beenull/linux-surface
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

pkg/debian: Replace dangling symlink

Browse source
This commit is contained in:
Maximilian Luz 2023-06-14 13:11:58 +02:00
parent fe387a5685
commit 130f855120
No known key found for this signature in database
GPG key ID: 70EC0937F6C26F02
1 changed files with 87 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
pkg/debian/kernel/0001-Add-secureboot-pre-signing-to-the-kernel.patch
View file

@ -1 +0,0 @@
../../fedora/kernel-surface/0001-Add-secureboot-pre-signing-to-the-kernel.patch

87
pkg/debian/kernel/0001-Add-secureboot-pre-signing-to-the-kernel.patch Normal file
View file

@ -0,0 +1,87 @@
From deb1109883e7a969c1532e10efdb2c55d64f4b9c Mon Sep 17 00:00:00 2001
From: Dorian Stoll <dorian.stoll@tmsp.io>
Date: Sun, 22 Sep 2019 22:44:16 +0200
Subject: [PATCH] Add secureboot pre-signing to the kernel
If it detects a secure boot certificate at `keys/MOK.key` and `keys/MOK.cer`,
the kernel Makefile will automatically sign the vmlinux / bzImage file that
gets generated, and that is then used in packaging.
By integrating it into the kernel build system directly, it is fully integrated
with targets like `make deb-pkg` (opposed to `make all`, sign, `make bindeb-pkg`)
and it gets added to every tree by the same mechanism that is used to apply the
other surface patches anyways.
Signed-off-by: Dorian Stoll <dorian.stoll@tmsp.io>
---
.gitignore | 3 +++
arch/x86/Makefile | 1 +
scripts/sign_kernel.sh | 30 ++++++++++++++++++++++++++++++
3 files changed, 34 insertions(+)
create mode 100755 scripts/sign_kernel.sh
diff --git a/.gitignore b/.gitignore
index 70ec6037fa7a..9097532c1a1a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -151,6 +151,9 @@ signing_key.priv
signing_key.x509
x509.genkey
+# Secureboot certificate
+/keys/
+
# Kconfig presets
/all.config
/alldef.config
diff --git a/arch/x86/Makefile b/arch/x86/Makefile
index b39975977c03..30adea5508d6 100644
--- a/arch/x86/Makefile
+++ b/arch/x86/Makefile
@@ -283,6 +283,7 @@ endif
$(Q)$(MAKE) $(build)=$(boot) $(KBUILD_IMAGE)
$(Q)mkdir -p $(objtree)/arch/$(UTS_MACHINE)/boot
$(Q)ln -fsn ../../x86/boot/bzImage $(objtree)/arch/$(UTS_MACHINE)/boot/$@
+ $(Q)$(srctree)/scripts/sign_kernel.sh $(objtree)/arch/$(UTS_MACHINE)/boot/$@
$(BOOT_TARGETS): vmlinux
$(Q)$(MAKE) $(build)=$(boot) $@
diff --git a/scripts/sign_kernel.sh b/scripts/sign_kernel.sh
new file mode 100755
index 000000000000..d2526a279254
--- /dev/null
+++ b/scripts/sign_kernel.sh
@@ -0,0 +1,30 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0
+
+# The path to the compiled kernel image is passed as the first argument
+BUILDDIR=$(dirname $(dirname $0))
+VMLINUX=$1
+
+# Keys are stored in a toplevel directory called keys
+# The following files need to be there:
+# * MOK.priv (private key)
+# * MOK.pem (public key)
+#
+# If the files don't exist, this script will do nothing.
+if [ ! -f "$BUILDDIR/keys/MOK.key" ]; then
+ exit 0
+fi
+if [ ! -f "$BUILDDIR/keys/MOK.crt" ]; then
+ exit 0
+fi
+
+# Both required certificates were found. Check if sbsign is installed.
+echo "Keys for automatic secureboot signing found."
+if [ ! -x "$(command -v sbsign)" ]; then
+ echo "ERROR: sbsign not found!"
+ exit -2
+fi
+
+# Sign the kernel
+sbsign --key $BUILDDIR/keys/MOK.key --cert $BUILDDIR/keys/MOK.crt \
+ --output $VMLINUX $VMLINUX
--
2.41.0