From 59722538bfc1c500ba6124aca3533ff6811c6616 Mon Sep 17 00:00:00 2001
From: jinlun
Date: Thu, 5 Dec 2024 20:27:36 +0800
Subject: add the wget timeout mechanism and optimize the dim check the modsign script is optimized.
---
 secconf/check/check_dim | 3 ++-
 secconf/check/check_modsign | 4 ++--
 secconf/check/check_secure_boot | 2 +-
 secconf/gen/gen_modsign | 4 ++--
 secconf/gen/gen_secure_boot | 2 +-
 5 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/secconf/check/check_dim b/secconf/check/check_dim
index bfad32d..0166a97 100644
--- a/secconf/check/check_dim
+++ b/secconf/check/check_dim
@@ -82,7 +82,7 @@ dim_comm()
 else
 echo "Skip the baseline file consistency check."
 fi
-{{end}}{{ if .BaselineIsEnable }}
+{{end}}
 echo "Checking whether the DIM kernel module is loaded"
 lsmod | grep dim_monitor &> /dev/null
 if [ $? -eq 0 ]; then
@@ -98,6 +98,7 @@ dim_comm()
 echo "Error! dim_core is not loaded!"
 return 1
 fi
+{{ if .BaselineIsEnable }}
 echo "Checking if baseline is configured..."
 cat /sys/kernel/security/dim/monitor_ascii_runtime_measurements | wc -l | grep 2 &> /dev/null
 if [ $? -ne 0 ]; then
diff --git a/secconf/check/check_modsign b/secconf/check/check_modsign
index 99d7a00..143d319 100644
--- a/secconf/check/check_modsign
+++ b/secconf/check/check_modsign
@@ -7,7 +7,7 @@ modsign_comm()
 grub_path="/boot/efi/EFI/openEuler/grub.cfg"
 fi
 {{ if .Enable }}
- grep sig_enforce $grub_path &> /dev/null
+ grep "vmlinuz-$(uname -r) .*sig_enforce" $grub_path &> /dev/null
 if [ $? -eq 0 ]; then
 echo "Kernel Module Signature Verification has been configured."
 fi
@@ -18,7 +18,7 @@ modsign_comm()
 echo "Kernel Module Signature Verification hasn't benn activated. Please restart to activate!"
 fi
 {{ else }}
- grep sig_enforce $grub_path &> /dev/null
+ grep "vmlinuz-$(uname -r) .*sig_enforce" $grub_path &> /dev/null
 if [ $? -eq 0 ]; then
 echo "Kernel Module Signature Verification is not disable."
 fi
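Review bot: The baseline check that the added `{{ if .BaselineIsEnable }}` now guards tests the measurement log with `wc -l | grep 2`, which matches any line count containing the digit 2 (12, 20, 200), so a log with more entries than expected still reads as "configured". If the intent is exactly two measurement lines, compare the number instead: `[ "$(wc -l < /sys/kernel/security/dim/monitor_ascii_runtime_measurements)" -eq 2 ]`. The `lsmod | grep dim_monitor` test in the first hunk likewise matches on substrings; `grep -q '^dim_monitor '` would only accept that module. The `{{end}}` closing the new conditional and the rest of dim_comm lie outside both hunks.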
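Review bot: The new grep in both hunks, `grep "vmlinuz-$(uname -r) .*sig_enforce" $grub_path`, leaves `$grub_path` unquoted while the sed line in gen_modsign quotes it as `"${grub_path}"`; gen_modsign's grep carries the same unquoted form. The dots in the `uname -r` output are regex metacharacters, so the match is looser than the literal version string, and the pattern only examines the running kernel's entry — if grub's default entry is a different kernel the verdict may not describe the next boot (inferred; entry selection is not visible here). A tighter form that also drops the separate `$?` test is `if grep -q -- "vmlinuz-$(uname -r) .*sig_enforce" "$grub_path"; then`. modsign_comm starts before the first hunk and continues after the second.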
diff --git a/secconf/check/check_secure_boot b/secconf/check/check_secure_boot
index 22d5590..587deaf 100644
--- a/secconf/check/check_secure_boot
+++ b/secconf/check/check_secure_boot
@@ -16,7 +16,7 @@ secure_boot_comm()
 if [ ! -s /boot/efi/EFI/secure_boot.der ]; then
 get_usr_input "Secure Boot certificate of openeuler is about to be downloaded?【Y/N】"
 if [ $? -eq 1 ]; then
- wget -O /boot/efi/EFI/secure_boot.der https://www.openeuler.org/certificates/openEuler-x509ca.cer.der --no-check-certificate &> /dev/null
+ wget -O /boot/efi/EFI/secure_boot.der https://www.openeuler.org/certificates/openEuler-x509ca.cer.der --no-check-certificate --timeout=30 --tries=3 &> /dev/null
 if [ $? -ne 0 ]; then
 echo "Secure Boot cerificate download failed,Please obtain the certificate in other ways"
 return 1
diff --git a/secconf/gen/gen_modsign b/secconf/gen/gen_modsign
index 2917ea1..dc20ee3 100644
--- a/secconf/gen/gen_modsign
+++ b/secconf/gen/gen_modsign
@@ -6,14 +6,14 @@ modsign_comm()
 else
 grub_path="/boot/efi/EFI/openEuler/grub.cfg"
 fi
- grep sig_enforce $grub_path &> /dev/null
+ grep "vmlinuz-$(uname -r) .*sig_enforce" $grub_path &> /dev/null
 {{ if .Enable }}
 if [ $? -eq 0 ]; then
 echo "Kernel module verification has been set and does not need to be set again."
 else
 get_usr_input "Check whether the grub.cfg file is modified to enable forcible signature verification in the kernel.【Y/N】"
 if [ $? -eq 1 ]; then
- sed -i '/vmlinuz/s/$/ module\.sig_enforce/' $grub_path
+ sed -i "/vmlinuz-$(uname -r)/ s/$/ module\.sig_enforce/" "${grub_path}"
 if [ $? -eq 0 ]; then
 echo "The kernel module verification is successful when the OS is started. The verification takes effect after the OS is restarted."
 else
diff --git a/secconf/gen/gen_secure_boot b/secconf/gen/gen_secure_boot
index 9ace5e0..bd78d7e 100644
--- a/secconf/gen/gen_secure_boot
+++ b/secconf/gen/gen_secure_boot
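Review bot: The added `--timeout=30 --tries=3` bounds the download, but the line still passes `--no-check-certificate`, so the file that becomes the Secure Boot certificate at /boot/efi/EFI/secure_boot.der is fetched without verifying the server's TLS identity and an on-path network party could substitute it. Because the file is a trust anchor, drop `--no-check-certificate` if the host's TLS certificate validates on the target systems (to be confirmed), or check the downloaded file against a pinned fingerprint before it is used. `wget -O` also leaves a partial file in place when the last retry fails, and the `[ ! -s ... ]` guard on the first context line would then skip the download on the next run; writing to a temporary path and moving it into place only on success avoids that. The same line, with the same flags, is in gen_secure_boot's hunk. secure_boot_comm continues outside the hunk.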
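Review bot: The success message after the new `sed -i "/vmlinuz-$(uname -r)/ s/$/ module\.sig_enforce/" "${grub_path}"` is printed whenever sed exits 0, and sed -i returns 0 even when no line matched the address, so a grub.cfg whose entries name a kernel other than `uname -r` gets "The kernel module verification is successful" without any edit. Re-running the grep from the top of the hunk after the sed, e.g. `grep -q -- "vmlinuz-$(uname -r) .*sig_enforce" "${grub_path}" || return 1`, would make the message follow the actual file state. Editing grub.cfg in place is presumably undone by the next grub2-mkconfig run; if so, GRUB_CMDLINE_LINUX in /etc/default/grub is the durable place for the parameter (whether that is handled elsewhere is not visible here). modsign_comm continues outside the hunk.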
@@ -20,7 +20,7 @@ secure_boot_comm()
 else
 get_usr_input "Download the openeuler secure boot certificate right now?【Y/N】"
 if [ $? -eq 1 ]; then
- wget -O /boot/efi/EFI/secure_boot.der https://www.openeuler.org/certificates/openEuler-x509ca.cer.der --no-check-certificate
+ wget -O /boot/efi/EFI/secure_boot.der https://www.openeuler.org/certificates/openEuler-x509ca.cer.der --no-check-certificate --timeout=30 --tries=3 &> /dev/null
 if [ $? -ne 0 ]; then
 echo "Certificate downloaded failed. Please obtain the certificate manually!"
 return 1
--
2.33.0
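Review bot: The `&> /dev/null` newly appended to the wget line here discards wget's own diagnostic, so the following "Certificate downloaded failed" message no longer tells the operator whether the cause was the 30-second timeout, a name-resolution failure or an HTTP error. Keeping stdout quiet while letting stderr through, `wget ... --timeout=30 --tries=3 >/dev/null`, or capturing stderr into the message, preserves that information. secure_boot_comm continues outside the hunk.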