| # |
| # Copyright 2023 Google LLC |
| # |
| # This program is free software; you can redistribute it and/or |
| # modify it under the terms of the GNU General Public License |
| # version 2 as published by the Free Software Foundation. |
| # |
| # This program is distributed in the hope that it will be useful, |
| # but WITHOUT ANY WARRANTY; without even the implied warranty of |
| # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| # GNU General Public License for more details. |
| # |
| |
# Check for EAPI 5+: EAPIs 0-4 are rejected outright, 5 and 6 pull in the
# eapi7-ver compatibility eclass, and 7 needs nothing extra.
if [[ "${EAPI:-0}" == [01234] ]]; then
	die "Unsupported EAPI=${EAPI:-0} (too old) for ${ECLASS}"
elif [[ "${EAPI:-0}" == [56] ]]; then
	inherit eapi7-ver
fi
| |
# No USE-flag constraints are imposed by this eclass.
REQUIRED_USE=""

# Build-time dependency only: openssl is invoked by the signing helpers
# below; nothing from this eclass is needed at runtime.
DEPEND=""
RDEPEND="${DEPEND}"
BDEPEND="dev-libs/openssl"

# NOTE(review): the helpers below store the IMA signature in the
# security.ima xattr via setfattr; presumably "xattr" is set so that
# attribute survives the install/merge step — confirm against portage docs.
FEATURES="xattr"

# Because our kernel version string ends with '+' (e.g.
# "4.4.21+"), Gentoo Linux's linux-info.eclass cannot locate the kernel build
# output directory. Hence we set it up here.  The signing helpers read the
# module signing key from "${KBUILD_OUTPUT}/certs/signing_key.pem".
KBUILD_OUTPUT="${KERNEL_DIR}"/build
| |
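#######################################
# Build an IMA "signature_v2" blob (hex-encoded) for a firmware file.
# Layout: type 0x03 (EVM_IMA_XATTR_DIGSIG), version 0x02, hash algo 0x04
# (sha256), 4-byte key id, 2-byte big-endian signature length, then the
# raw signature over the file's sha256 digest.
# Globals:   KBUILD_OUTPUT (read) - locates certs/signing_key.pem
# Arguments: $1 - path of the firmware file to sign
# Outputs:   hex-encoded IMA signature on stdout; the raw signature is
#            also left in "$1.sign" next to the file
# Returns:   0 on success; dies on any failure so that a truncated or
#            empty signature is never emitted to the callers
#######################################
cos-linux-fw_raw_signature() {
	local -r firmware_file="$1"
	local -r signing_key="${KBUILD_OUTPUT}/certs/signing_key.pem"

	[[ -n "${firmware_file}" && -f "${firmware_file}" ]] \
		|| die "${FUNCNAME}: firmware file not found: '${firmware_file}'"
	[[ -r "${signing_key}" ]] \
		|| die "${FUNCNAME}: signing key not readable: '${signing_key}'"

	# produce raw signature.  A failing openssl used to go unnoticed and
	# the function still printed a header with an empty signature body.
	openssl dgst -sign "${signing_key}" -keyform PEM -sha256 \
		-out "${firmware_file}.sign" -binary "${firmware_file}" \
		|| die "${FUNCNAME}: signing '${firmware_file}' failed"

	# construct prefix: the IMA key id is the last 4 bytes of the
	# certificate's subjectKeyIdentifier.  openssl prints the extension as
	# a label line followed by the colon-separated hex id; xargs joins the
	# lines and sed strips the colons, so the tail of the string is the id.
	local subject_key_id
	subject_key_id=$(openssl x509 -in "${signing_key}" -noout \
		-ext subjectKeyIdentifier | xargs | sed 's/://g')
	local -r key_id="${subject_key_id: -8}"
	[[ "${key_id}" =~ ^[0-9A-Fa-f]{8}$ ]] \
		|| die "${FUNCNAME}: could not read subjectKeyIdentifier from '${signing_key}'"

	# assemble ima signature
	local detached_signature
	detached_signature=$(xxd -p < "${firmware_file}.sign" | tr -d '\n')
	[[ "${detached_signature}" =~ ^[0-9a-f]+$ ]] \
		|| die "${FUNCNAME}: empty signature for '${firmware_file}'"

	# sig_size is the signature length in bytes (two hex digits per byte)
	# as a 16-bit big-endian field.  It was hard-coded to 0x0180 (384
	# bytes, i.e. a 3072-bit RSA key) before, which silently produced a
	# bad header for any other key size.
	local sig_size
	printf -v sig_size '%04x' "$(( ${#detached_signature} / 2 ))"

	printf '%s\n' "030204${key_id}${sig_size}${detached_signature}"
}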
| |
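#######################################
# Write a detached IMA signature file for a firmware file.
# Arguments: $1 - path of the firmware file to sign
# Outputs:   binary IMA signature blob written to "$1.sig"
# Returns:   0 on success; dies on failure instead of leaving an empty
#            or partial .sig file behind
#######################################
cos-linux-fw_sign_detached() {
	local -r firmware_file="$1"
	local signature

	# The path is quoted here; the unquoted "$1" previously passed to
	# cos-linux-fw_raw_signature was word-split and globbed.
	signature=$(cos-linux-fw_raw_signature "${firmware_file}") \
		|| die "${FUNCNAME}: could not sign '${firmware_file}'"
	[[ -n "${signature}" ]] \
		|| die "${FUNCNAME}: empty signature for '${firmware_file}'"
	xxd -r -p > "${firmware_file}.sig" <<<"${signature}" \
		|| die "${FUNCNAME}: could not write '${firmware_file}.sig'"
}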
| |
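#######################################
# Attach an IMA signature to a firmware file as its security.ima xattr.
# Arguments: $1 - path of the firmware file to sign
# Returns:   0 on success; dies on failure.  The signature is computed
#            first and checked, so a failed signing step can no longer
#            result in a bogus "0x" value being stored in the xattr.
#######################################
cos-linux-fw_sign() {
	local -r firmware_file="$1"
	local signature

	# The path is quoted here; the unquoted "$1" previously passed to
	# cos-linux-fw_raw_signature was word-split and globbed.
	signature=$(cos-linux-fw_raw_signature "${firmware_file}") \
		|| die "${FUNCNAME}: could not sign '${firmware_file}'"
	[[ -n "${signature}" ]] \
		|| die "${FUNCNAME}: empty signature for '${firmware_file}'"

	# attach ima signature; setfattr takes the hex blob with a 0x prefix
	setfattr -n security.ima -v "0x${signature}" "${firmware_file}" \
		|| die "${FUNCNAME}: setting security.ima on '${firmware_file}' failed"
}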