#!/bin/bash -eu flavor="${1}" mods_dir="${2}" mods_extra_dir="${3}" skip_checks=${4:-} case "${skip_checks,,}" in 1|true|yes) skip_checks=1 ;; *) skip_checks=0 ;; esac echo "II: Checking signature of staging modules for ${flavor}..." root=$(dirname "$(realpath -e "${0}")")/../../.. . "${root}"/debian/debian.env # Collect the signature-inclusion files sig_incs=() for d in debian "${DEBIAN}" ; do if [ -f "${root}"/"${d}"/signature-inclusion ] ; then sig_incs+=("${root}"/"${d}"/signature-inclusion) fi done if [ "${#sig_incs[@]}" -gt 0 ] ; then echo "II: Use signature inclusion file(s):" printf " %s\n" "${sig_incs[@]}" sig_all=0 else echo "WW: Signature inclusion file(s) missing" echo "II: All modules must be signed" sig_all=1 fi if ! [ -d "${mods_dir}" ] ; then echo "EE: Modules directory missing:" echo " ${mods_dir}" if [ ${skip_checks} -eq 1 ] ; then echo "WW: Explicitly asked to ignore failures" echo "II: Done" exit 0 fi exit 1 fi echo "II: Checking modules directory:" echo " ${mods_dir}" mods_dirs=("${mods_dir}") if [ -d "${mods_extra_dir}" ] ; then echo " ${mods_extra_dir}" mods_dirs+=("${mods_extra_dir}") fi pass=0 fail=0 while IFS= read -r mod ; do is=0 if /sbin/modinfo "${mod}" | grep -q "^signature:" ; then # Module is signed is=1 fi must=0 if [ ${sig_all} -eq 1 ] || grep -qFx "${mod##*/}" "${sig_incs[@]}" ; then # Module must be signed must=1 fi case "${is}${must}" in 00) echo " PASS (unsigned) : ${mod##*/}" ; pass=$((pass + 1)) ;; 01) echo " FAIL (unsigned) : ${mod##*/}" ; fail=$((fail + 1)) ;; 10) echo " FAIL (signed) : ${mod##*/}" ; fail=$((fail + 1)) ;; 11) echo " PASS (signed) : ${mod##*/}" ; pass=$((pass + 1)) ;; esac done < <(find "${mods_dirs[@]}" -path '*/drivers/staging/*.ko' | sort) echo "II: Checked $((pass + fail)) modules : ${pass} PASS, ${fail} FAIL" if [ ${fail} -ne 0 ] ; then if [ ${skip_checks} -eq 1 ] ; then echo "WW: Explicitly asked to ignore failures" else echo "EE: Modules signature failures" exit 1 fi fi echo "II: Done" exit 0