#
# Copyright 2023 Google LLC
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# Check for EAPI 5+: EAPI 7 is supported as-is, EAPI 5 and 6 pull in the
# eapi7-ver eclass, and anything older is rejected outright.
case ${EAPI:-0} in
	[0-4])
		die "Unsupported EAPI=${EAPI:-0} (too old) for ${ECLASS}"
		;;
	[56])
		inherit eapi7-ver
		;;
	7)
		;;
esac
# No USE constraints and no build/run-time library deps; openssl is only
# needed while building (to produce the signatures), hence BDEPEND.
REQUIRED_USE=
DEPEND=
RDEPEND=${DEPEND}
BDEPEND=dev-libs/openssl
# NOTE(review): presumably so portage keeps the security.ima xattr written
# by cos-linux-fw_sign when the files are merged -- confirm.
FEATURES=xattr
# linux-info.eclass cannot locate the kernel build output directory because
# our kernel version string ends with '+' (e.g. "4.4.21+"), so point
# KBUILD_OUTPUT at it explicitly. The signing functions below read the
# module signing key from underneath this directory.
KBUILD_OUTPUT="${KERNEL_DIR}/build"
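# cos-linux-fw_raw_signature <firmware_file>
# Sign <firmware_file> with the kernel build's module signing key
# (${KBUILD_OUTPUT}/certs/signing_key.pem) and print the IMA signature as a
# hex string on stdout: a signature_v2_hdr followed by the raw signature.
# Side effect: the detached raw signature is left in <firmware_file>.sign.
# Dies (portage die) if the file or key is missing, signing fails, the key
# id cannot be derived, or the signature has an implausible length.
cos-linux-fw_raw_signature() {
	local firmware_file="$1"
	local -r signing_key="${KBUILD_OUTPUT}/certs/signing_key.pem"
	[[ -f ${firmware_file} ]] \
		|| die "cos-linux-fw_raw_signature: firmware file '${firmware_file}' not found"
	[[ -r ${signing_key} ]] \
		|| die "cos-linux-fw_raw_signature: signing key '${signing_key}' not readable"

	# Produce the raw (detached) SHA-256 signature over the firmware contents.
	openssl dgst -sign "${signing_key}" -keyform PEM -sha256 \
		-out "${firmware_file}.sign" -binary "${firmware_file}" \
		|| die "cos-linux-fw_raw_signature: signing ${firmware_file} failed"

	# Key id = last 4 bytes of the certificate's subjectKeyIdentifier; IMA uses
	# it to select the verification key. xargs joins the multi-line openssl
	# output into one line, sed strips the colons, then keep the last 8 hex
	# digits. The pipeline's status only reflects sed, so validate the result
	# instead of letting a malformed header through silently.
	local skid
	skid=$(openssl x509 -in "${signing_key}" -noout -ext subjectKeyIdentifier | xargs | sed 's/://g')
	local -r keyid="${skid: -8}"
	[[ ${keyid} =~ ^[[:xdigit:]]{8}$ ]] \
		|| die "cos-linux-fw_raw_signature: could not derive key id from ${signing_key}"

	# Hex-encode the detached signature. Its byte length fills the header's
	# size field, so the header stays correct for keys other than 3072-bit
	# RSA (whose 384-byte signature yields the previously hard-coded 0x0180).
	local sig_hex
	sig_hex=$(xxd -p < "${firmware_file}.sign" | tr -d '\n')
	local -r sig_len=$(( ${#sig_hex} / 2 ))
	(( sig_len > 0 && sig_len <= 0xffff )) \
		|| die "cos-linux-fw_raw_signature: unexpected signature length ${sig_len} for ${firmware_file}"
	local sig_size
	printf -v sig_size '%04x' "${sig_len}"

	# signature_v2_hdr: type 0x03 (EVM_IMA_XATTR_DIGSIG), version 0x02,
	# hash algorithm 0x04 (sha256 -- must match the -sha256 above), 4-byte
	# key id, 2-byte big-endian signature size, then the signature itself.
	echo "030204${keyid}${sig_size}${sig_hex}"
}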
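# cos-linux-fw_sign_detached <firmware_file>
# Write the binary IMA signature of <firmware_file> (header + raw signature,
# as produced by cos-linux-fw_raw_signature) to <firmware_file>.sig.
# Dies if signing fails, so an empty or truncated .sig is never left behind
# unnoticed.
cos-linux-fw_sign_detached() {
	local firmware_file="$1"
	local sig_hex
	# Capture first rather than piping: a pipeline would only report xxd's
	# status and hide a failed signing step.
	sig_hex=$(cos-linux-fw_raw_signature "${firmware_file}") \
		|| die "cos-linux-fw_sign_detached: signing ${firmware_file} failed"
	[[ -n ${sig_hex} ]] \
		|| die "cos-linux-fw_sign_detached: empty signature for ${firmware_file}"
	xxd -r -p <<<"${sig_hex}" > "${firmware_file}.sig" \
		|| die "cos-linux-fw_sign_detached: writing ${firmware_file}.sig failed"
}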
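# cos-linux-fw_sign <firmware_file>
# Attach the IMA signature of <firmware_file> to it as the security.ima
# extended attribute. Dies if signing or setting the xattr fails, so a
# bogus "0x" value is never attached when the signing step breaks.
cos-linux-fw_sign() {
	local firmware_file="$1"
	local sig_hex
	sig_hex=$(cos-linux-fw_raw_signature "${firmware_file}") \
		|| die "cos-linux-fw_sign: signing ${firmware_file} failed"
	[[ -n ${sig_hex} ]] \
		|| die "cos-linux-fw_sign: empty signature for ${firmware_file}"
	# setfattr takes the value as hex with a 0x prefix.
	setfattr -n security.ima -v "0x${sig_hex}" "${firmware_file}" \
		|| die "cos-linux-fw_sign: setting security.ima on ${firmware_file} failed"
}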