From: Jan Kiszka
Date: Wed, 5 Apr 2023 11:38:23 +0200
Subject: [isar-cip-core][PATCH] scripts: Address shellcheck findings
To: isar-users
Cc: Quirin Gylstorff, Srinuvasan A

From: Jan Kiszka

Mostly quoting warnings, but also a non-functional stderr>stdout redirection.

Signed-off-by: Jan Kiszka
---
 scripts/deploy-cip-core.sh | 20 ++---
 ...enerate-sb-db-from-existing-certificate.sh | 16 ++--
 scripts/generate_secure_boot_keys.sh | 82 +++++++++----------
 scripts/start-efishell.sh | 6 +-
 4 files changed, 62 insertions(+), 62 deletions(-)

diff --git a/scripts/deploy-cip-core.sh b/scripts/deploy-cip-core.sh index b185a847..186e88a4 100755 --- a/scripts/deploy-cip-core.sh +++ b/scripts/deploy-cip-core.sh @@ -4,7 +4,7 @@ set -e PATH=$PATH:~/.local/bin -if ! which aws 2>&1 >/dev/null; then +if ! which aws >/dev/null 2>&1; then echo "Installing awscli..." pip3 install wheel pip3 install awscli 
@@ -28,27 +28,27 @@ fi BASE_PATH=build/tmp/deploy/images/$TARGET/$BASE_FILENAME S3_TARGET=s3://download2.cip-project.org/cip-core/$REF/$TARGET/ -if [ -f $BASE_PATH.wic ]; then +if [ -f "${BASE_PATH}.wic" ]; then echo "Compressing $BASE_FILENAME.wic..." - xz -9 -k -T0 $BASE_PATH.wic + xz -9 -k -T0 "${BASE_PATH}.wic" echo "Uploading artifacts..." - aws s3 cp --no-progress --acl public-read $BASE_PATH.wic.xz ${S3_TARGET} + aws s3 cp --no-progress --acl public-read "${BASE_PATH}.wic.xz" "${S3_TARGET}" fi -if [ -f $BASE_PATH.tar.gz ]; then +if [ -f "${BASE_PATH}.tar.gz" ]; then echo "Uploading artifacts..." - aws s3 cp --no-progress --acl public-read $BASE_PATH.tar.gz ${S3_TARGET} + aws s3 cp --no-progress --acl public-read "${BASE_PATH}.tar.gz" "${S3_TARGET}" fi KERNEL_IMAGE="$BASE_PATH-vmlinu[xz]" # iwg20m workaround -if [ -f build/tmp/deploy/images/$TARGET/zImage ]; then +if [ -f "build/tmp/deploy/images/$TARGET/zImage" ]; then KERNEL_IMAGE=build/tmp/deploy/images/$TARGET/zImage fi -aws s3 cp --no-progress --acl public-read $KERNEL_IMAGE ${S3_TARGET} -aws s3 cp --no-progress --acl public-read $BASE_PATH-initrd.img ${S3_TARGET} +aws s3 cp --no-progress --acl public-read "$KERNEL_IMAGE" "${S3_TARGET}" +aws s3 cp --no-progress --acl public-read "${BASE_PATH}-initrd.img" "${S3_TARGET}" if [ "$DTB" != "none" ]; then - aws s3 cp --no-progress --acl public-read build/tmp/deploy/images/*/$DTB ${S3_TARGET} + aws s3 cp --no-progress --acl public-read build/tmp/deploy/images/*/"$DTB" "${S3_TARGET}" fi diff --git a/scripts/generate-sb-db-from-existing-certificate.sh b/scripts/generate-sb-db-from-existing-certificate.sh index ddaf4c95..dddd9b5f 100755 --- a/scripts/generate-sb-db-from-existing-certificate.sh +++ b/scripts/generate-sb-db-from-existing-certificate.sh 
@@ -4,16 +4,16 @@ set -e name=${SB_NAME:-snakeoil} keydir=${SB_KEYDIR:-./keys} -if [ ! -d ${keydir} ]; then - mkdir -p ${keydir} +if [ ! -d "${keydir}" ]; then + mkdir -p "${keydir}" fi inkey=${INKEY:-/usr/share/ovmf/PkKek-1-snakeoil.key} incert=${INCERT:-/usr/share/ovmf/PkKek-1-snakeoil.pem} nick_name=${IN_NICK:-snakeoil} TMP=$(mktemp -d) -mkdir -p ${keydir}/${name}certdb -certutil -N --empty-password -d ${keydir}/${name}certdb -openssl pkcs12 -export -out ${TMP}/foo_key.p12 -inkey $inkey -in $incert -name $nick_name -pk12util -i ${TMP}/foo_key.p12 -d ${keydir}/${name}certdb -cp $incert ${keydir}/$(basename $incert) -rm -rf $TMP +mkdir -p "${keydir}/${name}certdb" +certutil -N --empty-password -d "${keydir}/${name}certdb" +openssl pkcs12 -export -out "${TMP}/foo_key.p12" -inkey "$inkey" -in "$incert" -name "$nick_name" +pk12util -i "${TMP}/foo_key.p12" -d "${keydir}/${name}certdb" +cp "$incert" "${keydir}/$(basename "$incert")" +rm -rf "$TMP" diff --git a/scripts/generate_secure_boot_keys.sh b/scripts/generate_secure_boot_keys.sh index 4988a689..8be05695 100755 --- a/scripts/generate_secure_boot_keys.sh +++ b/scripts/generate_secure_boot_keys.sh 
@@ -4,51 +4,51 @@ set -e name=${SB_NAME:-demo} keydir=${SB_KEYDIR:-./keys} -if [ ! -d ${keydir} ]; then - mkdir -p ${keydir} +if [ ! -d "${keydir}" ]; then + mkdir -p "${keydir}" fi openssl req -new -x509 -newkey rsa:4096 -subj "/CN=${name}PK/" -outform PEM \ - -keyout ${keydir}/${name}PK.key -out ${keydir}/${name}PK.crt -days 3650 -nodes -sha256 + -keyout "${keydir}/${name}PK.key" -out "${keydir}/${name}PK.crt" -days 3650 -nodes -sha256 openssl req -new -x509 -newkey rsa:4096 -subj "/CN=${name}KEK/" -outform PEM \ - -keyout ${keydir}/${name}KEK.key -out ${keydir}/${name}KEK.crt -days 3650 -nodes -sha256 + -keyout "${keydir}/${name}KEK.key" -out "${keydir}/${name}KEK.crt" -days 3650 -nodes -sha256 openssl req -new -x509 -newkey rsa:4096 -subj "/CN=${name}DB/" -outform PEM \ - -keyout ${keydir}/${name}DB.key -out ${keydir}/${name}DB.crt -days 3650 -nodes -sha256 -openssl x509 -in ${keydir}/${name}PK.crt -out ${keydir}/${name}PK.cer -outform DER -openssl x509 -in ${keydir}/${name}KEK.crt -out ${keydir}/${name}KEK.cer -outform DER -openssl x509 -in ${keydir}/${name}DB.crt -out ${keydir}/${name}DB.cer -outform DER + -keyout "${keydir}/${name}DB.key" -out "${keydir}/${name}DB.crt" -days 3650 -nodes -sha256 +openssl x509 -in "${keydir}/${name}PK.crt" -out "${keydir}/${name}PK.cer" -outform DER +openssl x509 -in "${keydir}/${name}KEK.crt" -out "${keydir}/${name}KEK.cer" -outform DER +openssl x509 -in "${keydir}/${name}DB.crt" -out "${keydir}/${name}DB.cer" -outform DER -openssl pkcs12 -export -out ${keydir}/${name}DB.p12 \ - -in ${keydir}/${name}DB.crt -inkey ${keydir}/${name}DB.key -passout pass: +openssl pkcs12 -export -out "${keydir}/${name}DB.p12" \ + -in "${keydir}/${name}DB.crt" -inkey "${keydir}/${name}DB.key" -passout pass: GUID=$(uuidgen --random) -echo $GUID > ${keydir}/${name}GUID - -cert-to-efi-sig-list -g $GUID ${keydir}/${name}PK.crt ${keydir}/${name}PK.esl -cert-to-efi-sig-list -g $GUID ${keydir}/${name}KEK.crt ${keydir}/${name}KEK.esl -cert-to-efi-sig-list 
-g $GUID ${keydir}/${name}DB.crt ${keydir}/${name}DB.esl -rm -f ${keydir}/${name}noPK.esl -touch ${keydir}/${name}noPK.esl - -sign-efi-sig-list -g $GUID \ - -k ${keydir}/${name}PK.key -c ${keydir}/${name}PK.crt \ - PK ${keydir}/${name}PK.esl ${keydir}/${name}PK.auth -sign-efi-sig-list -g $GUID \ - -k ${keydir}/${name}PK.key -c ${keydir}/${name}PK.crt \ - PK ${keydir}/${name}noPK.esl ${keydir}/${name}noPK.auth -sign-efi-sig-list -g $GUID \ - -k ${keydir}/${name}PK.key -c ${keydir}/${name}PK.crt \ - KEK ${keydir}/${name}KEK.esl ${keydir}/${name}KEK.auth -sign-efi-sig-list -g $GUID \ - -k ${keydir}/${name}PK.key -c ${keydir}/${name}PK.crt \ - DB ${keydir}/${name}DB.esl ${keydir}/${name}DB.auth - -chmod 0600 ${keydir}/${name}*.key -mkdir -p ${keydir}/${name}certdb -certutil -N --empty-password -d ${keydir}/${name}certdb - -certutil -A -n 'PK' -d ${keydir}/${name}certdb -t CT,CT,CT -i ${keydir}/${name}PK.crt -pk12util -W "" -d ${keydir}/${name}certdb -i ${keydir}/${name}DB.p12 -certutil -d ${keydir}/${name}certdb -A -i ${keydir}/${name}DB.crt -n "" -t u - -certutil -d ${keydir}/${name}certdb -K -certutil -d ${keydir}/${name}certdb -L +echo "$GUID" > "${keydir}/${name}GUID" + +cert-to-efi-sig-list -g "$GUID" "${keydir}/${name}PK.crt" "${keydir}/${name}PK.esl" +cert-to-efi-sig-list -g "$GUID" "${keydir}/${name}KEK.crt" "${keydir}/${name}KEK.esl" +cert-to-efi-sig-list -g "$GUID" "${keydir}/${name}DB.crt" "${keydir}/${name}DB.esl" +rm -f "${keydir}/${name}noPK.esl" +touch "${keydir}/${name}noPK.esl" + +sign-efi-sig-list -g "$GUID" \ + -k "${keydir}/${name}PK.key" -c "${keydir}/${name}PK.crt" \ + PK "${keydir}/${name}PK.esl" "${keydir}/${name}PK.auth" +sign-efi-sig-list -g "$GUID" \ + -k "${keydir}/${name}PK.key" -c "${keydir}/${name}PK.crt" \ + PK "${keydir}/${name}noPK.esl" "${keydir}/${name}noPK.auth" +sign-efi-sig-list -g "$GUID" \ + -k "${keydir}/${name}PK.key" -c "${keydir}/${name}PK.crt" \ + KEK "${keydir}/${name}KEK.esl" "${keydir}/${name}KEK.auth" +sign-efi-sig-list 
-g "$GUID" \ + -k "${keydir}/${name}PK.key" -c "${keydir}/${name}PK.crt" \ + DB "${keydir}/${name}DB.esl" "${keydir}/${name}DB.auth" + +chmod 0600 "${keydir}/${name}"*.key +mkdir -p "${keydir}/${name}certdb" +certutil -N --empty-password -d "${keydir}/${name}certdb" + +certutil -A -n 'PK' -d "${keydir}/${name}certdb" -t CT,CT,CT -i "${keydir}/${name}PK.crt" +pk12util -W "" -d "${keydir}/${name}certdb" -i "${keydir}/${name}DB.p12" +certutil -d "${keydir}/${name}certdb" -A -i "${keydir}/${name}DB.crt" -n "" -t u + +certutil -d "${keydir}/${name}certdb" -K +certutil -d "${keydir}/${name}certdb" -L diff --git a/scripts/start-efishell.sh b/scripts/start-efishell.sh index cc8dc580..5ec85e07 100755 --- a/scripts/start-efishell.sh +++ b/scripts/start-efishell.sh @@ -10,6 +10,6 @@ qemu-system-x86_64 -enable-kvm -M q35 -nographic \ -global ICH9-LPC.disable_s3=1 \ -global isa-fdc.driveA= \ -boot menu=on \ - -drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \ - -drive if=pflash,format=raw,file=${ovmf_vars} \ - -drive file=fat:rw:$DISK + -drive if=pflash,format=raw,unit=0,readonly=on,file="${ovmf_code}" \ + -drive if=pflash,format=raw,file="${ovmf_vars}" \ + -drive file=fat:rw:"$DISK" -- 2.35.3
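Review bot: in the `which aws` hunk of scripts/deploy-cip-core.sh, shellcheck will still report SC2230 for `which` after this change; `if ! command -v aws >/dev/null 2>&1; then` uses the POSIX builtin and closes that finding as well. The redirection reordering itself is correct: `2>&1 >/dev/null` pointed stderr at the terminal before stdout was discarded, so a missing `aws` still printed the `which` error. The `pip3 install awscli` in the visible context is unpinned and pulls whatever PyPI currently serves onto the deploy host; pinning it (`pip3 install awscli==<version>`, version to be chosen) would make the deploy tooling reproducible.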
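Review bot: quoting `"$KERNEL_IMAGE"` in the `aws s3 cp` line of the second scripts/deploy-cip-core.sh hunk is a functional regression. `KERNEL_IMAGE="$BASE_PATH-vmlinu[xz]"` is a glob pattern, and the old unquoted `$KERNEL_IMAGE` relied on the shell expanding `[xz]` to whichever of vmlinux or vmlinuz exists; with the quotes the literal string ending in `-vmlinu[xz]` is handed to aws, so the kernel upload fails for every target except the iwg20m zImage workaround. Resolve the glob when the variable is set instead, e.g. `for f in "${BASE_PATH}"-vmlinu[xz]; do KERNEL_IMAGE=$f; done`, and the quoted use further down stays correct. The rest of the hunk is fine: the `*` in `build/tmp/deploy/images/*/"$DTB"` is deliberately left outside the quotes, so that glob still expands.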
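Review bot: with `set -e` in scripts/generate-sb-db-from-existing-certificate.sh, any failure between `TMP=$(mktemp -d)` and the final `rm -rf "$TMP"` (for instance `pk12util` rejecting the import) leaves `${TMP}/foo_key.p12`, which carries the private key from `$inkey`, behind in the temp directory. Registering the cleanup right after the directory is created, `trap 'rm -rf "$TMP"' EXIT`, makes the removal unconditional. The quoting changes in this hunk look correct.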
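Review bot: in scripts/generate_secure_boot_keys.sh the three `openssl req ... -nodes -keyout` calls write the unencrypted PK, KEK and DB private keys with the process umask (typically 0644), and the `chmod 0600 "${keydir}/${name}"*.key` that tightens them only runs near the end, after the .p12 export and the `sign-efi-sig-list` steps. Setting `umask 077` at the top next to `set -e` creates `${keydir}` and every key file unreadable to other users from the start and turns the later chmod into a no-op rather than a fix-up. The quoting of the `*.key` glob is done right: the variable part is quoted and the wildcard is left outside, so it still expands.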