#!/bin/bash
# sys/mok7 - Machine Owner Key (MOK) tool for signing DKMS-built kernel modules

# Abort on the first failing command; the steps below rely on this.
set -e

# NOTE(review): the framework is loaded from an absolute path inside one
# developer's home directory. Whoever runs this script executes whatever that
# account (or anyone able to write there) puts in mcsh.sh, and the script
# cannot run at all on a host where that path is absent. A root-owned,
# system-wide install location would be the safer default.
. "/home/zwelch/src/mcf/mcsh-release/install/share/mcsh/mcsh.sh"

lib_load "mcui"


######
# Native dependencies

# Native packages this tool needs on the client; how the framework consumes
# the list is not visible here. mokutil provides the MOK enrolment tooling.
# openssl (key generation) and the kernel headers' sign-file (signing) are
# also relied on below but are not listed.
mok7_client_packages=(mokutil)


######
# Configuration

# mok7_config_init - Register the two settings this tool reads: mokcert
# (certificate path) and mokkey (private key path). The framework fills
# them in; $script_confdir presumably names the directory that holds them
# (confirm in mcsh).
mok7_config_init() {
	local -a settings=(mokcert mokkey)
	script_setting_vars "${settings[@]}"
}


######
# Key Management CLI

# mok7_key - 'key' sub-command entry point; hands the remaining arguments to
# the framework dispatcher (presumably routing to mok7_key_<cmd>).
mok7_key() {
	cmd_dispatch "$@"
}

# mok7_key_usage - Print the 'key' sub-command synopsis on stdout.
# The quoted delimiter keeps the text literal; nothing in it needs expanding.
mok7_key_usage() {
	cat <<'USAGE'
<cmd>
Key Management Commands:
	gen				Generate a new MOK pair
	import				Import the MOK into EFI memory
USAGE
}

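# mok7_key_gen - Generate a fresh self-signed MOK pair.
#
# Writes the private key to $mokkey (PEM, unencrypted via -nodes so that
# sign-file can read it non-interactively) and the certificate to $mokcert
# (DER, the form mokutil --import and sign-file take). Both paths come from
# mok7_config_init; $script_confdir is created first to hold them.
#
# The key is written under umask 077 so it is never group/world readable,
# not even in the window between openssl creating the file and the explicit
# chmod below. By default sudo only makes the inherited umask stricter, so
# the subshell's umask reaches the openssl process (assuming run_sudo wraps
# plain sudo — confirm in mcsh).
#
# Overwrites an existing key unconditionally; mok7_wizard_check is where the
# user is asked first.
mok7_key_gen() {
	run_sudo mkdir -p "$script_confdir"
	(
		umask 077
		run_sudo openssl req -new -x509 \
			-newkey rsa:2048 -keyout "$mokkey" \
			-outform DER -out "$mokcert" \
			-nodes -days 36500 \
			-subj "/CN=Kernel Module Signing Key/"
	)
	# Belt and braces: owner-only regardless of what umask was in effect.
	run_sudo chmod 600 "$mokkey"
}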

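# mok7_key_import - Queue $mokcert for enrolment by the firmware's MOK manager.
#
# mokutil --import stages the certificate together with a hash of a one-time
# password; on the next boot MokManager asks for that password before adding
# the key to the MOK list. The password is shown to the user in a dialog so
# they can type it at the console ($package_name is presumably set by the
# framework — confirm).
#
# The default password is deliberately the well-known "1234" that the dialog
# announces; MOK7_IMPORT_PASSWORD overrides it. Either way it is passed to
# mokutil on the command line, so it is visible to other local users via ps
# for the duration of that call — do not reuse a real secret here.
#
# The temporary hash file is removed whether or not mokutil succeeds (the
# original left it behind on failure because set -e aborted first); the
# failing step's exit status is then returned so set -e still aborts the
# caller.
mok7_key_import() {
	local password="${MOK7_IMPORT_PASSWORD:-1234}"
	info "$mokcert: installing in EFI memory..."
	local tmp
	tmp=$(cmd_tempfile)
	local status=0
	run mokutil --generate-hash="$password" >"$tmp" \
		&& run_sudo mokutil --import "$mokcert" -f "$tmp" \
		|| status=$?
	run rm -f "$tmp"
	[ "$status" -eq 0 ] || return "$status"

	local mcui_title="MOK Password"
	local msg1 msg2
	msg1="Upon rebooting, you must enter the $package_name import password."
	msg2="The import password is '$password'"
	mcui_warn_details "$msg1" "$msg2"
}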


######
# Key Wizard CLI

# mok7_wizard - Interactive flow: keep or (re)generate the MOK, then offer to
# enrol it in the firmware. mok7_wizard_check succeeds when the existing key
# should be kept; otherwise a new pair is generated first.
mok7_wizard() {
	if ! mok7_wizard_check; then
		run mok7_key_gen
	fi
	mok7_wizard_import
}

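# mok7_wizard_check - Decide whether the wizard keeps the existing key.
#
# Returns 0 (success) when $mokkey already exists and the user declines to
# overwrite it, 1 when a new key must be generated: either no key file is
# present or the user explicitly answered 'yes' to overwriting it.
#
# The existence test must return explicitly. mok7_wizard calls this function
# on the left of '||', and bash ignores 'set -e' for every command inside a
# function invoked in that position, so a bare '[ -f ... ]' fell through and
# asked about overwriting a key file that does not exist.
mok7_wizard_check() {
	[ -f "$mokkey" ] || return 1

	local mcui_title="Overwrite?"
	local confirm
	mcui_yesno_warn confirm "$mokkey: file exists. Overwrite key file?"

	# Only an explicit 'yes' throws the existing key away.
	if [ "$confirm" = 'yes' ]; then
		return 1
	fi
	info "$mokkey: using existing key..."
	return 0
}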

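# mok7_wizard_import - Offer to enrol the MOK and then to reboot.
#
# An empty answer (the dialog's default) counts as 'yes'. Any answer other
# than that leaves the key on disk un-enrolled and returns 0 so the wizard
# still finishes cleanly. After the import the user is offered a restart,
# since the firmware only completes the enrolment during boot.
mok7_wizard_import() {
	local mcui_title="Import?"
	local confirm
	mcui_yesno confirm "$mokkey: import to EFI?"

	# [[ ... || ... ]] replaces the deprecated, ambiguous '[ ... -o ... ]'.
	[[ -z "$confirm" || "$confirm" == yes ]] || return 0
	mok7_key_import

	mcui_title="Restart Required"
	local prompt msg
	prompt="Restart your computer now to complete the import process?"
	msg="Before you can sign modules, you must restart your computer."
	msg="$msg This allows the EFI BIOS to finish importing the new MOK."
	mcui_host_restart "$prompt" "$msg"
}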


######
# Module Signing

# mok7_sign - 'sign' entry point: with no (non-empty) arguments sign every
# module, otherwise route the arguments to the framework dispatcher.
mok7_sign() {
	if [[ -n "$*" ]]; then
		cmd_dispatch "$@"
		return
	fi
	mok7_sign_all
}

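# mok7_sign_usage - Print the 'sign' sub-command synopsis on stdout.
# The synopsis line used to read '<cmd> [...]>' with a stray '>' that matched
# no other usage text in this file; it is now '<cmd> [...]'.
mok7_sign_usage() {
	cat <<USAGE
<cmd> [...]
Module Signing Commands:
	all				Sign all modules
	module <file>			Sign one module file
USAGE
}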

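# mok7_sign_all - Sign every .ko in the directory that holds vboxdrv.
#
# vboxdrv is only an anchor for locating the directory the DKMS-built modules
# were installed into; every .ko found there is signed, not just VirtualBox's.
#
# Fails with a message when modinfo cannot find vboxdrv or the directory holds
# no modules. The original nested $(dirname $(modinfo ...)) hid a failed
# modinfo: dirname of an empty string is '.' and exits 0, so the loop went on
# to sign a literal './*.ko'.
mok7_sign_all() {
	has_args 0 "$@"
	local modpath
	if ! modpath=$(modinfo -n vboxdrv); then
		printf '%s\n' "vboxdrv: module not found; nothing to sign" >&2
		return 1
	fi
	local moddir
	moddir=$(dirname -- "$modpath")
	local -a modules=( "$moddir"/*.ko )
	# Without nullglob an unmatched pattern stays literal; treat that as empty.
	if [ ! -e "${modules[0]}" ]; then
		printf '%s\n' "$moddir: no kernel modules found" >&2
		return 1
	fi
	for_each mok7_sign_module "${modules[@]}"
}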

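# mok7_sign_module - Sign one kernel module in place with the MOK.
#
# Arguments:
#   $1 - path of the .ko to sign
#
# Runs the kernel's sign-file helper (sha256 digest, the PEM key in $mokkey,
# the DER certificate in $mokcert). The helper is looked up in order:
# MOK7_SIGN_FILE when set (override hook for non-standard header locations),
# the running kernel's headers package, then /lib/modules/<ver>/build, which
# presumably points at the same headers tree (confirm on the target distro).
# Fails with a message instead of invoking a missing path through sudo; the
# original expanded an unquoted $sign and relied on sudo to report ENOENT.
mok7_sign_module() {
	has_args 1 "$@"
	local file=$1
	local kver
	kver=$(uname -r)
	local -a candidates=()
	[ -n "${MOK7_SIGN_FILE:-}" ] && candidates+=("$MOK7_SIGN_FILE")
	candidates+=(
		"/usr/src/linux-headers-$kver/scripts/sign-file"
		"/lib/modules/$kver/build/scripts/sign-file"
	)
	local sign="" candidate
	for candidate in "${candidates[@]}"; do
		if [ -x "$candidate" ]; then
			sign=$candidate
			break
		fi
	done
	if [ -z "$sign" ]; then
		printf '%s\n' "$file: sign-file not found; install the headers for kernel $kver" >&2
		return 1
	fi
	info "$file: signing..."
	run_sudo "$sign" sha256 "$mokkey" "$mokcert" "$file"
}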

######
# Main

# mok7_desc - One-line description of this tool, printed by the framework.
mok7_desc() {
	printf '%s\n' 'Machine Owner Key (MOK) helper'
}

# mok7_usage - Print the top-level synopsis on stdout.
# The quoted delimiter keeps the text literal; nothing in it needs expanding.
mok7_usage() {
	cat <<'USAGE'
<cmd> ...
Machine Owner Key (MOK) Commands:
	wizard				Generates and installs the MOK
	sign [...]			Module signing commands
USAGE
}

# Hand control to the mcsh framework, which presumably dispatches the first
# argument to the matching mok7_<cmd> function above (confirm in mcsh).
app_run "$@"
