[secure boot]Remove sudo redundancy, fix code example comments

davidpil2002 · Dec 6, 2022 · 46b3040 · 46b3040
1 parent 48fcf94
commit 46b3040
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 28 deletions.
diff --git a/build_debian.sh b/build_debian.sh
@@ -646,25 +646,25 @@ if [[ $SECURE_UPGRADE_MODE == 'dev' || $SECURE_UPGRADE_MODE == "prod" && $SONIC_
             exit 1
         fi
 
-        sudo bash scripts/signing_secure_boot_dev.sh -a $CONFIGURED_ARCH \
-                                                     -r $FILESYSTEM_ROOT \
-                                                     -l $LINUX_KERNEL_VERSION \
-                                                     -c $SECURE_UPGRADE_DEV_SIGNING_CERT \
-                                                     -p $SECURE_UPGRADE_DEV_SIGNING_KEY
+        sudo ./scripts/signing_secure_boot_dev.sh -a $CONFIGURED_ARCH \
+                                                  -r $FILESYSTEM_ROOT \
+                                                  -l $LINUX_KERNEL_VERSION \
+                                                  -c $SECURE_UPGRADE_DEV_SIGNING_CERT \
+                                                  -p $SECURE_UPGRADE_DEV_SIGNING_KEY
     elif [[ $SECURE_UPGRADE_MODE == "prod" ]]; then
         #  Here Vendor signing should be implemented
         OUTPUT_SEC_BOOT_DIR=$FILESYSTEM_ROOT/boot
-        sudo bash scripts/signing_secure_boot_prod.sh $CONFIGURED_ARCH $FILESYSTEM_ROOT $LINUX_KERNEL_VERSION $OUTPUT_SEC_BOOT_DIR
+        sudo ./scripts/signing_secure_boot_prod.sh $CONFIGURED_ARCH $FILESYSTEM_ROOT $LINUX_KERNEL_VERSION $OUTPUT_SEC_BOOT_DIR
 
         # verifying all EFI files and kernel modules in $OUTPUT_SEC_BOOT_DIR
-        bash scripts/secure_boot_signature_verification.sh -e $OUTPUT_SEC_BOOT_DIR \
-                                                        -c $SECURE_UPGRADE_DEV_SIGNING_CERT \
-                                                        -k $FILESYSTEM_ROOT
+        sudo ./scripts/secure_boot_signature_verification.sh -e $OUTPUT_SEC_BOOT_DIR \
+                                                             -c $SECURE_UPGRADE_DEV_SIGNING_CERT \
+                                                             -k $FILESYSTEM_ROOT
 
         # verifying vmlinuz file.
-        bash scripts/secure_boot_signature_verification.sh -e $FILESYSTEM_ROOT/boot/vmlinuz-${LINUX_KERNEL_VERSION}-${CONFIGURED_ARCH} \
-                                                        -c $SECURE_UPGRADE_DEV_SIGNING_CERT \
-                                                        -k $FILESYSTEM_ROOT
+        sudo ./scripts/secure_boot_signature_verification.sh -e $FILESYSTEM_ROOT/boot/vmlinuz-${LINUX_KERNEL_VERSION}-${CONFIGURED_ARCH} \
+                                                             -c $SECURE_UPGRADE_DEV_SIGNING_CERT \
+                                                             -k $FILESYSTEM_ROOT
     fi
     echo "Secure Boot support build stage: END."
 fi

diff --git a/scripts/signing_kernel_modules.sh b/scripts/signing_kernel_modules.sh
@@ -16,8 +16,8 @@ LOCAL_EXTRACT_CERT                   path of the extract-cert tool for Extract X
 KERNEL_MODULES_DIR                   root directory of all the kernel modules to be sign by the script, if the value empty it will use the call script location as root.
 
 Runs examples:
-1. sudo bash scripts/signing_kernel_modules.sh 5.10.0-8-2 cert.pem priv-key.pem
-2. sudo bash scripts/signing_kernel_modules.sh 5.10.0-8-2 cert.pem priv-key.pem fsroot-mellanox /usr/lib/linux-kbuild-5.10/scripts/extract-cert /usr/lib/linux-kbuild-5.10/scripts/sign-file
+1. sudo bash scripts/signing_kernel_modules.sh -l 5.10.0-8-2 -c cert.pem -p priv-key.pem
+2. sudo bash scripts/signing_kernel_modules.sh -l 5.10.0-8-2 -c cert.pem priv-key.pem -k fsroot-mellanox -e /usr/lib/linux-kbuild-5.10/scripts/extract-cert -s /usr/lib/linux-kbuild-5.10/scripts/sign-file
 EOF
 }
 

diff --git a/scripts/signing_secure_boot_dev.sh b/scripts/signing_secure_boot_dev.sh
@@ -16,8 +16,8 @@ EOF
 clean_file() {
     if [ -f $1 ]; then
         echo "clean old file named: $1"
-        echo "sudo rm -f $1"
-        sudo sudo rm -f $1
+        echo "rm -f $1"
+        rm -f $1
     fi
 }
 
@@ -39,31 +39,31 @@ echo "$0 signing & verifying EFI files and Kernel Modules start ..."
 
 if [ -z ${CONFIGURED_ARCH} ]; then
     echo "ERROR: CONFIGURED_ARCH=${CONFIGURED_ARCH} is empty"
-    usage
+    print_usage
     exit 1
 fi
 
 if [ -z ${FS_ROOT} ]; then
     echo "ERROR: FS_ROOT=${FS_ROOT} is empty"
-    usage
+    print_usage
     exit 1
 fi
 
 if [ -z ${LINUX_KERNEL_VERSION} ]; then
     echo "ERROR: LINUX_KERNEL_VERSION=${LINUX_KERNEL_VERSION} is empty"
-    usage
+    print_usage
     exit 1
 fi
 
 if [ ! -f "${PEM_CERT}" ]; then
     echo "ERROR: PEM_CERT=${PEM_CERT} file does not exist"
-    usage
+    print_usage
     exit 1
 fi
 
 if [ ! -f "${PEM_PRIV_KEY}" ]; then
     echo "ERROR: PEM_PRIV_KEY=${PEM_PRIV_KEY} file does not exist"
-    usage
+    print_usage
     exit 1
 fi
 
@@ -86,13 +86,13 @@ do
 
         echo "signing efi file - full path: ${efi} filename: ${efi_filename}"
         echo "sudo ${EFI_SIGNING} -p $PEM_PRIV_KEY -c $PEM_CERT -e ${efi} -s ${efi}-signed"
-        sudo ${EFI_SIGNING} -p $PEM_PRIV_KEY -c $PEM_CERT -e ${efi} -s ${efi}-signed
+        ${EFI_SIGNING} -p $PEM_PRIV_KEY -c $PEM_CERT -e ${efi} -s ${efi}-signed
 
         # cp shim & mmx signed files to boot directory in the fs.
-        sudo cp ${efi}-signed $FS_ROOT/boot/${efi_filename}
+        cp ${efi}-signed $FS_ROOT/boot/${efi_filename}
 
         # verifying signature of mm & shim efi files.
-        sudo bash scripts/secure_boot_signature_verification.sh -c $PEM_CERT -e $FS_ROOT/boot/${efi_filename} 
+        ./scripts/secure_boot_signature_verification.sh -c $PEM_CERT -e $FS_ROOT/boot/${efi_filename} 
     fi
 done
 
@@ -106,16 +106,16 @@ CURR_VMLINUZ=$FS_ROOT/boot/vmlinuz-${LINUX_KERNEL_VERSION}-${CONFIGURED_ARCH}
 clean_file ${CURR_VMLINUZ}-signed
 
 echo "signing ${CURR_VMLINUZ} .."
-sudo ${EFI_SIGNING} -p $PEM_PRIV_KEY -c $PEM_CERT -e ${CURR_VMLINUZ} -s ${CURR_VMLINUZ}-signed
+${EFI_SIGNING} -p $PEM_PRIV_KEY -c $PEM_CERT -e ${CURR_VMLINUZ} -s ${CURR_VMLINUZ}-signed
 
 # rename signed vmlinuz with the name vmlinuz without signed suffix
-sudo mv ${CURR_VMLINUZ}-signed ${CURR_VMLINUZ}
+mv ${CURR_VMLINUZ}-signed ${CURR_VMLINUZ}
 
-sudo bash scripts/secure_boot_signature_verification.sh -c $PEM_CERT -e ${CURR_VMLINUZ}
+./scripts/secure_boot_signature_verification.sh -c $PEM_CERT -e ${CURR_VMLINUZ}
 
 #########################
 # Kernel Modules signing
 #########################
-sudo bash scripts/signing_kernel_modules.sh -l $LINUX_KERNEL_VERSION -c ${PEM_CERT} -p ${PEM_PRIV_KEY} -k ${FS_ROOT}
+./scripts/signing_kernel_modules.sh -l $LINUX_KERNEL_VERSION -c ${PEM_CERT} -p ${PEM_PRIV_KEY} -k ${FS_ROOT}
 
 echo "$0 signing & verifying EFI files and Kernel Modules DONE"