Rationalize BASEDIR/TOP/PREFIX/DIR

functions.sh

@@ -20,6 +20,37 @@ error() { echo "$@" >&2 ; return 1 ; }
 info() { ((${VERBOSE:-0})) && echo "$@" >&2 ; return 0 ; }
 debug() { ((${VERBOSE:-0})) && echo "$@" >&2 ; return 0 ; }
 
+safeboot_dir() {
+	[[ -n $1 ]]	\
+	|| die "Internal error in caller of safeboot_dir"
+	case "$1" in
+	bin)	echo "$TOP/bin";;
+	lib)	echo "$TOP/lib";;
+	etc)	if [[ $TOP = /usr ]]; then
+			echo "/etc/safeboot"
+		elif [[ -d $TOP/etc/safeboot ]]; then
+			echo "$TOP/etc/safeboot"
+		elif [[ -d $TOP/etc && -f $TOP/etc/safeboot.conf ]]; then
+			echo "$TOP/etc"
+		elif [[ -d $TOP && -f $TOP/safeboot.conf ]]; then
+			echo "$TOP"
+		elif [[ -d /etc/safeboot ]]; then
+			echo "$TOP/etc"
+		else
+			die "Cannot find 'etc' directory for Safeboot"
+		fi;;
+	*)	die "Internal error in caller of safeboot_dir";;
+	esac
+}
+safeboot_file() {
+	local dir
+
+	[[ -n $1 && -n $2 ]]	\
+	|| die "Internal error in caller of safeboot_file"
+
+	dir="$(safeboot_dir "$1")"
+	echo "${dir}/$2"
+}
 
 ########################################
 #

sbin/attest-enroll

@@ -13,26 +13,35 @@ set -euo pipefail
 shopt -s extglob
 
 PROG=${0##*/}
-if [[ $0 = /* ]]; then
-	BASEDIR=${0%/*}
-elif [[ $0 = */* ]]; then
-	BASEDIR=$PWD/${0%/*}
+BINDIR=$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")
+TOP=$(dirname "$BINDIR")
+
+if [[ -s $TOP/lib/safeboot/functions.sh ]]; then
+	# shellcheck source=functions.sh
+	. "$TOP/lib/safeboot/functions.sh"
+elif [[ -s $TOP/functions.sh ]]; then
+	# shellcheck source=functions.sh
+	. "$TOP/functions.sh"
 else
-	BASEDIR=$PWD
+	echo "Unable to find Safeboot function library" 1>&2
+	exit 1
 fi
 
 # Make sure to export SAFEBOOT_ENROLL_CONF for external genprogs
 #
 # If one or more -C options given, use the first one for this (see getopts
 # loop below).
-export SAFEBOOT_ENROLL_CONF=/etc/safeboot-enroll.conf
-CONF=$SAFEBOOT_ENROLL_CONF
+cf=$(safeboot_file etc safeboot.conf)
+if [[ -n $cf && -f $cf ]]; then
+	export SAFEBOOT_ENROLL_CONF=/etc/safeboot/enroll.conf
+	CONF=$SAFEBOOT_ENROLL_CONF
+fi
 configured=false
 
 EKPUB=/dev/stdin
 
 # Configuration variables
-DBDIR="$BASEDIR/build/attest"
+DBDIR="$TOP/build/attest"
 POLICY=
 ESCROW_POLICY=
 ESCROW_PUBS_DIR=
@@ -81,9 +90,6 @@ configs() {
 	done
 }
 
-# shellcheck disable=SC1090
-. "$BASEDIR/../functions.sh"
-
 die() { echo >&2 "Error: $PROG" "$@" ; exit 1 ; }
 warn() { echo >&2 "$@" ; }
 

sbin/gencert

@@ -6,12 +6,18 @@ set -euo pipefail
 shopt -s extglob
 
 PROG=${0##*/}
-if [[ $0 = /* ]]; then
-	BASEDIR=${0%/*}
-elif [[ $0 = */* ]]; then
-	BASEDIR=$PWD/${0%/*}
+BINDIR=$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")
+TOP=$(dirname "$BINDIR")
+
+if [[ -s $TOP/lib/safeboot/functions.sh ]]; then
+	# shellcheck disable=SC1090 source=functions.sh
+	. "$TOP/lib/safeboot/functions.sh"
+elif [[ -s $TOP/functions.sh ]]; then
+	# shellcheck disable=SC1090 source=functions.sh
+	. "$TOP/functions.sh"
 else
-	BASEDIR=$PWD
+	echo "Unable to find Safeboot function library" 1>&2
+	exit 1
 fi
 
 GENCERT_CRED=PEM-FILE:/etc/safeboot/gencert-ca.pem
@@ -22,13 +28,12 @@ GENCERT_INCLUDE_SAN_DNSNAME=false
 GENCERT_EKUS=()
 declare -A GENCERT_DOMAIN_REALM
 
-: "${SAFEBOOT_ENROLL_CONF:=/etc/safeboot-enroll.conf}"
-# shellcheck disable=SC1090
-[[ -n $SAFEBOOT_ENROLL_CONF && -f $SAFEBOOT_ENROLL_CONF ]] \
-&& . "${SAFEBOOT_ENROLL_CONF}"
-
-# shellcheck disable=SC1090
-. "$BASEDIR/../functions.sh"
+cf=$(safeboot_file etc enroll.conf)
+if [[ -n $cf && -f $cf ]]; then
+	# shellcheck disable=SC1090
+	. "$cf"
+	export SAFEBOOT_ENROLL_CONF="$cf"
+fi
 
 die() { echo "skip: $*"; echo >&2 "Error: $PROG" "$@" ; exit 1 ; }
 warn() { echo >&2 "$@" ; }

sbin/genkeytab

@@ -6,12 +6,18 @@ set -euo pipefail
 shopt -s extglob
 
 PROG=${0##*/}
-if [[ $0 = /* ]]; then
-	BASEDIR=${0%/*}
-elif [[ $0 = */* ]]; then
-	BASEDIR=$PWD/${0%/*}
+BINDIR=$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")
+TOP=$(dirname "$BINDIR")
+
+if [[ -s $TOP/lib/safeboot/functions.sh ]]; then
+	# shellcheck disable=SC1090 source=functions.sh
+	. "$TOP/lib/safeboot/functions.sh"
+elif [[ -s $TOP/functions.sh ]]; then
+	# shellcheck disable=SC1090 source=functions.sh
+	. "$TOP/functions.sh"
 else
-	BASEDIR=$PWD
+	echo "Unable to find Safeboot function library" 1>&2
+	exit 1
 fi
 
 # Keytab gen methods:
@@ -36,13 +42,13 @@ curl_opts=(
 		--negotiate
 )
 
-: "${SAFEBOOT_ENROLL_CONF:=/etc/safeboot-enroll.conf}"
-# shellcheck disable=SC1090
-[[ -n $SAFEBOOT_ENROLL_CONF && -f $SAFEBOOT_ENROLL_CONF ]] \
-&& . "${SAFEBOOT_ENROLL_CONF}"
 
-# shellcheck disable=SC1090
-. "$BASEDIR/../functions.sh"
+cf=$(safeboot_file etc enroll.conf)
+if [[ -n $cf && -f $cf ]]; then
+	# shellcheck disable=SC1090
+	. "$cf"
+	export SAFEBOOT_ENROLL_CONF="$cf"
+fi
 
 die() { echo >&2 "Error: $PROG" "$@" ; exit 1 ; }
 warn() { echo >&2 "$@" ; }

sbin/getkeytab

@@ -7,7 +7,20 @@ shopt -s extglob
 umask 077
 
 PROG=${0##*/}
-BASEDIR=$(dirname "$( dirname "$(readlink -f "${BASH_SOURCE[0]}")" )")
+BINDIR=$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")
+TOP=$(dirname "$BINDIR")
+
+if [[ -s $TOP/lib/safeboot/functions.sh ]]; then
+	# shellcheck disable=SC1090 source=functions.sh
+	. "$TOP/lib/safeboot/functions.sh"
+elif [[ -s $TOP/functions.sh ]]; then
+	# shellcheck disable=SC1090 source=functions.sh
+	. "$TOP/functions.sh"
+else
+	echo "Unable to find Safeboot function library" 1>&2
+	exit 1
+fi
+
 
 declare -A GETCERT_DOMAIN_REALM
 KEYTAB=FILE:/etc/krb5.keytab
@@ -23,19 +36,23 @@ curl_opts=(
 	--negotiate
 )
 
-: "${PREFIX:=}"
-: "${DIR:=/etc/safeboot}"
-SAFEBOOT_CONF=${PREFIX}${DIR}/safeboot.conf
-# shellcheck disable=SC1090
-[[ -n $SAFEBOOT_CONF && -f $SAFEBOOT_CONF ]]	\
-&& . "${SAFEBOOT_CONF}"
-
-# shellcheck disable=SC1090
-. "$BASEDIR/../functions.sh"
-
-: "${CERT_KEY:=${PREFIX}${DIR}/cert-key.pem}"
-: "${CERT:=${PREFIX}${DIR}/cert.pem}"
+cf=$(safeboot_file etc safeboot.conf)
+if [[ -n $cf && -f $cf ]]; then
+	# shellcheck disable=SC1090
+	. "$cf"
+	export SAFEBOOT_CONF="$cf"
+else
+	warn "${cf:-/etc/safeboot/safeboot.conf} not present; was it installed?"
+fi
+cf=$(safeboot_file etc local.conf)
+if [[ -n $cf && -f $cf ]]; then
+	# shellcheck disable=SC1090
+	. "$cf"
+fi
+DIR=$(safeboot_dir etc)
 
+: "${CERT_KEY:=${DIR}/cert-key.pem}"
+: "${CERT:=${DIR}/cert.pem}"
 [[ -f $CERT_KEY &&  -f $CERT ]]			\
 || die "Could not get PKINIT certificate for impersonation"
 

sbin/safeboot

@@ -24,35 +24,49 @@
 set -e -o pipefail
 export LC_ALL=C
 
-: "${PREFIX:=}"
-: "${DIR:=/etc/safeboot}"
-
-# shellcheck source=functions.sh
-. "$PREFIX$DIR/functions.sh"
+BINDIR=$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")
+TOP=$(dirname "$BINDIR")
+
+if [[ -s $TOP/lib/safeboot/functions.sh ]]; then
+	# shellcheck source=functions.sh
+	. "$TOP/lib/safeboot/functions.sh"
+elif [[ -s $TOP/functions.sh ]]; then
+	# shellcheck source=functions.sh
+	. "$TOP/functions.sh"
+else
+	echo "Unable to find Safeboot function library" 1>&2
+	exit 1
+fi
 
-if [ -r "$PREFIX$DIR/safeboot.conf" ]; then
-	# shellcheck source=safeboot.conf
-	. $PREFIX$DIR/safeboot.conf
+: "${PREFIX:=}"
+cf=$(safeboot_file etc safeboot.conf)
+if [[ -n $cf && -f $cf ]]; then
+	# shellcheck disable=SC1090
+	. "$cf"
+	export SAFEBOOT_CONF="$cf"
 else
-	warn "$PREFIX$DIR/safeboot.conf not present; was it installed?"
+	warn "${cf:-/etc/safeboot/safeboot.conf} not present; was it installed?"
 fi
-if [ -r "$PREFIX$DIR/local.conf" ]; then
-	# shellcheck source=local.conf
-	. $PREFIX$DIR/local.conf
+cf=$(safeboot_file etc local.conf)
+if [[ -n $cf && -f $cf ]]; then
+	# shellcheck disable=SC1090
+	. "$cf"
 fi
+: "${DIR:="$(safeboot_dir etc)"}"
+
+setup
 
-# Apply $PREFIX to files and use default value
-CERT=$PREFIX${CERT:-$DIR/cert.pem}
-KERNEL=$PREFIX${KERNEL:-/boot/vmlinuz}
-INITRD=$PREFIX${INITRD:-/boot/initrd.img}
-EFIDIR=$PREFIX${EFIDIR:-/boot/efi/EFI}
+: "${KERNEL:=/boot/vmlinuz}"
+: "${INITRD:=/boot/initrd.img}"
+: "${EFIDIR:=/boot/efi/EFI}"
+:   "${CERT:=$DIR/cert.pem}"
 
 if [ "$KEY" == "pkcs11:" ]; then
 	# KEY is a hardware token, use the yubikey engine
 	KEY_ENGINE="-e pkcs11"
 else
 	# KEY is a normal file, don't use an openssl engine
-	KEY=$PREFIX${KEY:-$DIR/cert.priv}
+	KEY=${KEY:-$DIR/cert.priv}
 	KEY_ENGINE=""
 fi
 
@@ -89,7 +103,7 @@ rootdev-check()
 	fi
 
 	if [ "$TEST_ROOTDEV" = 1 ]; then
-		warn "$PREFXI$DIR/local.conf: setting \$ROOTDEV=$ROOTDEV"
+		warn "$PREFIX$DIR/local.conf: setting \$ROOTDEV=$ROOTDEV"
 		echo "ROOTDEV=\"$ROOTDEV\"" >> $PREFIX$DIR/local.conf \
 		|| die "$PREFIX$DIR/local.conf: Unable to set \$ROOTDEV"
 		TEST_ROOTDEV=0
@@ -114,7 +128,7 @@ rootdev-check()
 	fi
 
 	if [ "$TEST_HASHDEV" = 1 ]; then
-		warn "$PREFXI$DIR/local.conf: setting \$HASHDEV=$HASHDEV"
+		warn "$PREFIX$DIR/local.conf: setting \$HASHDEV=$HASHDEV"
 		echo "HASHDEV=\"$HASHDEV\"" >> $PREFIX$DIR/local.conf \
 		|| die "$PREFIX$DIR/local.conf: Unable to set \$HASHDEV"
 		TEST_HASHDEV=0

sbin/tpm2-attest

@@ -20,21 +20,36 @@ export LC_ALL=C
 unset CDPATH
 
 # Find the directory that contains functions.sh
-TOP="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && cd .. && pwd )"
 
-: "${PREFIX:=}"
-: "${DIR:=/etc/safeboot}"
+BINDIR=$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")
+TOP=$(dirname "$BINDIR")
 
-. "$TOP/functions.sh"
-
-if [ -r "$PREFIX$DIR/safeboot.conf" ]; then
-	. $PREFIX$DIR/safeboot.conf
+if [[ -s $TOP/lib/safeboot/functions.sh ]]; then
+	# shellcheck source=functions.sh
+	. "$TOP/lib/safeboot/functions.sh"
+elif [[ -s $TOP/functions.sh ]]; then
+	# shellcheck source=functions.sh
+	. "$TOP/functions.sh"
 else
-	warn "$PREFIX$DIR/safeboot.conf not present?"
+	echo "Unable to find Safeboot function library" 1>&2
+	exit 1
+fi
+
+cf=$(safeboot_file etc safeboot.conf)
+if [[ -n $cf && -f $cf ]]; then
+	# shellcheck disable=SC1090
+	. "$cf"
+	export SAFEBOOT_CONF="$cf"
 fi
-if [ -r "$PREFIX$DIR/local.conf" ]; then
-	. $PREFIX$DIR/local.conf
+cf=$(safeboot_file etc local.conf)
+if [[ -n $cf && -f $cf ]]; then
+	# shellcheck disable=SC1090
+	. "$cf"
 fi
+: "${PREFIX:=}"
+: "${DIR:=/etc/safeboot}"
+
+setup
 
 # Apply $PREFIX to files and use default value
 [[ -n ${CERT:-} && ${CERT} != /* ]]	\