[SRU][J][PATCH 5/6] UBUNTU: [Packaging] Introduce debian/scripts/sign-module
Juerg Haefliger
juerg.haefliger at canonical.com
Thu Dec 15 07:27:07 UTC 2022
BugLink: https://bugs.launchpad.net/bugs/1642368
Move the logic that determines if a module needs to be signed to a script
and extend it to also check the signature-inclusion list of derivatives.
Signed-off-by: Juerg Haefliger <juerg.haefliger at canonical.com>
Signed-off-by: Andrea Righi <andrea.righi at canonical.com>
(cherry picked from commit 2ce8907f20c3691096e27ea9ae18dd17e5c4f63c kinetic:linux)
Signed-off-by: Juerg Haefliger <juerg.haefliger at canonical.com>
---
debian/scripts/sign-module | 40 ++++++++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
create mode 100755 debian/scripts/sign-module
diff --git a/debian/scripts/sign-module b/debian/scripts/sign-module
new file mode 100755
index 000000000000..03ce543de7f8
--- /dev/null
+++ b/debian/scripts/sign-module
@@ -0,0 +1,40 @@
+#!/bin/bash -eu
+#
+# Staging drivers must not be signed if they are not listed in a
+# signature-inclusion file to prevent loading of 'unsafe' drivers in a
+# Secure Boot environment.
+#
+# Exit with status 0 if the provided module needs to be signed, 1 otherwise
+#
+
+mod=${1}
+
+# Sign the module if not a staging driver
+if [ "${mod/\/drivers\/staging\//}" = "${mod}" ] ; then
+ exit 0
+fi
+
+root=$(dirname "$(realpath -e "${0}")")/../..
+. "${root}"/debian/debian.env
+
+# Collect the signature-inclusion files
+sig_incls=()
+for d in debian "${DEBIAN}" ; do
+ if [ -f "${root}"/"${d}"/signature-inclusion ] ; then
+ sig_incls+=("${root}"/"${d}"/signature-inclusion)
+ fi
+done
+
+# Sign the module if no signature-inclusion files
+if [ ${#sig_incls[@]} -eq 0 ] ; then
+ exit 0
+fi
+
+# Sign the module if listed in signature-inclusion files
+if grep -qFx "${mod##*/}" "${sig_incls[@]}" ; then
+ exit 0
+fi
+
+# Don't sign the module
+echo "UBUNTU: Not signing ${1}"
+exit 1
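Review bot: because the script runs under `#!/bin/bash -eu`, any unexpected failure (a missing `debian/debian.env`, `realpath -e` not resolving, or `DEBIAN` being unset when `for d in debian "${DEBIAN}" ; do` expands it) ends the script with a non-zero status that the caller cannot distinguish from the deliberate `exit 1` meaning "don't sign". For Secure Boot that direction is fail-closed, since an unsigned module will not load, so it is the safe default; the cost is that a packaging error would surface only as a module quietly left unsigned, without the `UBUNTU: Not signing` line in the build log. Consider reserving a distinct exit status (for example 2) for errors and documenting it next to `Exit with status 0 if the provided module needs to be signed, 1 otherwise`, or having the caller treat anything other than 0 or 1 as a build failure.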
--
2.34.1