Add -f option to sign-file script for generating a firmware signature file. A firmware signature file contains a pretty similar structure like a signed module but in a different order (because it's a separate file while the module signature is embedded at the tail of unsigned module contents). The file consists of - the magic string - the signature information, which is identical with the module signature - signer's name - key id - signature bytes
Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
---
 scripts/sign-file | 48 +++++++++++++++++++++++++++++++++++-------------
 1 file changed, 35 insertions(+), 13 deletions(-)
diff --git a/scripts/sign-file b/scripts/sign-file
index 87ca59d..5b9d44d 100755
--- a/scripts/sign-file
+++ b/scripts/sign-file
@@ -4,30 +4,40 @@
 #
 # Format:
 #
-# ./scripts/sign-file [-v] <key> <x509> <module> [<dest>]
+# ./scripts/sign-file [-v] [-f] <key> <x509> <module> [<dest>]
 #
 #
 use strict;
 use FileHandle;
 use IPC::Open2;
+use Getopt::Long;
-my $verbose = 0;
-if ($#ARGV >= 0 && $ARGV[0] eq "-v") {
- $verbose = 1;
- shift;
+sub usage()
+{
+ print "Format: ./scripts/sign-file [options] <key> <x509> <module> [<dest>]
+ -v verbose output
+ -f create a firmware signature file
+";
+ exit;
 }
-die "Format: ./scripts/sign-file [-v] <key> <x509> <module> [<dest>]\n"
- if ($#ARGV != 2 && $#ARGV != 3);
+my $verbose = 0;
+my $sign_fw = 0;
+
+GetOptions(
+ 'v|verbose' => \$verbose,
+ 'f|firmware' => \$sign_fw) || usage();
+usage() if ($#ARGV != 2 && $#ARGV != 3);
 my $private_key = $ARGV[0];
 my $x509 = $ARGV[1];
 my $module = $ARGV[2];
-my $dest = ($#ARGV == 3) ? $ARGV[3] : $ARGV[2] . "~";
+my $dest = $ARGV[3] ? $ARGV[3] : $ARGV[2] . ($sign_fw ? ".sig" : "~");
+my $mode_name = $sign_fw ? "firmware" : "module";
 die "Can't read private key\n" unless (-r $private_key);
 die "Can't read X.509 certificate\n" unless (-r $x509);
-die "Can't read module\n" unless (-r $module);
+die "Can't read $mode_name\n" unless (-r $module);
 #
 # Read the kernel configuration
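Review bot: `usage()` ends with a bare `exit;`, so an unknown option or a wrong argument count now terminates with status 0, where the removed `die "Format: ..."` returned non-zero. Any caller that checks the exit status would then treat a malformed invocation as success although nothing was signed, which for a signing tool means failing open. The help text also goes to STDOUT rather than STDERR. Printing with `print STDERR ...` and ending with `exit 2;` keeps the failure visible to callers.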
@@ -393,7 +403,9 @@ die "openssl rsautl died: $?" if ($? >> 8);
 #
 my $unsigned_module = read_file($module);
-my $magic_number = "~Module signature appended~\n";
+my $magic_number = $sign_fw ?
+ "~Linux firmware signature~\n" :
+ "~Module signature appended~\n";
 my $info = pack("CCCCCxxxN",
 $algo, $hash, $id_type,
@@ -402,7 +414,7 @@ my $info = pack("CCCCCxxxN",
 length($signature));
 if ($verbose) {
- print "Size of unsigned module: ", length($unsigned_module), "\n";
+ print "Size of unsigned $mode_name: ", length($unsigned_module), "\n";
 print "Size of signer's name : ", length($signers_name), "\n";
 print "Size of key identifier : ", length($key_identifier), "\n";
 print "Size of signature : ", length($signature), "\n";
@@ -414,7 +426,16 @@ if ($verbose) {
 open(FD, ">$dest") || die $dest;
 binmode FD;
-print FD
+if ($sign_fw) {
+ print FD
+ $magic_number,
+ $info,
+ $signers_name,
+ $key_identifier,
+ $signature
+ ;
+} else {
+ print FD
 $unsigned_module,
 $signers_name,
 $key_identifier,
@@ -422,8 +443,9 @@ print FD
 $info,
 $magic_number
 ;
+}
 close FD || die $dest;
-if ($#ARGV != 3) {
+if (!$sign_fw && $#ARGV != 3) {
 rename($dest, $module) || die $module;
 }
--
1.8.0
--
To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
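Review bot: The firmware branch of the `print FD` block writes the fields in a different order from the module branch, and nothing in the code says why or that the firmware contents are deliberately left out. A short comment above `if ($sign_fw) {` would record the layout for whoever maintains the matching verifier, for example `# Detached firmware signature file: magic, info, signer's name, key id, signature (firmware data is not copied)`. It could also note that `$module` and `$unsigned_module` hold the firmware path and contents in this mode, since the names no longer say so.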
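Review bot: The rename guard in the last hunk still tests `$#ARGV != 3`, while the `$dest` assignment in the first hunk switched to the truthiness test `$ARGV[3] ? ...`, so the two disagree when a fourth argument is present but empty or `0`. In module mode that case writes the signed output to `<module>~`, skips the rename, and exits without an error while the original module stays unsigned; the old code would have failed at `open`. Keeping the count test in the assignment makes both sites agree: `my $dest = ($#ARGV == 3) ? $ARGV[3] : $ARGV[2] . ($sign_fw ? ".sig" : "~");`.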