1 files changed, 115 insertions, 0 deletions
diff --git a/scripts/sign-file b/scripts/sign-file
new file mode 100644
index 000000000000..e58e34e50ac5
--- /dev/null
+++ b/scripts/sign-file
@@ -0,0 +1,115 @@
+#!/bin/sh
+#
+# Sign a module file using the given key.
+#
+# Format: sign-file <key> <x509> <src-file> <dst-file>
+#
+scripts=`dirname $0`
+CONFIG_MODULE_SIG_SHA512=y
+if [ -r .config ]
+then
+    . ./.config
+fi
+key="$1"
+x509="$2"
+src="$3"
+dst="$4"
+if [ ! -r "$key" ]
+then
+    echo "Can't read private key" >&2
+    exit 2
+fi
+if [ ! -r "$x509" ]
+then
+    echo "Can't read X.509 certificate" >&2
+    exit 2
+fi
+if [ ! -r "$x509.signer" ]
+then
+    echo "Can't read Signer name" >&2
+    exit 2;
+fi
+if [ ! -r "$x509.keyid" ]
+then
+    echo "Can't read Key identifier" >&2
+    exit 2;
+fi
+#
+# Signature parameters
+#
+algo=1          # Public-key crypto algorithm: RSA
+hash=           # Digest algorithm
+id_type=1       # Identifier type: X.509
+#
+# Digest the data
+#
+dgst=
+if [ "$CONFIG_MODULE_SIG_SHA1" = "y" ]
+then
+    prologue="0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14"
+    dgst=-sha1
+    hash=2
+elif [ "$CONFIG_MODULE_SIG_SHA224" = "y" ]
+then
+    prologue="0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1C"
+    dgst=-sha224
+    hash=7
+elif [ "$CONFIG_MODULE_SIG_SHA256" = "y" ]
+then
+    prologue="0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20"
+    dgst=-sha256
+    hash=4
+elif [ "$CONFIG_MODULE_SIG_SHA384" = "y" ]
+then
+    prologue="0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30"
+    dgst=-sha384
+    hash=5
+elif [ "$CONFIG_MODULE_SIG_SHA512" = "y" ]
+then
+    prologue="0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40"
+    dgst=-sha512
+    hash=6
+else
+    echo "$0: Can't determine hash algorithm" >&2
+    exit 2
+fi
+(
+perl -e "binmode STDOUT; print pack(\"C*\", $prologue)" || exit $?
+openssl dgst $dgst -binary $src || exit $?
+) >$src.dig || exit $?
+#
+# Generate the binary signature, which will be just the integer that comprises
+# the signature with no metadata attached.
+#
+openssl rsautl -sign -inkey $key -keyform PEM -in $src.dig -out $src.sig || exit $?
+signerlen=`stat -c %s $x509.signer`
+keyidlen=`stat -c %s $x509.keyid`
+siglen=`stat -c %s $src.sig`
+#
+# Build the signed binary
+#
+(
+    cat $src || exit $?
+    echo '~Module signature appended~' || exit $?
+    cat $x509.signer $x509.keyid || exit $?
+    # Preface each signature integer with a 2-byte BE length
+    perl -e "binmode STDOUT; print pack(\"n\", $siglen)" || exit $?
+    cat $src.sig || exit $?
+    # Generate the information block
+    perl -e "binmode STDOUT; print pack(\"CCCCCxxxN\", $algo, $hash, $id_type, $signerlen, $keyidlen, $siglen + 2)" || exit $?
+) >$dst~ || exit $?
+# Permit in-place signing
+mv $dst~ $dst || exit $?

diff --git a/scripts/sign-file b/scripts/sign-file new file mode 100644 index 000000000000..e58e34e50ac5 --- /dev/null +++ b/scripts/sign-file
@@ -0,0 +1,115 @@
	1	#!/bin/sh
	2	#
	3	# Sign a module file using the given key.
	4	#
	5	# Format: sign-file <key> <x509> <src-file> <dst-file>
	6	#
	7
	8	scripts=`dirname $0`
	9
	10	CONFIG_MODULE_SIG_SHA512=y
	11	if [ -r .config ]
	12	then
	13	. ./.config
	14	fi
	15
	16	key="$1"
	17	x509="$2"
	18	src="$3"
	19	dst="$4"
	20
	21	if [ ! -r "$key" ]
	22	then
	23	echo "Can't read private key" >&2
	24	exit 2
	25	fi
	26
	27	if [ ! -r "$x509" ]
	28	then
	29	echo "Can't read X.509 certificate" >&2
	30	exit 2
	31	fi
	32	if [ ! -r "$x509.signer" ]
	33	then
	34	echo "Can't read Signer name" >&2
	35	exit 2;
	36	fi
	37	if [ ! -r "$x509.keyid" ]
	38	then
	39	echo "Can't read Key identifier" >&2
	40	exit 2;
	41	fi
	42
	43	#
	44	# Signature parameters
	45	#
	46	algo=1 # Public-key crypto algorithm: RSA
	47	hash= # Digest algorithm
	48	id_type=1 # Identifier type: X.509
	49
	50	#
	51	# Digest the data
	52	#
	53	dgst=
	54	if [ "$CONFIG_MODULE_SIG_SHA1" = "y" ]
	55	then
	56	prologue="0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14"
	57	dgst=-sha1
	58	hash=2
	59	elif [ "$CONFIG_MODULE_SIG_SHA224" = "y" ]
	60	then
	61	prologue="0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1C"
	62	dgst=-sha224
	63	hash=7
	64	elif [ "$CONFIG_MODULE_SIG_SHA256" = "y" ]
	65	then
	66	prologue="0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20"
	67	dgst=-sha256
	68	hash=4
	69	elif [ "$CONFIG_MODULE_SIG_SHA384" = "y" ]
	70	then
	71	prologue="0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30"
	72	dgst=-sha384
	73	hash=5
	74	elif [ "$CONFIG_MODULE_SIG_SHA512" = "y" ]
	75	then
	76	prologue="0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40"
	77	dgst=-sha512
	78	hash=6
	79	else
	80	echo "$0: Can't determine hash algorithm" >&2
	81	exit 2
	82	fi
	83
	84	(
	85	perl -e "binmode STDOUT; print pack(\"C*\", $prologue)" \|\| exit $?
	86	openssl dgst $dgst -binary $src \|\| exit $?
	87	) >$src.dig \|\| exit $?
	88
	89	#
	90	# Generate the binary signature, which will be just the integer that comprises
	91	# the signature with no metadata attached.
	92	#
	93	openssl rsautl -sign -inkey $key -keyform PEM -in $src.dig -out $src.sig \|\| exit $?
	94	signerlen=`stat -c %s $x509.signer`
	95	keyidlen=`stat -c %s $x509.keyid`
	96	siglen=`stat -c %s $src.sig`
	97
	98	#
	99	# Build the signed binary
	100	#
	101	(
	102	cat $src \|\| exit $?
	103	echo '~Module signature appended~' \|\| exit $?
	104	cat $x509.signer $x509.keyid \|\| exit $?
	105
	106	# Preface each signature integer with a 2-byte BE length
	107	perl -e "binmode STDOUT; print pack(\"n\", $siglen)" \|\| exit $?
	108	cat $src.sig \|\| exit $?
	109
	110	# Generate the information block
	111	perl -e "binmode STDOUT; print pack(\"CCCCCxxxN\", $algo, $hash, $id_type, $signerlen, $keyidlen, $siglen + 2)" \|\| exit $?
	112	) >$dst~ \|\| exit $?
	113
	114	# Permit in-place signing
	115	mv $dst~ $dst \|\| exit $?