debian: Package split part 2

Author: nicowilliams

debian/install

@@ -1,30 +1,6 @@
-# shell scripts in the tree
-sbin/safeboot			usr/sbin/
-sbin/safeboot-tpm-unseal	usr/sbin/
+# shell script commands
 sbin/tpm2-attest		usr/sbin/
 sbin/tpm2-pcr-validate		usr/sbin/
 
-# configuration files and helper functions
-safeboot.conf			etc/safeboot/
-functions.sh			etc/safeboot/
-
-# TPM certs and a script to refresh them
-tpm-certs.txt			etc/safeboot/
-refresh-certs			etc/safeboot/
-certs/*				etc/safeboot/certs/
-
-# Compiled with modifications from source
-# to add support for the pkcs11 engine (sbsign),
-# hostnames and small qrcodes (tpm2-totp), 
-# and bundle all tpm2 applications in a single script (tpm2)
-bin/sbsign.safeboot		usr/sbin/
-bin/sign-efi-sig-list.safeboot	usr/sbin/
-bin/tpm2-totp			usr/sbin/
-bin/tpm2			usr/sbin/
-
-# scripts to interface with secure boot in the initramfs
-initramfs/hooks/dmverity-root	etc/initramfs-tools/hooks/
-initramfs/hooks/safeboot-hooks	etc/initramfs-tools/hooks/
-initramfs/scripts/dmverity-root	etc/initramfs-tools/scripts/local-premount/
-initramfs/scripts/blockdev-readonly etc/initramfs-tools/scripts/local-premount/
-initramfs/scripts/safeboot-bootmode etc/initramfs-tools/scripts/init-top/
+# libexec shell scripts
+sbin/getkeytab			usr/libexec/safeboot/

debian/safeboot-attest-client.install

@@ -1,30 +1,14 @@
 # shell scripts in the tree
-sbin/safeboot			usr/sbin/
-sbin/safeboot-tpm-unseal	usr/sbin/
-sbin/tpm2-attest		usr/sbin/
-sbin/tpm2-pcr-validate		usr/sbin/
-
-# configuration files and helper functions
-safeboot.conf			etc/safeboot/
-functions.sh			etc/safeboot/
-
-# TPM certs and a script to refresh them
-tpm-certs.txt			etc/safeboot/
-refresh-certs			etc/safeboot/
-certs/*				etc/safeboot/certs/
-
-# Compiled with modifications from source
-# to add support for the pkcs11 engine (sbsign),
-# hostnames and small qrcodes (tpm2-totp), 
-# and bundle all tpm2 applications in a single script (tpm2)
-bin/sbsign.safeboot		usr/sbin/
-bin/sign-efi-sig-list.safeboot	usr/sbin/
-bin/tpm2-totp			usr/sbin/
-bin/tpm2			usr/sbin/
-
-# scripts to interface with secure boot in the initramfs
-initramfs/hooks/dmverity-root	etc/initramfs-tools/hooks/
-initramfs/hooks/safeboot-hooks	etc/initramfs-tools/hooks/
-initramfs/scripts/dmverity-root	etc/initramfs-tools/scripts/local-premount/
-initramfs/scripts/blockdev-readonly etc/initramfs-tools/scripts/local-premount/
-initramfs/scripts/safeboot-bootmode etc/initramfs-tools/scripts/init-top/
+sbin/attest-enroll		usr/sbin/
+sbin/attest-verify
+sbin/attest-server		usr/sbin/
+# XXX
+sbin/attest-server-sub.py	usr/sbin/
+
+# These are delivered by safeboot-attest-client for now until we split them up
+# sbin/tpm2-attest		usr/sbin/
+# sbin/tpm2-pcr-validate		usr/sbin/
+
+# libexec shell scripts
+sbin/gencert			usr/libexec/safeboot/
+sbin/genkeytab			usr/libexec/safeboot/

debian/safeboot-attest-server.install

@@ -1,26 +1,13 @@
 # shell scripts in the tree
 sbin/safeboot			usr/sbin/
 sbin/safeboot-tpm-unseal	usr/sbin/
-sbin/tpm2-attest		usr/sbin/
-sbin/tpm2-pcr-validate		usr/sbin/
-
-# configuration files and helper functions
-safeboot.conf			etc/safeboot/
-functions.sh			etc/safeboot/
-
-# TPM certs and a script to refresh them
-tpm-certs.txt			etc/safeboot/
-refresh-certs			etc/safeboot/
-certs/*				etc/safeboot/certs/
 
 # Compiled with modifications from source
 # to add support for the pkcs11 engine (sbsign),
 # hostnames and small qrcodes (tpm2-totp), 
 # and bundle all tpm2 applications in a single script (tpm2)
 bin/sbsign.safeboot		usr/sbin/
 bin/sign-efi-sig-list.safeboot	usr/sbin/
-bin/tpm2-totp			usr/sbin/
-bin/tpm2			usr/sbin/
 
 # scripts to interface with secure boot in the initramfs
 initramfs/hooks/dmverity-root	etc/initramfs-tools/hooks/

debian/safeboot-boot.install

@@ -1,30 +1,5 @@
-# shell scripts in the tree
-sbin/safeboot			usr/sbin/
-sbin/safeboot-tpm-unseal	usr/sbin/
-sbin/tpm2-attest		usr/sbin/
-sbin/tpm2-pcr-validate		usr/sbin/
-
-# configuration files and helper functions
-safeboot.conf			etc/safeboot/
-functions.sh			etc/safeboot/
-
-# TPM certs and a script to refresh them
-tpm-certs.txt			etc/safeboot/
-refresh-certs			etc/safeboot/
-certs/*				etc/safeboot/certs/
-
 # Compiled with modifications from source
 # to add support for the pkcs11 engine (sbsign),
 # hostnames and small qrcodes (tpm2-totp), 
 # and bundle all tpm2 applications in a single script (tpm2)
-bin/sbsign.safeboot		usr/sbin/
-bin/sign-efi-sig-list.safeboot	usr/sbin/
-bin/tpm2-totp			usr/sbin/
 bin/tpm2			usr/sbin/
-
-# scripts to interface with secure boot in the initramfs
-initramfs/hooks/dmverity-root	etc/initramfs-tools/hooks/
-initramfs/hooks/safeboot-hooks	etc/initramfs-tools/hooks/
-initramfs/scripts/dmverity-root	etc/initramfs-tools/scripts/local-premount/
-initramfs/scripts/blockdev-readonly etc/initramfs-tools/scripts/local-premount/
-initramfs/scripts/safeboot-bootmode etc/initramfs-tools/scripts/init-top/

debian/safeboot-tpm2-tools.install

@@ -1,30 +1,5 @@
-# shell scripts in the tree
-sbin/safeboot			usr/sbin/
-sbin/safeboot-tpm-unseal	usr/sbin/
-sbin/tpm2-attest		usr/sbin/
-sbin/tpm2-pcr-validate		usr/sbin/
-
-# configuration files and helper functions
-safeboot.conf			etc/safeboot/
-functions.sh			etc/safeboot/
-
-# TPM certs and a script to refresh them
-tpm-certs.txt			etc/safeboot/
-refresh-certs			etc/safeboot/
-certs/*				etc/safeboot/certs/
-
 # Compiled with modifications from source
 # to add support for the pkcs11 engine (sbsign),
 # hostnames and small qrcodes (tpm2-totp), 
 # and bundle all tpm2 applications in a single script (tpm2)
-bin/sbsign.safeboot		usr/sbin/
-bin/sign-efi-sig-list.safeboot	usr/sbin/
 bin/tpm2-totp			usr/sbin/
-bin/tpm2			usr/sbin/
-
-# scripts to interface with secure boot in the initramfs
-initramfs/hooks/dmverity-root	etc/initramfs-tools/hooks/
-initramfs/hooks/safeboot-hooks	etc/initramfs-tools/hooks/
-initramfs/scripts/dmverity-root	etc/initramfs-tools/scripts/local-premount/
-initramfs/scripts/blockdev-readonly etc/initramfs-tools/scripts/local-premount/
-initramfs/scripts/safeboot-bootmode etc/initramfs-tools/scripts/init-top/

debian/safeboot-tpm2-totp.install

@@ -1,30 +1,8 @@
-# shell scripts in the tree
-sbin/safeboot			usr/sbin/
-sbin/safeboot-tpm-unseal	usr/sbin/
-sbin/tpm2-attest		usr/sbin/
-sbin/tpm2-pcr-validate		usr/sbin/
-
-# configuration files and helper functions
-safeboot.conf			etc/safeboot/
+# Shell functions library
 functions.sh			etc/safeboot/
+functions.sh			usr/lib/safeboot/
 
 # TPM certs and a script to refresh them
-tpm-certs.txt			etc/safeboot/
-refresh-certs			etc/safeboot/
-certs/*				etc/safeboot/certs/
-
-# Compiled with modifications from source
-# to add support for the pkcs11 engine (sbsign),
-# hostnames and small qrcodes (tpm2-totp), 
-# and bundle all tpm2 applications in a single script (tpm2)
-bin/sbsign.safeboot		usr/sbin/
-bin/sign-efi-sig-list.safeboot	usr/sbin/
-bin/tpm2-totp			usr/sbin/
-bin/tpm2			usr/sbin/
-
-# scripts to interface with secure boot in the initramfs
-initramfs/hooks/dmverity-root	etc/initramfs-tools/hooks/
-initramfs/hooks/safeboot-hooks	etc/initramfs-tools/hooks/
-initramfs/scripts/dmverity-root	etc/initramfs-tools/scripts/local-premount/
-initramfs/scripts/blockdev-readonly etc/initramfs-tools/scripts/local-premount/
-initramfs/scripts/safeboot-bootmode etc/initramfs-tools/scripts/init-top/
+tpm-certs.txt                   usr/share/safeboot/
+refresh-certs                   usr/share/safeboot/
+certs/*                         usr/share/safeboot/certs/

debian/safeboot.install

@@ -24,8 +24,17 @@ safeboot_dir() {
 	[[ -n $1 ]]	\
 	|| die "Internal error in caller of safeboot_dir"
 	case "$1" in
-	bin)	echo "$TOP/bin";;
+	bin)	echo "$TOP/sbin";;
 	lib)	echo "$TOP/lib";;
+	libexec|share)
+		if [[ $TOP = /usr && -d /usr/${1}/safeboot ]]; then
+			echo "/usr/${1}/safeboot"
+		elif [[ -d $TOP/${1} ]]; then
+			echo "$TOP/${1}"
+		else
+			echo "/etc/safeboot"
+		fi;;
+	certs)	echo "$(safeboot_dir libexec)/certs";;
 	etc)	if [[ $TOP = /usr ]]; then
 			echo "/etc/safeboot"
 		elif [[ -d $TOP/etc/safeboot ]]; then

functions.sh

@@ -394,7 +394,7 @@ verify()
 
 	QUOTE_TAR="$1"
 	NONCE="$2"
-	CA_ROOT="${3:-$PREFIX$DIR/certs}"
+	CA_ROOT="${3:-$(safeboot_dir certs)}"
 
 	unpack-quote "$QUOTE_TAR" \
 	|| die "$QUOTE_TAR: unable to unpack"