From 130f855120487612748a32b45050e454cc1ada1d Mon Sep 17 00:00:00 2001
From: Maximilian Luz
Date: Wed, 14 Jun 2023 13:11:58 +0200
Subject: [PATCH] pkg/debian: Replace dangling symlink
---
...secureboot-pre-signing-to-the-kernel.patch | 88 ++++++++++++++++++-
1 file changed, 87 insertions(+), 1 deletion(-)
mode change 120000 => 100644 pkg/debian/kernel/0001-Add-secureboot-pre-signing-to-the-kernel.patch
diff --git a/pkg/debian/kernel/0001-Add-secureboot-pre-signing-to-the-kernel.patch b/pkg/debian/kernel/0001-Add-secureboot-pre-signing-to-the-kernel.patch
deleted file mode 120000
index 26c95bad7..000000000
--- a/pkg/debian/kernel/0001-Add-secureboot-pre-signing-to-the-kernel.patch
+++ /dev/null
@@ -1 +0,0 @@
-../../fedora/kernel-surface/0001-Add-secureboot-pre-signing-to-the-kernel.patch
\ No newline at end of file
diff --git a/pkg/debian/kernel/0001-Add-secureboot-pre-signing-to-the-kernel.patch b/pkg/debian/kernel/0001-Add-secureboot-pre-signing-to-the-kernel.patch
new file mode 100644
index 000000000..eb7ebeeff
--- /dev/null
+++ b/pkg/debian/kernel/0001-Add-secureboot-pre-signing-to-the-kernel.patch
@@ -0,0 +1,87 @@
+From deb1109883e7a969c1532e10efdb2c55d64f4b9c Mon Sep 17 00:00:00 2001
+From: Dorian Stoll
+Date: Sun, 22 Sep 2019 22:44:16 +0200
+Subject: [PATCH] Add secureboot pre-signing to the kernel
+
+If it detects a secure boot certificate at `keys/MOK.key` and `keys/MOK.cer`,
+the kernel Makefile will automatically sign the vmlinux / bzImage file that
+gets generated, and that is then used in packaging.
+
+By integrating it into the kernel build system directly, it is fully integrated
+with targets like `make deb-pkg` (opposed to `make all`, sign, `make bindeb-pkg`)
+and it gets added to every tree by the same mechanism that is used to apply the
+other surface patches anyways.
+
+Signed-off-by: Dorian Stoll
+---
+ .gitignore | 3 +++
+ arch/x86/Makefile | 1 +
+ scripts/sign_kernel.sh | 30 ++++++++++++++++++++++++++++++
+ 3 files changed, 34 insertions(+)
+ create mode 100755 scripts/sign_kernel.sh
+
+diff --git a/.gitignore b/.gitignore
+index 70ec6037fa7a..9097532c1a1a 100644
+--- a/.gitignore
++++ b/.gitignore
+@@ -151,6 +151,9 @@ signing_key.priv
+ signing_key.x509
+ x509.genkey
+
++# Secureboot certificate
++/keys/
++
+ # Kconfig presets
+ /all.config
+ /alldef.config
+diff --git a/arch/x86/Makefile b/arch/x86/Makefile
+index b39975977c03..30adea5508d6 100644
+--- a/arch/x86/Makefile
++++ b/arch/x86/Makefile
+@@ -283,6 +283,7 @@ endif
+ $(Q)$(MAKE) $(build)=$(boot) $(KBUILD_IMAGE)
+ $(Q)mkdir -p $(objtree)/arch/$(UTS_MACHINE)/boot
+ $(Q)ln -fsn ../../x86/boot/bzImage $(objtree)/arch/$(UTS_MACHINE)/boot/$@
++ $(Q)$(srctree)/scripts/sign_kernel.sh $(objtree)/arch/$(UTS_MACHINE)/boot/$@
+
+ $(BOOT_TARGETS): vmlinux
+ $(Q)$(MAKE) $(build)=$(boot) $@
+diff --git a/scripts/sign_kernel.sh b/scripts/sign_kernel.sh
+new file mode 100755
+index 000000000000..d2526a279254
+--- /dev/null
++++ b/scripts/sign_kernel.sh
+@@ -0,0 +1,30 @@
++#!/bin/sh
++# SPDX-License-Identifier: GPL-2.0
++
++# The path to the compiled kernel image is passed as the first argument
++BUILDDIR=$(dirname $(dirname $0))
++VMLINUX=$1
++
++# Keys are stored in a toplevel directory called keys
++# The following files need to be there:
++# * MOK.priv (private key)
++# * MOK.pem (public key)
++#
++# If the files don't exist, this script will do nothing.
++if [ ! -f "$BUILDDIR/keys/MOK.key" ]; then
++ exit 0
++fi
++if [ ! -f "$BUILDDIR/keys/MOK.crt" ]; then
++ exit 0
++fi
++
++# Both required certificates were found. Check if sbsign is installed.
++echo "Keys for automatic secureboot signing found."
++if [ ! -x "$(command -v sbsign)" ]; then
++ echo "ERROR: sbsign not found!"
++ exit -2
++fi
++
++# Sign the kernel
++sbsign --key $BUILDDIR/keys/MOK.key --cert $BUILDDIR/keys/MOK.crt \
++ --output $VMLINUX $VMLINUX
+--
+2.41.0
+
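Review bot: The header comment in the added scripts/sign_kernel.sh names the key files `MOK.priv` and `MOK.pem`, and the embedded commit message says `keys/MOK.cer`, but the two `-f` tests and the sbsign call use `MOK.key` and `MOK.crt`. Because a missing file ends the script with `exit 0` and no message, a key pair named as documented yields an unsigned image that is likely to go unnoticed until boot; the comment lines should read `# * MOK.key (private key)` and `# * MOK.crt (certificate)`. The expansions `$0`, `$1`, `$BUILDDIR` and `$VMLINUX` are unquoted in the `dirname` and `sbsign` lines, so a tree path containing spaces would be split into several arguments. `exit -2` is outside the 0–255 range POSIX sh defines and dash rejects it as an illegal number, so `exit 2` states the intent portably.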