Load kernel module signing keys before we start doing any real work.
authorPeter Jones <pjones@redhat.com>
Tue, 23 Jul 2013 19:22:45 +0000 (15:22 -0400)
committerHarald Hoyer <harald@redhat.com>
Wed, 24 Jul 2013 08:23:09 +0000 (10:23 +0200)
This loads kernel module signing keys, so that we can verify signed
modules in secure boot mode.

Signed-off-by: Peter Jones <pjones@redhat.com>
modules.d/03modsign/load-modsign-keys.sh [new file with mode: 0644]
modules.d/03modsign/module-setup.sh [new file with mode: 0644]

diff --git a/modules.d/03modsign/load-modsign-keys.sh b/modules.d/03modsign/load-modsign-keys.sh
new file mode 100644 (file)
index 0000000..de2a1e9
--- /dev/null
@@ -0,0 +1,13 @@
+#!/bin/sh
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+#
+# Licensed under the GPLv2
+#
+# Copyright 2013 Red Hat, Inc.
+# Peter Jones <pjones@redhat.com>
+
+for x in /lib/modules/keys/* ; do
+    [ "${x}" = "/lib/modules/keys/*" ] && break
+    keyctl padd asymmetric "" @s < ${x}
+done
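Review bot: The `keyctl padd` call in the loop ignores its exit status, so a key that fails to parse or load is dropped silently. The first visible symptom would presumably be signed modules being rejected later in boot. Each file in this directory becomes a trust anchor for module verification, so I would skip anything that is not a regular file and report failures: `[ -f "${x}" ] || continue`, then `keyctl padd asymmetric "" @s < "${x}" || echo "modsign: failed to load key ${x}" >&2`. Quoting `${x}` also keeps the redirect well-defined for file names containing whitespace. A short comment explaining why the session keyring `@s` is the intended destination would help, since the script does not show how the kernel consumes keys from it.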
diff --git a/modules.d/03modsign/module-setup.sh b/modules.d/03modsign/module-setup.sh
new file mode 100644 (file)
index 0000000..8831ad5
--- /dev/null
@@ -0,0 +1,28 @@
+#!/bin/bash
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+#
+# Licensed under the GPLv2
+#
+# Copyright 2013 Red Hat, Inc.
+# Peter Jones <pjones@redhat.com>
+
+check() {
+    [ -x /usr/bin/keyctl ] || return 1
+    return 0
+}
+
+depends() {
+    return 0
+}
+
+install() {
+    inst_dir /lib/modules/keys
+    inst_binary /usr/bin/keyctl
+
+    inst_hook initqueue/pre-trigger 01 "$moddir/load-modsign-keys.sh"
+    for x in /lib/modules/keys/* ; do
+        [ "${x}" = "/lib/modules/keys/*" ] && break
+        inst_simple ${x}
+    done
+}
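Review bot: `inst_simple ${x}` in install() is unquoted, so a key file name with whitespace or glob characters is split or re-expanded before it reaches inst_simple; `inst_simple "${x}"` avoids that. The loop copies everything found in the build host's /lib/modules/keys into the image, and the companion hook then loads each file as a module-signing key at boot. Adding a `[ -f "${x}" ] || continue` guard would keep non-regular files out. A comment such as `# every file here becomes a trusted module-signing key; the directory must be writable by root only` would make the trust assumption explicit. check() returns 0 whenever /usr/bin/keyctl is executable, so the module is pulled in even on hosts with no keys; if that is intended, it deserves a one-line comment.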