#!/usr/bin/env bash export KVER="$(uname -r)" SKMDIR="$(mktemp -p /tmp -d skmod.XXXXXX)"||exit 1 export SKMDIR function hayulp { printf "USAGE: %b [ -k KVER ]\\n" "$(basename "$0")" ( printf -- "-h:;This help\\n" printf -- "-k:;Sign drivers supplied for KVER\\n" printf " ;KVER equals the version name supplied by the folders in /lib/modules\\n" )|column -ts\; } while getopts :hk: SHOPT;do case "${SHOPT}" in h) hayulp;exit 0;; k) export KVER="${OPTARG}";; *) printf "Unknown parameter: -%b\\n\\n" "$OPTARG" >&2;hayulp;exit 1;; esac done SIGNER="$(grep ^CN x509.cnf|awk -F= '{print $NF}'|sed 's/^\ \+//;s/\ \+$//')" [ "${PIPESTATUS[0]}" -ne 0 ]&&exit 1 if [ ! -r private_key.priv ] || [ ! -r public_key.der ];then printf "No signing key and/or certificate found!\\n" >&2 exit 1 fi #printf "We will sign following kernel modules: %b.\n" "$(ls -amA /usr/lib/modules/"$(uname -r)"/extra/nvidia/nvidia{,-uvm}.ko)" printf "We will sign following kernel modules:\\n%b.\n" "$(ls -amA /usr/lib/modules/"$KVER"/extra/nvidia/nvidia*.ko /usr/lib/modules/"$KVER"/extra/nvidia/nvidia*.ko.xz 2>/dev/null)" read -rp "Is this OK? [y/N] " PROEMT case "$PROEMT" in "y"|"Y"|"j"|"J") ;; *) exit 1 ;; esac # shellcheck disable=SC2207 SGDMODS=( $(ls -aA /usr/lib/modules/"$KVER"/extra/nvidia/nvidia*.ko.xz /usr/lib/modules/"$KVER"/extra/nvidia/nvidia*.ko 2>/dev/null) ) MSGND=0 MSKIP=0 IBAS="/dev/null" for i in "${SGDMODS[@]}";do if ! sudo id -u 2>/dev/null|grep -P '^0$' >/dev/null;then printf "Can't elevate to root.\\n" >&2 exit 23 fi MODSIG=0 MODGOODSIG=0 IBAS="$(basename "$i")" MMOD="$(printf "%b" "$i"|sed 's/\.xz$//')" COMPR=0 if printf "%b" "$i"|grep -P '\.ko\.xz$' >/dev/null;then COMPR=1 printf "[....] Extracting module %b\\033[s..." "$IBAS" if sudo rm -f "$MMOD" >/dev/null 2>&1 && sudo xz -kd "$i" >/dev/null 2>&1;then printf "\\033[666D[ \\033[32mOK\\033[0m ]\\033[u\\033[K.\\n" else printf "\\033[666D[\\033[31mFAIL\\033[0m]\\033[u\\033[K.\\n" exit 4 fi fi printf "[....] Signing module %b\\033[s..." "$IBAS" if sudo modinfo "$MMOD"|grep '^sig_id:'|grep 'PKCS#7$' >/dev/null; then MODSIG=1; fi if sudo modinfo "$MMOD"|grep '^signer:'|grep "$SIGNER\$" > /dev/null; then MODGOODSIG=1; fi if [ "$MODSIG" -ne 1 ] || [ "$MODGOODSIG" -ne 1 ];then sudo /usr/src/kernels/"$KVER"/scripts/sign-file sha256 private_key.priv public_key.der "$MMOD" case "$?" in 0) MSGND="$((MSGND+1))" printf "\\033[666D[ \\033[32mOK\\033[0m ]\\033[u\\033[K.\\n" ;; *) printf "\\033[666D[\\033[31mFAIL\\033[0m]\\033[u\\033[K.\\n" exit 3 ;; esac else MSKIP="$((MSKIP+1))" printf "\\033[666D[\\033[1;30mSKIP\\033[0m]\\033[u\\033[K (already signed)\\n" fi if [ "$COMPR" -eq 1 ];then if [ "$MODSIG" -ne 1 ] || [ "$MODGOODSIG" -ne 1 ];then printf "[....] Compressing module %b\\033[s..." "$IBAS" if sudo rm -f "$i" >/dev/null 2>&1 && sudo xz "$MMOD" >/dev/null 2>&1;then printf "\\033[666D[ \\033[32mOK\\033[0m ]\\033[u\\033[K.\\n" else printf "\\033[666D[\\033[31mFAIL\\033[0m]\\033[u\\033[K.\\n" exit 5 fi else sudo rm -f "$MMOD"||exit 117 fi fi done printf "Summary:\\n" ( printf "Signed:;%b\\n" "$MSGND" printf "Skipped:;%b\\n" "$MSKIP" )|column -ts\;