From e9cb34f0ea846207b4a344bcdadd9742dc7a889c Mon Sep 17 00:00:00 2001 From: Carl Kittelberger Date: Tue, 16 Apr 2024 03:53:28 +0200 Subject: [PATCH] Add signing key generation + post-install secure boot-related messages. This will get rid of the "SSL error" messages related to a missing signing key. It will also aid in instructing the user on how to make the module work properly on Secure Boot. See also https://aur.archlinux.org/pkgbase/decklink#comment-967582. --- PKGBUILD | 2 +- decklink.install | 85 +++++++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 85 insertions(+), 2 deletions(-) diff --git a/PKGBUILD b/PKGBUILD index 856b9de..d22a937 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -54,7 +54,7 @@ prepare() { package_decklink() { install=decklink.install - depends=('dkms' 'qt5-base' 'libpng') + depends=('dkms' 'qt5-base' 'libpng' 'openssl') mkdir -p "$pkgdir/usr/share/licenses/$pkgbase" chmod 755 "$pkgdir/usr/share/licenses/$pkgbase" diff --git a/decklink.install b/decklink.install index 0fcf327..214441b 100644 --- a/decklink.install +++ b/decklink.install @@ -1,9 +1,92 @@ +secureboot_is_enabled() +{ + local SECUREBOOT_EFIVAR=$(ls -1 /sys/firmware/efi/efivars/SecureBoot-* 2> /dev/null) + [ -z ${SECUREBOOT_EFIVAR} ] && return 1 + [ "$(od -An -t u1 ${SECUREBOOT_EFIVAR} | rev | cut -d ' ' -f 1)" == "1" ] +} + +secureboot_is_enrolled() +{ + local KEY=$1 + mokutil --test-key "${KEY}" | grep -qF 'is already enrolled' +} + +secureboot_validation_is_enabled() +{ + ! (mokutil --sb-state | grep -qF 'validation is disabled') +} + +secureboot_create_mok() +{ + secureboot_is_enabled || return 0 + + if [ ! -f "/var/lib/blackmagic/MOK.der" ]; then + [ -d "/var/lib/blackmagic" ] || mkdir -p "/var/lib/blackmagic" + cat > "/var/lib/blackmagic/openssl.cnf" << EOF +HOME = /var/lib/blackmagic +RANDFILE = /var/lib/blackmagic/.rnd + +[ req ] +distinguished_name = req_distinguished_name +x509_extensions = v3_ca +string_mask = utf8only + +[ req_distinguished_name ] + +[ v3_ca ] +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical,CA:FALSE + +# We use extended key usage information to limit what this auto-generated +# key can be used for. +# +# codeSigning: specifies that this key is used to sign code. +# +# 1.3.6.1.4.1.2312.16.1.2: defines this key as used for module signing +# only. See https://lkml.org/lkml/2015/8/26/741. +# +extendedKeyUsage = codeSigning,1.3.6.1.4.1.2312.16.1.2 + +nsComment = "OpenSSL Generated Certificate" + +EOF + openssl req -config "/var/lib/blackmagic/openssl.cnf" \ + -subj "/CN=Desktop Video Installer Signing Key" \ + -new -x509 -newkey rsa:2048 \ + -nodes -days 36500 -outform DER \ + -keyout "/var/lib/blackmagic/MOK.priv" \ + -out "/var/lib/blackmagic/MOK.der" + rm "/var/lib/blackmagic/openssl.cnf" + echo ':: A certificate to sign the driver has been created at /var/lib/blackmagic/MOK.der. This certificate needs to be enrolled if you run Secure Boot with validation (e.g. shim).' + fi +} + +setup_secureboot() { + secureboot_create_mok + if secureboot_is_enabled; then + if command -v mokutil >/dev/null; then + if secureboot_validation_is_enabled && ! secureboot_is_enrolled "/var/lib/blackmagic/MOK.der"; then + echo ':: Please enroll /var/lib/blackmagic/MOK.der as MOK by running the following command:' + echo '::' + echo ':: mokutil --import "/var/lib/blackmagic/MOK.der"' + echo '::' + echo ':: Afterwards, reboot to complete the process. This is required to have the module working in Secure Boot mode.' + fi + fi + fi +} + post_upgrade() { if (($(vercmp $2 11.5-2) < 0)); then echo ':: In order to work the DesktopVideoHelper.service has to be started.' fi + + setup_secureboot } post_install() { echo ':: In order to work the DesktopVideoHelper.service has to be started.' -} \ No newline at end of file + + setup_secureboot +} -- 2.44.0