void-packages/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-install

#!/bin/sh
#
# Kernel hook for sbsigntool.
#
# Arguments passed to this script: $1 pkgname, $2 version.
#

PKGNAME="$1"
VERSION="$2"

msg() {
	echo "sbsigntool: $1"
}

do_sign() {
	_kernel="$1"
	if [ ! -f "$_kernel" ]; then
		msg "$_kernel not found"
		return 1
	fi
	# Ignore efi file signed with this key
	if usr/bin/sbverify -c "$ROOTDIR/$EFI_CERT_FILE" "$_kernel" >/dev/null 2>&1; then
		return 0
	fi
	if ! usr/bin/sbsign ${EFI_SIGN_ENGINE:+"--engine=$EFI_SIGN_ENGINE"} \
		-k "$ROOTDIR/$EFI_KEY_FILE" -c "$ROOTDIR/$EFI_CERT_FILE" \
		"$_kernel"
	then
		msg "failed to sign $_kernel"
		return 1
	fi
	if ! usr/bin/sbverify -c "$ROOTDIR/$EFI_CERT_FILE" "$_kernel.signed"; then
		msg "failed to verify the signature"
		return 1
	fi

	if [ "x${EFI_KEEP_UNSIGNED}" = "x1" ]; then
		mv -f "$_kernel" "$_kernel.unsigned"
	fi
	mv -f "$_kernel.signed" "$_kernel"
}

. "${ROOTDIR}/etc/default/sbsigntool-kernel-hook"
if [ "x${SBSIGN_EFI_KERNEL}" != x1 ]; then
	exit 0
fi

if [ ! -f "$ROOTDIR/$EFI_KEY_FILE" ] || [ ! -f "$ROOTDIR/$EFI_CERT_FILE" ]; then
	msg "key and/or certificate is not available"
	exit 1
fi

# All POSIX comformance ls should work
if ! ls -Ll "$ROOTDIR/$EFI_KEY_FILE" "$ROOTDIR/$EFI_CERT_FILE" |
	awk '$1 !~ /^-...------$/ || $3 != "root" { exit 1 }'
then
	msg "$EFI_KEY_FILE and $EFI_CERT_FILE must be owned by root."
	msg "and not readable by other users."
	exit 1
fi

do_sign "boot/vmlinuz-$VERSION"