alfred/bash-stuff
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Make sure sign and verify boot scripts are run one at a time.

Browse Source
This commit is contained in:
Captain ALM 2024-10-07 17:14:49 +01:00
parent d14e408298
commit 84ae836a71
Signed by: alfred
GPG Key ID: 4E4ADD02609997B1
2 changed files with 13 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
local-sbin/sign-boot
View File

@ -1,15 +1,11 @@
#!/bin/bash
if [ -f /run/signing ]; then
echo "[-] Signing already in progress!";
if [ -f /run/sign-verify-boot-flag ]; then
echo "[-] Waiting for in-progress Signing / Verifying!";
while lsof /run/sign-verify-boot-flag > /dev/null 2>&1; do sleep 0.1; done
while [ -f /run/sign-verify-boot-flag ]; do sleep 0.1; done
fi;
/usr/bin/touch /run/signing;
/usr/bin/touch /run/sign-verify-boot-flag;
echo "[*] Preparing to sign!";
#touch /dev/shm/sb-passpwd.txt;
#chown root:root /dev/shm/sb-passpwd.txt;
#chmod u=rw,g=,o= /dev/shm/sb-passpwd.txt;
#echo -n "Password: ";
#read -s pwd;
#echo -n "$pwd" > /dev/shm/sb-passpwd.txt;
echo "[-] BMOK Un-Signing...";
for i in $(/usr/bin/find /boot/grub -iname "*.efi" -type f -print)
do
@ -33,14 +29,11 @@ for i in $(/usr/bin/find /boot -iname "efi" -prune -o -iname "grubenv" -prune -o
do
echo $i;
/usr/bin/gpg --batch --detach-sign $i;
#gpg -v --batch --detach-sign --passphrase-fd 0 $i < \
# /dev/shm/sb-passpwd.txt;
done;
for i in $(/usr/bin/find /boot/efi -iname "*.cfg" -type f -o -iname "*.efi" -type f -print)
do
echo $i;
/usr/bin/gpg --batch --detach-sign $i;
done;
#shred /dev/shm/sb-passpwd.txt;
/usr/bin/rm -f /run/signing;
/usr/bin/rm -f /run/sign-verify-boot-flag;
echo "[*] Signing Complete!";

7
local-sbin/verify-boot
View File

@ -1,4 +1,10 @@
#!/bin/bash
if [ -f /run/sign-verify-boot-flag ]; then
echo "[-] Waiting for in-progress Signing / Verifying!";
while lsof /run/sign-verify-boot-flag > /dev/null 2>&1; do sleep 0.1; done
while [ -f /run/sign-verify-boot-flag ]; do sleep 0.1; done
fi;
/usr/bin/touch /run/sign-verify-boot-flag;
echo "[*] Preparing to verify!";
echo "[-] Missing Signatures:";
ec=0;
@ -50,5 +56,6 @@ if [ $ec -ne 0 ]; then
elif [ -f /boot/boot-tainted ]; then
rm -f /boot/boot-tainted;
fi
/usr/bin/rm -f /run/sign-verify-boot-flag;
echo "[*] Finished Verification!";
exit $ec;