author | Jeremy Kerr <jeremy.kerr@canonical.com> | 2012-08-21 11:59:42 +0800 |
---|---|---|
committer | Jeremy Kerr <jeremy.kerr@canonical.com> | 2012-08-24 20:02:15 +0800 |
commit | add8d00f31dcb48bc40499eedc86fc4d5c040d84 (patch) | |
tree | 2d580044c5eefd30d3c3fe237c42fff3f626724b | |
parent | a151ffdb9d085122e0e9a18e44f79f8587478346 (diff) | |
download | sbsigntools-add8d00f31dcb48bc40499eedc86fc4d5c040d84.tar.gz |
sbkeysync: Add --keystore and --no-default-keystores options
Add a couple of options to configure the locations we read keys from
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
-rw-r--r-- | src/sbkeysync.c | 46 |
1 files changed, 40 insertions, 6 deletions
diff --git a/src/sbkeysync.c b/src/sbkeysync.c
index b354739..29898fb 100644
--- a/src/sbkeysync.c
+++ b/src/sbkeysync.c
@@ -79,7 +79,7 @@ struct efi_sigdb_desc efi_sigdb_descs[] = {
 { SIGDB_DBX, "dbx", EFI_IMAGE_SECURITY_DATABASE_GUID },
 };
-static const char *keystore_roots[] = {
+static const char *default_keystore_dirs[] = {
 "/etc/secureboot/keys",
 "/usr/share/secureboot/keys",
 };
@@ -125,6 +125,8 @@ struct sync_context {
 struct key_database *db;
 struct key_database *dbx;
 struct keystore *keystore;
+ const char **keystore_dirs;
+ unsigned int n_keystore_dirs;
 bool verbose;
 };
@@ -494,8 +496,8 @@ static int read_keystore(struct sync_context *ctx)
 keystore = talloc(ctx, struct keystore);
 list_head_init(&keystore->keys);
- for (i = 0; i < ARRAY_SIZE(keystore_roots); i++) {
- update_keystore(keystore, keystore_roots[i]);
+ for (i = 0; i < ctx->n_keystore_dirs; i++) {
+ update_keystore(keystore, ctx->keystore_dirs[i]);
 }
 ctx->keystore = keystore;
@@ -518,6 +520,8 @@ static struct option options[] = {
 { "version", no_argument, NULL, 'V' },
 { "efivars-path", required_argument, NULL, 'e' },
 { "verbose", no_argument, NULL, 'v' },
+ { "no-default-keystores", no_argument, NULL, 'd' },
+ { "keystore", required_argument, NULL, 'k' },
 { NULL, 0, NULL, 0 },
 };
@@ -528,8 +532,14 @@ static void usage(void)
 "\n"
 "Options:\n"
 "\t--efivars-path <dir> Path to efivars mountpoint\n"
- " (or regular directory for testing)\n"
- "\t--verbose Print verbose progress information\n",
+ "\t (or regular directory for testing)\n"
+ "\t--verbose Print verbose progress information\n"
+ "\t--keystore <dir> Read keys from <dir>/{db,dbx,KEK}/*\n"
+ "\t (can be specified multiple times,\n"
+ "\t first dir takes precedence)\n"
+ "\t--no-default-keystores\n"
+ "\t Don't read keys from the default\n"
+ "\t keystore dirs\n",
 toolname);
 }
@@ -538,15 +548,26 @@ static void version(void)
 printf("%s %s\n", toolname, VERSION);
 }
+static void add_keystore_dir(struct sync_context *ctx, const char *dir)
+{
+ ctx->keystore_dirs = talloc_realloc(ctx, ctx->keystore_dirs,
+ const char *, ++ctx->n_keystore_dirs);
+
+ ctx->keystore_dirs[ctx->n_keystore_dirs - 1] =
+ talloc_strdup(ctx->keystore_dirs, dir);
+}
+
 int main(int argc, char **argv)
 {
+ bool use_default_keystore_dirs;
 struct sync_context *ctx;
+ use_default_keystore_dirs = true;
 ctx = talloc_zero(NULL, struct sync_context);
 for (;;) {
 int idx, c;
- c = getopt_long(argc, argv, "e:vhV", options, &idx);
+ c = getopt_long(argc, argv, "e:dkvhV", options, &idx);
 if (c == -1)
 break;
@@ -554,6 +575,12 @@ int main(int argc, char **argv)
 case 'e':
 ctx->efivars_dir = optarg;
 break;
+ case 'd':
+ use_default_keystore_dirs = false;
+ break;
+ case 'k':
+ add_keystore_dir(ctx, optarg);
+ break;
 case 'v':
 ctx->verbose = true;
 break;
@@ -584,6 +611,13 @@ int main(int argc, char **argv)
 }
 }
+ if (use_default_keystore_dirs) {
+ unsigned int i;
+ for (i = 0; i < ARRAY_SIZE(default_keystore_dirs); i++)
+ add_keystore_dir(ctx, default_keystore_dirs[i]);
+ }
+
+ read_key_databases(ctx);
 read_keystore(ctx); |
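Review bot: The new short option string `"e:dkvhV"` declares `-k` without an argument, while the `options[]` entry added in the `@@ -518,6 +520,8 @@` hunk declares `"keystore"` as `required_argument`, so `--keystore <dir>` works but `-k <dir>` leaves `optarg` NULL (with glibc getopt) and `add_keystore_dir(ctx, NULL)` stores a NULL entry in `ctx->keystore_dirs` that `read_keystore` later hands to `update_keystore`. The fix is `c = getopt_long(argc, argv, "e:dk:vhV", options, &idx);`. Separately, `add_keystore_dir` assigns the `talloc_realloc` result straight to `ctx->keystore_dirs` after `++ctx->n_keystore_dirs` has already run, so an allocation failure (presumably a NULL return — confirm against talloc) leaves the count one too high and the following line indexes a NULL array; both that result and the `talloc_strdup` result should be checked before use, with the count only incremented on success. `main` begins in this hunk but its body continues past it.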