mirror_ubuntu-kernels/debian/scripts/checks/module-signature-check

#!/bin/bash -eu

flavor="${1}"
mods_dir="${2}"
mods_extra_dir="${3}"

skip_checks=${4:-}
case "${skip_checks,,}" in
        1|true|yes) skip_checks=1 ;;
        *) skip_checks=0 ;;
esac

echo "II: Checking signature of staging modules for ${flavor}..."

root=$(dirname "$(realpath -e "${0}")")/../../..
. "${root}"/debian/debian.env

# Collect the signature-inclusion files
sig_incs=()
for d in debian "${DEBIAN}" ; do
	if [ -f "${root}"/"${d}"/signature-inclusion ] ; then
		sig_incs+=("${root}"/"${d}"/signature-inclusion)
	fi
done

if [ "${#sig_incs[@]}" -gt 0 ] ; then
	echo "II: Use signature inclusion file(s):"
	printf "    %s\n" "${sig_incs[@]}"
	sig_all=0
else
	echo "WW: Signature inclusion file(s) missing"
	echo "II: All modules must be signed"
	sig_all=1
fi

if ! [ -d "${mods_dir}" ] ; then
	echo "EE: Modules directory missing:"
	echo "    ${mods_dir}"
	if [ ${skip_checks} -eq 1 ] ; then
		echo "WW: Explicitly asked to ignore failures"
		echo "II: Done"
		exit 0
	fi
	exit 1
fi

echo "II: Checking modules directory:"
echo "    ${mods_dir}"
mods_dirs=("${mods_dir}")

if [ -d "${mods_extra_dir}" ] ; then
	echo "    ${mods_extra_dir}"
	mods_dirs+=("${mods_extra_dir}")
fi

pass=0
fail=0
while IFS= read -r mod ; do
	is=0
	if /sbin/modinfo "${mod}" | grep -q "^signature:" ; then
		# Module is signed
		is=1
	fi

	must=0
	if [ ${sig_all} -eq 1 ] || grep -qFx "${mod##*/}" "${sig_incs[@]}" ; then
		# Module must be signed
		must=1
	fi

	case "${is}${must}" in
		00) echo "    PASS (unsigned) : ${mod##*/}" ; pass=$((pass + 1)) ;;
		01) echo "    FAIL (unsigned) : ${mod##*/}" ; fail=$((fail + 1)) ;;
		10) echo "    FAIL (signed)   : ${mod##*/}" ; fail=$((fail + 1)) ;;
		11) echo "    PASS (signed)   : ${mod##*/}" ; pass=$((pass + 1)) ;;
	esac
done < <(find "${mods_dirs[@]}" -path '*/drivers/staging/*.ko' | sort)

echo "II: Checked $((pass + fail)) modules : ${pass} PASS, ${fail} FAIL"

if [ ${fail} -ne 0 ] ; then
	if [ ${skip_checks} -eq 1 ] ; then
		echo "WW: Explicitly asked to ignore failures"
	else
		echo "EE: Modules signature failures"
		exit 1
	fi
fi

echo "II: Done"
exit 0
lowlatency-hwe-6.8-next 2024-07-02 00:48:40 +03:00			`#!/bin/bash -eu`

			`flavor="${1}"`
			`mods_dir="${2}"`
			`mods_extra_dir="${3}"`

			`skip_checks=${4:-}`
			`case "${skip_checks,,}" in`
			`1\|true\|yes) skip_checks=1 ;;`
			`*) skip_checks=0 ;;`
			`esac`

			`echo "II: Checking signature of staging modules for ${flavor}..."`

			`root=$(dirname "$(realpath -e "${0}")")/../../..`
			`. "${root}"/debian/debian.env`

			`# Collect the signature-inclusion files`
			`sig_incs=()`
			`for d in debian "${DEBIAN}" ; do`
			`if [ -f "${root}"/"${d}"/signature-inclusion ] ; then`
			`sig_incs+=("${root}"/"${d}"/signature-inclusion)`
			`fi`
			`done`

			`if [ "${#sig_incs[@]}" -gt 0 ] ; then`
			`echo "II: Use signature inclusion file(s):"`
			`printf " %s\n" "${sig_incs[@]}"`
			`sig_all=0`
			`else`
			`echo "WW: Signature inclusion file(s) missing"`
			`echo "II: All modules must be signed"`
			`sig_all=1`
			`fi`

			`if ! [ -d "${mods_dir}" ] ; then`
			`echo "EE: Modules directory missing:"`
			`echo " ${mods_dir}"`
			`if [ ${skip_checks} -eq 1 ] ; then`
			`echo "WW: Explicitly asked to ignore failures"`
			`echo "II: Done"`
			`exit 0`
			`fi`
			`exit 1`
			`fi`

			`echo "II: Checking modules directory:"`
			`echo " ${mods_dir}"`
			`mods_dirs=("${mods_dir}")`

			`if [ -d "${mods_extra_dir}" ] ; then`
			`echo " ${mods_extra_dir}"`
			`mods_dirs+=("${mods_extra_dir}")`
			`fi`

			`pass=0`
			`fail=0`
			`while IFS= read -r mod ; do`
			`is=0`
			`if /sbin/modinfo "${mod}" \| grep -q "^signature:" ; then`
			`# Module is signed`
			`is=1`
			`fi`

			`must=0`
			`if [ ${sig_all} -eq 1 ] \|\| grep -qFx "${mod##*/}" "${sig_incs[@]}" ; then`
			`# Module must be signed`
			`must=1`
			`fi`

			`case "${is}${must}" in`
			`00) echo " PASS (unsigned) : ${mod##*/}" ; pass=$((pass + 1)) ;;`
			`01) echo " FAIL (unsigned) : ${mod##*/}" ; fail=$((fail + 1)) ;;`
			`10) echo " FAIL (signed) : ${mod##*/}" ; fail=$((fail + 1)) ;;`
			`11) echo " PASS (signed) : ${mod##*/}" ; pass=$((pass + 1)) ;;`
			`esac`
			`done < <(find "${mods_dirs[@]}" -path '/drivers/staging/.ko' \| sort)`

			`echo "II: Checked $((pass + fail)) modules : ${pass} PASS, ${fail} FAIL"`

			`if [ ${fail} -ne 0 ] ; then`
			`if [ ${skip_checks} -eq 1 ] ; then`
			`echo "WW: Explicitly asked to ignore failures"`
			`else`
			`echo "EE: Modules signature failures"`
			`exit 1`
			`fi`
			`fi`

			`echo "II: Done"`
			`exit 0`