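#!/usr/bin/env perl
# vim: softtabstop=2 shiftwidth=2 expandtab
# This script is for signing ZBM EFI Images for use with Secure Boot
# It supports sbctl and sbsigntools
# Config is written at the end of the main ZBM config file (/etc/zfsbootmenu/config.yaml), and looks like this:
#SecureBoot:
# SignBackup: true
# DeleteUnsigned: false
# SignMethod: sbctl
# KeyDir: /etc/sbkeys/
#
# The signing tools are invoked with the list form of system(), so file names
# read from the ESP are passed as literal arguments and never go through a
# shell.  The exit status of every signing command is checked, and an unsigned
# image is only removed after its signing command reported success, so a failed
# sbsign run cannot leave the ESP with neither an unsigned nor a signed image.
use strict;
use warnings;
use feature 'say';
use File::Find;
use YAML::PP;

print "---------- ZBM-Sign ----------\n";

my $CONFIG_PATH = '/etc/zfsbootmenu/config.yaml';

# Run one external command without a shell.
# Returns true on a zero exit status; otherwise warns with the tool's exit
# status (or the exec error) and returns false.
sub _run {
  my (@cmd) = @_;
  my $rc = system @cmd;
  if ($rc == -1) {
    warn "Cannot run $cmd[0]: $!\n";
    return 0;
  }
  if ($rc != 0) {
    warn "$cmd[0] failed with exit status " . ($rc >> 8) . "\n";
    return 0;
  }
  return 1;
}

# Sign one EFI image $file inside $dir with $method ('sbctl' or 'sbsign').
# sbctl signs in place; sbsign writes <stem>-signed.efi next to the original,
# using DB.key/DB.crt from $key_dir.  Returns true on success.
sub _sign_image {
  my ($method, $dir, $file, $key_dir) = @_;
  my $path = "$dir/$file";
  if ($method eq 'sbctl') {
    return _run('sbctl', 'sign', $path);
  }
  # The file list below only contains names ending in .efi, so stripping the
  # suffix here is safe.
  (my $stem = $file) =~ s/\.efi\z//i;
  return _run(
    'sbsign',
    '--key',  "$key_dir/DB.key",
    '--cert', "$key_dir/DB.crt",
    $path,
    '--output', "$dir/$stem-signed.efi",
  );
}

my $ypp    = YAML::PP->new(boolean => 'boolean');
my $config = $ypp->load_file($CONFIG_PATH);

my $EFI_Enabled = $config->{EFI}{Enabled};
if (!$EFI_Enabled) {
  die "EFI images are disabled! Nothing to sign!";
}

my $ESP = $config->{Global}{BootMountPoint}
  or die "Global.BootMountPoint is not set in $CONFIG_PATH";
my $SecureBoot = $config->{SecureBoot}
  or die "No config found, please edit $CONFIG_PATH";

my $ZBM            = "$ESP/EFI/zbm";
my $KeyDir         = $SecureBoot->{KeyDir};
my $DeleteUnsigned = $SecureBoot->{DeleteUnsigned};
my $SignBackups    = $SecureBoot->{SignBackup};
my $SignMethod     = $SecureBoot->{SignMethod};

# Validate the method before touching any image, not on the first iteration.
if (!$SignMethod) {
  die "No sign method found";
}
if ($SignMethod ne 'sbctl' && $SignMethod ne 'sbsign') {
  die "Sign method $SignMethod not valid.";
}
if ($SignMethod eq 'sbsign' && !defined $KeyDir) {
  die "SecureBoot.KeyDir must be set in $CONFIG_PATH when SignMethod is sbsign";
}

opendir my $ZBM_dir, $ZBM
  or die "Cannot open ZBM dir: $ZBM: $!";
my @entries = readdir $ZBM_dir;
closedir $ZBM_dir;

# Only regular files whose name ends in .efi, skipping already-signed output
# and (unless SignBackup is set) backup images.  Anchoring at the end avoids
# picking up names such as foo.efi.bak.
my @EFIBins = sort grep {
  -f "$ZBM/$_"
    && /\.efi\z/i
    && !/signed\.efi\z/i
    && ($SignBackups || !/backup/i)
} @entries;

say "Found: @EFIBins";
say "No unsigned EFI images found in $ZBM" unless @EFIBins;

my $failures = 0;
for my $image (@EFIBins) {
  say "\nSigning $image";
  if (!_sign_image($SignMethod, $ZBM, $image, $KeyDir)) {
    # Keep the unsigned image: without it there would be no bootable copy.
    $failures++;
    say "Signing $image failed, keeping the unsigned image";
    next;
  }
  next unless $DeleteUnsigned;
  if ($SignMethod eq 'sbctl') {
    say "sbctl signs in place, not deleting $image";
  }
  else {
    say "Deleting unsigned $image";
    unlink "$ZBM/$image"
      or warn "Cannot delete $ZBM/$image: $!\n";
  }
}

print "---------- FINISHED ----------\n";
# Non-zero exit lets callers (hooks, generate-zbm wrappers) notice a failure.
exit($failures ? 1 : 0);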