archive-gh-me/OpenCorePkg
1
0
Fork 0
mirror of https://github.com/acidanthera/OpenCorePkg.git synced 2025-12-08 19:25:01 +00:00
Code Issues Projects Releases Wiki Activity
OpenCorePkg/Utilities/CreateVault/sign.command
Mike Beaton 35bcb134f1 CreateVault: Fix sign.command and update signing docs 
Fix operation of `sign.command` when printable characters occur
immediately before `=BEGIN OC VAULT=`. `strings` finds the location of
the first printable character in such a sequence. `hexdump` automatically
works on 16 byte boundaries, so still finds the correct offset.

Use `BASE_ALIGNAS` to enforce the required alignment, which will not be
correct on all builds unless enforced (note alignment is required purely
for locating the structure correctly from external script as above, not
for reading in C).

Remove struct packing, since structs had better be naturally packed anyway
(if not, reading from them without arbitrary-alignment-safe code, as we
do, would be undefined behaviour). Add static asserts to confirm expected
size as required by `sign.command`.

Update the docs to refer to `sign.command` rather than to include the
signing commands explicitly - otherwise we have two places that need to
be kept in sync for signing commands, and note that the commands in the
two places were already out of sync.

Signed-off-by: Mike Beaton <mjsbeaton@gmail.com>
2024-11-26 22:22:28 +00:00

73 lines
1.9 KiB
Bash
Executable File
Raw Blame History

#!/bin/sh
abort() {
echo "Fatal error: ${1}!"
exit 1
}
# shellcheck disable=SC2317
cleanup() {
echo "Cleaning up key"
rm -rf "${KeyPath}"
}
if [ ! -x /usr/bin/dirname ] || [ ! -x /bin/chmod ] || [ ! -x /bin/mkdir ] || [ ! -x /bin/rm ] || [ ! -x /usr/bin/strings ] || [ ! -x /usr/bin/grep ] || [ ! -x /usr/bin/awk ] || [ ! -x /bin/dd ] || [ ! -x /usr/bin/uuidgen ] ; then
abort "Unix environment is broken!"
fi
cd "$(/usr/bin/dirname "$0")" || abort "Failed to enter working directory!"
OCPath="$1"
if [ "$OCPath" = "" ]; then
OCPath=../../EFI/OC
fi
KeyPath="/tmp/$(/usr/bin/uuidgen)"
OCBin="${OCPath}/OpenCore.efi"
PubKey="${KeyPath}/vault.pub"
if [ ! -d "${OCPath}" ]; then
abort "Path ${OCPath} is missing!"
fi
if [ ! -f "${OCBin}" ]; then
abort "OpenCore.efi is missing!"
fi
if [ ! -x ./RsaTool ] || [ ! -x ./create_vault.sh ]; then
if [ -f ./RsaTool ]; then
/bin/chmod a+x ./RsaTool || abort "Failed to set permission for RsaTool"
else
abort "Failed to find RsaTool!"
fi
if [ -f ./create_vault.sh ]; then
/bin/chmod a+x ./create_vault.sh || abort "Failed to set permission for create_vault.sh"
else
abort "Failed to find create_vault.sh!"
fi
fi
trap cleanup EXIT INT TERM
if [ ! -d "${KeyPath}" ]; then
/bin/mkdir -p "${KeyPath}" || abort "Failed to create path ${KeyPath}"
fi
./create_vault.sh "${OCPath}" || abort "create_vault.sh returns errors!"
echo "Signing ${OCBin}..."
./RsaTool -sign "${OCPath}/vault.plist" "${OCPath}/vault.sig" "${PubKey}" || abort "Failed to patch ${PubKey}"
echo "Bin-patching ${OCBin}..."
off=$((0x$(/usr/bin/hexdump -C "${OCBin}" | /usr/bin/grep "=BEGIN OC VAULT=" | /usr/bin/awk '{print $1}') + 16))
if [ "${off}" -le 16 ]; then
abort "${OCBin} is borked"
fi
/bin/dd of="${OCBin}" if="${PubKey}" bs=1 seek="${off}" count=528 conv=notrunc || abort "Failed to bin-patch ${OCBin}"
echo "All done!"
exit 0
Reference in New Issue View Git Blame Copy Permalink