X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Froles%2Ffiles%2Fsigning%2Fsecure-boot-code-sign.py;fp=modules%2Froles%2Ffiles%2Fsigning%2Fsecure-boot-code-sign.py;h=0000000000000000000000000000000000000000;hb=76ca91bce24ecbcbcc4e62a37aa06fd0fb9f96c7;hp=04a3344d0a72e5ae00a189764f0f173f25a37351;hpb=46cee04ab06b23ab6e9e4baba655cf470d10cfc4;p=mirror%2Fdsa-puppet.git diff --git a/modules/roles/files/signing/secure-boot-code-sign.py b/modules/roles/files/signing/secure-boot-code-sign.py deleted file mode 100755 index 04a3344d0..000000000 --- a/modules/roles/files/signing/secure-boot-code-sign.py +++ /dev/null @@ -1,138 +0,0 @@ -#!/usr/bin/python3 - -# Copyright (C) 2017 Collabora Ltd -# 2017 Helen Koike -# -# Ported from bash to python3 by Julien Cristau -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU Lesser General Public -# License as published by the Free Software Foundation; either -# version 2.1 of the License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# Lesser General Public License for more details. - -import argparse -import configparser -import os -import subprocess -import sys -import tarfile -import tempfile - - -config = {} - - -def sign(extract_dir, signed_dir): - for dirpath, dirnames, filenames in os.walk(extract_dir): - assert dirpath.startswith(extract_dir) - out_dir = signed_dir + dirpath[len(extract_dir):] - os.makedirs(out_dir) - for filename in filenames: - #print(os.path.join(dirpath, filename), file=sys.stderr) - if filename.endswith('.efi') or filename.startswith('vmlinuz-'): - sign_efi(os.path.join(dirpath, filename), os.path.join(out_dir, filename + '.sig')) - elif filename.endswith('.ko'): - sign_kmod(os.path.join(dirpath, filename), os.path.join(out_dir, filename + '.sig')) - else: - print("ignoring %s" % os.path.join(dirpath, filename), file=sys.stderr) - - -def sign_kmod(module_path, signature_path): - assert 'linux_sign_file' in config - assert 'pkcs11_uri' in config - assert 'cert_path' in config - assert 'pin' in config - - env = os.environ.copy() - env['KBUILD_SIGN_PIN'] = config['pin'] - # use check_output instead of check_call as sign-file seems to send random - # stuff to stderr even when it succeeds - subprocess.check_output( - [config['linux_sign_file'], '-d', 'sha256', config['pkcs11_uri'], - config['cert_path'], module_path], - env=env, stderr=subprocess.STDOUT) - os.rename(module_path + '.p7s', signature_path) - - -def sign_efi(efi_path, signature_path): - assert 'sign-efi' in config - assert 'certdir' in config - assert 'token' in config - assert 'certname' in config - assert 'pin' in config - - env = os.environ.copy() - env['PESIGN_PIN'] = config['pin'] - with open(signature_path, 'wb') as out: - subprocess.check_call( - [config['sign-efi'], config['certdir'], config['token'], - config['certname'], efi_path], - env=env, stdout=out) - - -def extract(tar_file, extract_dir): - with tarfile.TarFile.open(fileobj=tar_file, mode="r:xz") as f: - f.extractall(extract_dir) - - -def repack(signed_dir, fileobj): - def cleanup_tarinfo(tarinfo): - tarinfo.path = os.path.relpath('/' + tarinfo.path, signed_dir) - tarinfo.gid = 0 - tarinfo.gname = 'root' - tarinfo.uid = 0 - tarinfo.uname = 'root' - return tarinfo - - with tarfile.TarFile.open(mode='w:xz', fileobj=fileobj) as f: - f.add(signed_dir, filter=cleanup_tarinfo) - - -def main(): - parser = argparse.ArgumentParser( - description='sign files in a tarball') - parser.add_argument('input_tar', metavar='input', type=argparse.FileType('rb'), - help='tarball containing files to be signed') - parser.add_argument('--config', '-c', type=str, - default='/etc/codesign.ini', help='configuration file') - - args = parser.parse_args() - - cp = configparser.RawConfigParser() - cp.read(args.config) - - # path to the sign-file command from Linux - config['linux_sign_file'] = cp.get('commands', 'sign-kmod', - fallback='/usr/lib/linux-kbuild-4.9/scripts/sign-file') - # pkcs11 uri from `p11tool --list-token-urls` - config['pkcs11_uri'] = cp.get('efi', 'pkcs11_uri') - # path to the PEM or DER-format certificate - config['cert_path'] = cp.get('efi', 'cert_path') - - # path to our pesign wrapper script - config['sign-efi'] = cp.get('commands', 'sign-efi', fallback='/usr/local/bin/pesign-wrap') - # path to the nss store - config['certdir'] = cp.get('efi', 'certdir', fallback='/srv/codesign/pki') - # name of the token in the nss store - config['token'] = cp.get('efi','token', fallback='PIV_II (PIV Card Holder pin)') - # name of the cert in the nss store - config['certname'] = cp.get('efi', 'cert', fallback='Certificate for Digital Signature') - - config['pin'] = cp.get('efi', 'pin') - - workdir = tempfile.TemporaryDirectory() - with workdir: - extract_dir = os.path.join(workdir.name, 'in') - signed_dir = os.path.join(workdir.name, 'out') - extract(args.input_tar, extract_dir) - sign(extract_dir, signed_dir) - repack(signed_dir, sys.stdout.buffer) - - -if __name__ == '__main__': - sys.exit(main())