#!/bin/bash
#
# SPDX-License-Identifier: GPL-2.0
#
# Add / Remove options in kernel configuration,
# and Verify the kernel configuration afterwards.
#
# To remove options from the kernel, add the options into the flat text file
# patch/kconfig-exclusions
#
# Example:
# CONFIG_SOUND
# CONFIG_ISDN
#
# To add options into the kernel, add the options into the flat text file
# patch/kconfig-inclusions
#
# Example:
# CONFIG_AD5064=y
#
# If the option is required on all architectures, add it to the common section;
# if the option is only relevant to a specific architecture, add it to the
# section of the corresponding architecture.
# Configuration file to change
# Positional arguments, all optional:
#   $1  ARCH                         (default: amd64)
#   $2  PLATFORM                     (default: empty)
#   $3  SECURE_UPGRADE_MODE          (default: no_sign)
#   $4  SECURE_UPGRADE_SIGNING_CERT  (default: empty)
# "${N-default}" falls back only when the argument is absent, so an explicitly
# passed empty string is kept as-is.
ARCH=${1-amd64}
PLATFORM=${2-}
SECURE_UPGRADE_MODE=${3-no_sign}
SECURE_UPGRADE_SIGNING_CERT=${4-}

# Map the architecture to its build directory. Any value other than arm64 or
# armhf (including amd64 itself) resolves to the amd64 build directory; ARCH
# keeps whatever value was passed in.
case "$ARCH" in
    arm64) CONFIG_FILE_LOC=debian/build/build_arm64_none_arm64 ;;
    armhf) CONFIG_FILE_LOC=debian/build/build_armhf_none_armmp ;;
    *)     CONFIG_FILE_LOC=debian/build/build_amd64_none_amd64 ;;
esac

# Kernel configuration file that the rest of the script edits and verifies.
CONFIG_FILE="${CONFIG_FILE_LOC}/.config"
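#######################################
# Collect the option lines of one or more "[section]" blocks of a kconfig
# inclusion/exclusion file.
# Arguments:
#   $1    - path of the flat text file to read
#   $2... - section names, without the surrounding brackets
# Outputs:
#   For each requested section, in argument order, the lines between its
#   "[section]" header and the next "[...]" header (or end of file), each
#   section followed by a newline. Header lines, empty lines and any line
#   containing '#' or ';' are dropped.
#######################################
function get_section_opts(){
    local file=$1
    # Local accumulator: a direct (non-subshell) call must not leak its result
    # into the next call.
    local opts=""
    local section

    # Iterate the arguments directly instead of eval-ing "$i"; the eval form
    # read "$10" as "${1}0" once ten or more arguments were passed.
    for section in "${@:2}"; do
        # NOTE: the section name is spliced into the sed address and is
        # therefore interpreted as a regular expression. Only pass trusted,
        # literal section names (callers in this file use "common" plus the
        # ARCH/PLATFORM build arguments).
        opts+=$(sed -n '/^\['"${section}"'\]/, /^\[.*\]/p' "${file}" | grep -Ev '\[.*\]|^$|[#;]')
        opts+=$'\n'
    done
    printf '%s\n' "$opts"
}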
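#######################################
# Apply the kconfig exclusion / inclusion / force-inclusion files to the
# kernel .config and verify the result.
# Globals (read):
#   exclusion_file, inclusion_file, force_inclusion_file - input files
#   ARCH, PLATFORM               - select which sections are applied
#   CONFIG_FILE, CONFIG_FILE_LOC - the .config to edit and its directory
# Outputs:
#   Progress and mismatch messages on stdout.
# Returns:
#   0 - nothing to do, or every check passed
#   1 - an excluded option is still set after olddefconfig
#   2 - an included option does not have the requested value
#       (2 replaces 1 when both checks fail)
# The return value is the only failure signal; callers must check it.
#######################################
function process_inclusion_exclusion_files(){
    local ret=0
    local opt n v s
    local exclusion_opts inclusion_opts force_inclusion_opts
    local -a base_sections=("common")

    # Empty ARCH/PLATFORM values are left out rather than passed as empty
    # section names.
    if [[ -n "${ARCH}" ]]; then
        base_sections+=("${ARCH}")
    fi
    if [[ -n "${PLATFORM}" ]]; then
        base_sections+=("${PLATFORM}")
    fi

    echo "process_inclusion_exclusion_files Start"
    echo "debug ret=$ret 1"
    if [[ -e "${exclusion_file}" || -e "${inclusion_file}" || -e "${force_inclusion_file}" ]]; then
        # Process any exclusions in the kernel
        if [[ -f "${exclusion_file}" ]]; then
            exclusion_opts=$(get_section_opts "${exclusion_file}" "${base_sections[@]}" "${PLATFORM}-${ARCH}")
            # The here-string is quoted so the list keeps one option per line
            # on every bash version.
            while read -r opt; do
                [[ -n "$opt" && "$opt" != \#* ]] || continue
                scripts/config --file "${CONFIG_FILE}" -d "$opt"
            done <<< "${exclusion_opts}"
        fi

        # Process any inclusions in the kernel
        if [[ -f "${inclusion_file}" ]]; then
            inclusion_opts=$(get_section_opts "${inclusion_file}" "${base_sections[@]}" "${PLATFORM}-${ARCH}")
            while read -r opt; do
                [[ -n "$opt" && "$opt" != \#* ]] || continue
                # Split on the FIRST '=' so a value that itself contains '='
                # does not end up in the option name.
                n=${opt%%=*}
                v="${opt#*=}"
                scripts/config --file "${CONFIG_FILE}" -k --set-val "$n" "$v"
            done <<< "${inclusion_opts}"
        fi

        # Update the .config file to be sure it's consistent
        make -C "${CONFIG_FILE_LOC}" olddefconfig

        # Verify that the kernel options we want to remove are not in the updated configuration
        if [[ -f "${exclusion_file}" ]]; then
            echo
            echo "Checking removed kernel options..."
            while read -r opt; do
                [[ -n "$opt" && "$opt" != \#* ]] || continue
                s=$(scripts/config --file "${CONFIG_FILE}" -k --state "$opt")
                if [[ "$s" != "undef" && "$s" != "n" ]]; then
                    ret=1
                    echo "Option $opt should not be set, but is set to [$s]"
                fi
            done <<< "${exclusion_opts}"
            if (( ret == 0 )); then
                echo "No error"
            fi
        fi

        # Verify that the kernel options we want to add are now in the updated configuration
        if [[ -f "${inclusion_file}" ]]; then
            echo
            echo "Checking added kernel options..."
            while read -r opt; do
                [[ -n "$opt" && "$opt" != \#* ]] || continue
                n=${opt%%=*}
                v="${opt#*=}"
                # Drop one leading and one trailing double quote before
                # comparing with the reported state.
                v="${v/#\"/}"
                v="${v/%\"/}"
                s=$(scripts/config --file "${CONFIG_FILE}" -k --state "$n")
                if [[ "$s" != "$v" ]]; then
                    ret=2
                    echo "Option $n should be set to [$v] instead of [$s]"
                fi
            done <<< "${inclusion_opts}"
            if (( ret == 0 )); then
                echo "No error"
            fi
        fi

        # Process any force inclusions in the kernel
        # NOTE(review): these lines are appended verbatim after olddefconfig
        # and after both verification passes, so neither step validates them.
        if [[ -f "${force_inclusion_file}" ]]; then
            force_inclusion_opts=$(get_section_opts "${force_inclusion_file}" "${base_sections[@]}")
            while read -r opt; do
                [[ -n "$opt" && "$opt" != \#* ]] || continue
                # Quoted so that spaces and glob characters inside a value
                # are written unchanged.
                printf '%s\n' "$opt" >> "${CONFIG_FILE}"
            done <<< "${force_inclusion_opts}"
        fi
        echo
    fi
    echo "process_inclusion_exclusion_files Done"
    return "$ret"
}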
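# First pass: the regular exclusion / inclusion / force-inclusion files.
exclusion_file="../patch/kconfig-exclusions"
inclusion_file="../patch/kconfig-inclusions"
force_inclusion_file="../patch/kconfig-force-inclusions"
process_inclusion_exclusion_files
ret_process_inc_ex=$?

# Secure Boot support
# Runs only when the first pass verified cleanly; otherwise the script exits
# with the first pass's status.
if [[ "$ret_process_inc_ex" -eq 0 ]]; then
    echo "Secure Boot params: SECURE_UPGRADE_MODE=${SECURE_UPGRADE_MODE}, SECURE_UPGRADE_SIGNING_CERT=${SECURE_UPGRADE_SIGNING_CERT}"
    # Quoted operands: an empty mode must compare as "not dev/prod" instead of
    # producing a test syntax error.
    if [[ "${SECURE_UPGRADE_MODE}" == "dev" || "${SECURE_UPGRADE_MODE}" == "prod" ]]; then
        echo "set kconfig-secure-boot-exclusions & kconfig-secure-boot-inclusions"
        if [[ ! -f "${SECURE_UPGRADE_SIGNING_CERT}" ]]; then
            echo "ERROR: SECURE_UPGRADE_SIGNING_CERT=${SECURE_UPGRADE_SIGNING_CERT} file does not exist"
            exit 1
        fi

        exclusion_file="../patch/kconfig-secure-boot-exclusions"
        inclusion_file="../patch/kconfig-secure-boot-inclusions"
        force_inclusion_file="../patch/kconfig-force-secure-boot-inclusions"

        # save the new pub key in kernel
        # The certificate path goes into a sed replacement, where '\', '&' and
        # the '|' delimiter are special; escape them so the path is written
        # literally. The replacements are single-quoted so they stay literal
        # on every bash version.
        cert_for_sed=${SECURE_UPGRADE_SIGNING_CERT//\\/'\\'}
        cert_for_sed=${cert_for_sed//&/'\&'}
        cert_for_sed=${cert_for_sed//|/'\|'}
        # sed -i rewrites the inclusion file on disk in place.
        # NOTE(review): if that file has no CONFIG_SYSTEM_TRUSTED_KEYS= line,
        # sed changes nothing and reports no error - confirm the file always
        # carries that line.
        sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${cert_for_sed}\"|g" "${inclusion_file}"

        process_inclusion_exclusion_files
        ret_process_inc_ex=$?
        echo "Secure Boot kernel configuration done."
    else
        echo "no Secure Boot Kernel configuration required."
    fi
fi

exit "$ret_process_inc_ex"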