From: Jan Kiszka <jan.kiszka@siemens.com>
To: cip-dev <cip-dev@lists.cip-project.org>
Cc: Quirin Gylstorff <quirin.gylstorff@siemens.com>,
	Srinuvasan A <srinuvasan.a@siemens.com>
Subject: [isar-cip-core][PATCH] scripts: Address shellcheck findings
Date: Wed, 5 Apr 2023 11:41:53 +0200	[thread overview]
Message-ID: <1f6ac84a-96ad-711a-11db-f541130c0608@siemens.com> (raw)

From: Jan Kiszka <jan.kiszka@siemens.com>

Mostly quoting warnings, but also a non-functional stderr>stdout
redirection.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 scripts/deploy-cip-core.sh                    | 20 ++---
 ...enerate-sb-db-from-existing-certificate.sh | 16 ++--
 scripts/generate_secure_boot_keys.sh          | 82 +++++++++----------
 scripts/start-efishell.sh                     |  6 +-
 4 files changed, 62 insertions(+), 62 deletions(-)

diff --git a/scripts/deploy-cip-core.sh b/scripts/deploy-cip-core.sh
index b185a847..186e88a4 100755
--- a/scripts/deploy-cip-core.sh
+++ b/scripts/deploy-cip-core.sh
@@ -4,7 +4,7 @@ set -e
 
 PATH=$PATH:~/.local/bin
 
-if ! which aws 2>&1 >/dev/null; then
+if ! which aws >/dev/null 2>&1; then
 	echo "Installing awscli..."
 	pip3 install wheel
 	pip3 install awscli
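Review bot: The presence test on the new `if` line still relies on `which`, an external tool whose exit status and output differ between distributions; the POSIX builtin form `if ! command -v aws >/dev/null 2>&1; then` is the more dependable check. The fallback branch in the context lines then runs `pip3 install awscli` with no version pin or hash check, in a job that presumably carries upload credentials for the later `aws s3 cp` calls, so whatever PyPI serves at that moment runs with those credentials. Pinning the version or installing from a vetted image would close that. The rest of the script lies outside this hunk.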
@@ -28,27 +28,27 @@ fi
 BASE_PATH=build/tmp/deploy/images/$TARGET/$BASE_FILENAME
 S3_TARGET=s3://download2.cip-project.org/cip-core/$REF/$TARGET/
 
-if [ -f $BASE_PATH.wic ]; then
+if [ -f "${BASE_PATH}.wic" ]; then
 	echo "Compressing $BASE_FILENAME.wic..."
-	xz -9 -k -T0 $BASE_PATH.wic
+	xz -9 -k -T0 "${BASE_PATH}.wic"
 
 	echo "Uploading artifacts..."
-	aws s3 cp --no-progress --acl public-read $BASE_PATH.wic.xz ${S3_TARGET}
+	aws s3 cp --no-progress --acl public-read "${BASE_PATH}.wic.xz" "${S3_TARGET}"
 fi
 
-if [ -f $BASE_PATH.tar.gz ]; then
+if [ -f "${BASE_PATH}.tar.gz" ]; then
 	echo "Uploading artifacts..."
-	aws s3 cp --no-progress --acl public-read $BASE_PATH.tar.gz ${S3_TARGET}
+	aws s3 cp --no-progress --acl public-read "${BASE_PATH}.tar.gz" "${S3_TARGET}"
 fi
 
 KERNEL_IMAGE="$BASE_PATH-vmlinu[xz]"
 # iwg20m workaround
-if [ -f build/tmp/deploy/images/$TARGET/zImage ]; then
+if [ -f "build/tmp/deploy/images/$TARGET/zImage" ]; then
 	KERNEL_IMAGE=build/tmp/deploy/images/$TARGET/zImage
 fi
-aws s3 cp --no-progress --acl public-read $KERNEL_IMAGE ${S3_TARGET}
-aws s3 cp --no-progress --acl public-read $BASE_PATH-initrd.img ${S3_TARGET}
+aws s3 cp --no-progress --acl public-read "$KERNEL_IMAGE" "${S3_TARGET}"
+aws s3 cp --no-progress --acl public-read "${BASE_PATH}-initrd.img" "${S3_TARGET}"
 
 if [ "$DTB" != "none" ]; then
-	aws s3 cp --no-progress --acl public-read build/tmp/deploy/images/*/$DTB ${S3_TARGET}
+	aws s3 cp --no-progress --acl public-read build/tmp/deploy/images/*/"$DTB" "${S3_TARGET}"
 fi
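Review bot: Quoting `"$KERNEL_IMAGE"` in the first of the two final `aws s3 cp` lines stops the shell from expanding the `vmlinu[xz]` pattern stored by `KERNEL_IMAGE="$BASE_PATH-vmlinu[xz]"`, so aws receives the literal pattern as a file name and, under `set -e`, the upload aborts for every target that does not take the zImage branch. The old unquoted form depended on that pathname expansion. Either keep the expansion deliberately, with `# shellcheck disable=SC2086 # pattern must expand` above `aws s3 cp --no-progress --acl public-read $KERNEL_IMAGE "${S3_TARGET}"`, or resolve the pattern to one existing file before the upload. The DTB line shows the working shape, where the `*` stays outside the quotes.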
diff --git a/scripts/generate-sb-db-from-existing-certificate.sh b/scripts/generate-sb-db-from-existing-certificate.sh
index ddaf4c95..dddd9b5f 100755
--- a/scripts/generate-sb-db-from-existing-certificate.sh
+++ b/scripts/generate-sb-db-from-existing-certificate.sh
@@ -4,16 +4,16 @@ set -e
 
 name=${SB_NAME:-snakeoil}
 keydir=${SB_KEYDIR:-./keys}
-if [ ! -d  ${keydir} ]; then
-    mkdir -p ${keydir}
+if [ ! -d  "${keydir}" ]; then
+    mkdir -p "${keydir}"
 fi
 inkey=${INKEY:-/usr/share/ovmf/PkKek-1-snakeoil.key}
 incert=${INCERT:-/usr/share/ovmf/PkKek-1-snakeoil.pem}
 nick_name=${IN_NICK:-snakeoil}
 TMP=$(mktemp -d)
-mkdir -p ${keydir}/${name}certdb
-certutil -N --empty-password -d ${keydir}/${name}certdb
-openssl pkcs12 -export -out ${TMP}/foo_key.p12 -inkey $inkey  -in $incert  -name $nick_name
-pk12util -i ${TMP}/foo_key.p12 -d ${keydir}/${name}certdb
-cp $incert ${keydir}/$(basename $incert)
-rm -rf $TMP
+mkdir -p "${keydir}/${name}certdb"
+certutil -N --empty-password -d "${keydir}/${name}certdb"
+openssl pkcs12 -export -out "${TMP}/foo_key.p12" -inkey "$inkey" -in "$incert" -name "$nick_name"
+pk12util -i "${TMP}/foo_key.p12" -d "${keydir}/${name}certdb"
+cp "$incert" "${keydir}/$(basename "$incert")"
+rm -rf "$TMP"
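Review bot: The exported `foo_key.p12` holds the private key, and `rm -rf "$TMP"` on the last line is reached only if every command before it succeeds; with `set -e`, a failing `openssl` or `pk12util` call leaves the key material behind in the temporary directory. Registering the cleanup right after `TMP=$(mktemp -d)` with `trap 'rm -rf -- "$TMP"' EXIT` covers all exit paths, and the trailing `rm` can then go. Since `INCERT` comes from the environment, `cp -- "$incert" "${keydir}/$(basename -- "$incert")"` would also keep a value starting with `-` from being read as an option.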
diff --git a/scripts/generate_secure_boot_keys.sh b/scripts/generate_secure_boot_keys.sh
index 4988a689..8be05695 100755
--- a/scripts/generate_secure_boot_keys.sh
+++ b/scripts/generate_secure_boot_keys.sh
@@ -4,51 +4,51 @@ set -e
 
 name=${SB_NAME:-demo}
 keydir=${SB_KEYDIR:-./keys}
-if [ ! -d  ${keydir} ]; then
-    mkdir -p ${keydir}
+if [ ! -d "${keydir}" ]; then
+    mkdir -p "${keydir}"
 fi
 openssl req -new -x509 -newkey rsa:4096 -subj "/CN=${name}PK/" -outform PEM \
-        -keyout ${keydir}/${name}PK.key  -out ${keydir}/${name}PK.crt  -days 3650 -nodes -sha256
+        -keyout "${keydir}/${name}PK.key" -out "${keydir}/${name}PK.crt" -days 3650 -nodes -sha256
 openssl req -new -x509 -newkey rsa:4096 -subj "/CN=${name}KEK/" -outform PEM \
-        -keyout ${keydir}/${name}KEK.key -out ${keydir}/${name}KEK.crt -days 3650 -nodes -sha256
+        -keyout "${keydir}/${name}KEK.key" -out "${keydir}/${name}KEK.crt" -days 3650 -nodes -sha256
 openssl req -new -x509 -newkey rsa:4096 -subj "/CN=${name}DB/" -outform PEM \
-        -keyout ${keydir}/${name}DB.key  -out ${keydir}/${name}DB.crt  -days 3650 -nodes -sha256
-openssl x509 -in ${keydir}/${name}PK.crt  -out ${keydir}/${name}PK.cer  -outform DER
-openssl x509 -in ${keydir}/${name}KEK.crt -out ${keydir}/${name}KEK.cer -outform DER
-openssl x509 -in ${keydir}/${name}DB.crt  -out ${keydir}/${name}DB.cer  -outform DER
+        -keyout "${keydir}/${name}DB.key" -out "${keydir}/${name}DB.crt" -days 3650 -nodes -sha256
+openssl x509 -in "${keydir}/${name}PK.crt" -out "${keydir}/${name}PK.cer" -outform DER
+openssl x509 -in "${keydir}/${name}KEK.crt" -out "${keydir}/${name}KEK.cer" -outform DER
+openssl x509 -in "${keydir}/${name}DB.crt" -out "${keydir}/${name}DB.cer" -outform DER
 
-openssl pkcs12 -export -out ${keydir}/${name}DB.p12 \
-        -in ${keydir}/${name}DB.crt -inkey ${keydir}/${name}DB.key -passout pass:
+openssl pkcs12 -export -out "${keydir}/${name}DB.p12" \
+        -in "${keydir}/${name}DB.crt" -inkey "${keydir}/${name}DB.key" -passout pass:
 
 GUID=$(uuidgen --random)
-echo $GUID > ${keydir}/${name}GUID
-
-cert-to-efi-sig-list -g $GUID ${keydir}/${name}PK.crt  ${keydir}/${name}PK.esl
-cert-to-efi-sig-list -g $GUID ${keydir}/${name}KEK.crt ${keydir}/${name}KEK.esl
-cert-to-efi-sig-list -g $GUID ${keydir}/${name}DB.crt  ${keydir}/${name}DB.esl
-rm -f ${keydir}/${name}noPK.esl
-touch ${keydir}/${name}noPK.esl
-
-sign-efi-sig-list -g $GUID  \
-                  -k ${keydir}/${name}PK.key -c ${keydir}/${name}PK.crt \
-                  PK ${keydir}/${name}PK.esl   ${keydir}/${name}PK.auth
-sign-efi-sig-list -g $GUID  \
-                  -k ${keydir}/${name}PK.key -c ${keydir}/${name}PK.crt \
-                  PK ${keydir}/${name}noPK.esl ${keydir}/${name}noPK.auth
-sign-efi-sig-list -g $GUID  \
-                  -k ${keydir}/${name}PK.key -c ${keydir}/${name}PK.crt \
-                  KEK ${keydir}/${name}KEK.esl ${keydir}/${name}KEK.auth
-sign-efi-sig-list -g $GUID  \
-                  -k ${keydir}/${name}PK.key -c ${keydir}/${name}PK.crt \
-                  DB ${keydir}/${name}DB.esl ${keydir}/${name}DB.auth
-
-chmod 0600 ${keydir}/${name}*.key
-mkdir -p ${keydir}/${name}certdb
-certutil -N --empty-password -d ${keydir}/${name}certdb
-
-certutil -A -n 'PK' -d ${keydir}/${name}certdb -t CT,CT,CT -i ${keydir}/${name}PK.crt
-pk12util -W "" -d ${keydir}/${name}certdb -i ${keydir}/${name}DB.p12
-certutil -d ${keydir}/${name}certdb -A -i ${keydir}/${name}DB.crt -n "" -t u
-
-certutil -d ${keydir}/${name}certdb -K
-certutil -d ${keydir}/${name}certdb -L
+echo "$GUID" > "${keydir}/${name}GUID"
+
+cert-to-efi-sig-list -g "$GUID" "${keydir}/${name}PK.crt"  "${keydir}/${name}PK.esl"
+cert-to-efi-sig-list -g "$GUID" "${keydir}/${name}KEK.crt" "${keydir}/${name}KEK.esl"
+cert-to-efi-sig-list -g "$GUID" "${keydir}/${name}DB.crt"  "${keydir}/${name}DB.esl"
+rm -f "${keydir}/${name}noPK.esl"
+touch "${keydir}/${name}noPK.esl"
+
+sign-efi-sig-list -g "$GUID" \
+                  -k "${keydir}/${name}PK.key" -c "${keydir}/${name}PK.crt" \
+                  PK "${keydir}/${name}PK.esl" "${keydir}/${name}PK.auth"
+sign-efi-sig-list -g "$GUID" \
+                  -k "${keydir}/${name}PK.key" -c "${keydir}/${name}PK.crt" \
+                  PK "${keydir}/${name}noPK.esl" "${keydir}/${name}noPK.auth"
+sign-efi-sig-list -g "$GUID" \
+                  -k "${keydir}/${name}PK.key" -c "${keydir}/${name}PK.crt" \
+                  KEK "${keydir}/${name}KEK.esl" "${keydir}/${name}KEK.auth"
+sign-efi-sig-list -g "$GUID" \
+                  -k "${keydir}/${name}PK.key" -c "${keydir}/${name}PK.crt" \
+                  DB "${keydir}/${name}DB.esl" "${keydir}/${name}DB.auth"
+
+chmod 0600 "${keydir}/${name}"*.key
+mkdir -p "${keydir}/${name}certdb"
+certutil -N --empty-password -d "${keydir}/${name}certdb"
+
+certutil -A -n 'PK' -d "${keydir}/${name}certdb" -t CT,CT,CT -i "${keydir}/${name}PK.crt"
+pk12util -W "" -d "${keydir}/${name}certdb" -i "${keydir}/${name}DB.p12"
+certutil -d "${keydir}/${name}certdb" -A -i "${keydir}/${name}DB.crt" -n "" -t u
+
+certutil -d "${keydir}/${name}certdb" -K
+certutil -d "${keydir}/${name}certdb" -L
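Review bot: The three `openssl req ... -nodes` calls write unencrypted private keys with whatever mode the caller's umask gives, and `chmod 0600 "${keydir}/${name}"*.key` tightens them only near the end of the script; if any step in between fails under `set -e`, the keys stay at the default mode. A `umask 077` before the first `openssl req` removes that window and also covers `${name}DB.p12`, which carries the DB private key with an empty passphrase (`-passout pass:`) but is not matched by the `*.key` pattern. A short header comment stating that these are demo keys (the default `SB_NAME` is `demo`) and that the NSS database is created with `--empty-password` would help keep the script from being reused unchanged for production signing keys.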
diff --git a/scripts/start-efishell.sh b/scripts/start-efishell.sh
index cc8dc580..5ec85e07 100755
--- a/scripts/start-efishell.sh
+++ b/scripts/start-efishell.sh
@@ -10,6 +10,6 @@ qemu-system-x86_64 -enable-kvm -M q35 -nographic \
                    -global ICH9-LPC.disable_s3=1 \
                    -global isa-fdc.driveA= \
                    -boot menu=on \
-                   -drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
-                   -drive if=pflash,format=raw,file=${ovmf_vars} \
-                   -drive file=fat:rw:$DISK
+                   -drive if=pflash,format=raw,unit=0,readonly=on,file="${ovmf_code}" \
+                   -drive if=pflash,format=raw,file="${ovmf_vars}" \
+                   -drive file=fat:rw:"$DISK"
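Review bot: The new quotes stop the shell from splitting `ovmf_code`, `ovmf_vars` and `DISK`, but QEMU parses each `-drive` value itself and treats a comma as an option separator, so a path containing a comma would still be read as additional drive options. If these variables can come from the environment, double any commas before use, for example `DISK_ESC=$(printf '%s' "$DISK" | sed 's/,/,,/g')`, or reject such paths up front. The `qemu-system-x86_64` command line starts before this hunk, so where the variables are set is not visible here.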
-- 
2.35.3

