Remove accidentally added secureboot patch
This is handled on a per-package basis.
This commit is contained in:
Maximilian Luz
parent
f00fd157c3
commit
19ac02843f
|
|
@ -1,87 +0,0 @@
|
|||
From 8197665d00ec54ba9c29ccea0fda45c1cb916f25 Mon Sep 17 00:00:00 2001
|
||||
From: Dorian Stoll <dorian.stoll@tmsp.io>
|
||||
Date: Sun, 22 Sep 2019 22:44:16 +0200
|
||||
Subject: [PATCH] Add secureboot pre-signing to the kernel
|
||||
|
||||
If it detects a secure boot certificate at `keys/MOK.key` and `keys/MOK.cer`,
|
||||
the kernel Makefile will automatically sign the vmlinux / bzImage file that
|
||||
gets generated, and that is then used in packaging.
|
||||
|
||||
By integrating it into the kernel build system directly, it is fully integrated
|
||||
with targets like `make deb-pkg` (opposed to `make all`, sign, `make bindeb-pkg`)
|
||||
and it gets added to every tree by the same mechanism that is used to apply the
|
||||
other surface patches anyways.
|
||||
|
||||
Signed-off-by: Dorian Stoll <dorian.stoll@tmsp.io>
|
||||
---
|
||||
.gitignore | 3 +++
|
||||
arch/x86/Makefile | 1 +
|
||||
scripts/sign_kernel.sh | 30 ++++++++++++++++++++++++++++++
|
||||
3 files changed, 34 insertions(+)
|
||||
create mode 100755 scripts/sign_kernel.sh
|
||||
|
||||
diff --git a/.gitignore b/.gitignore
|
||||
index 7afd412dadd2..2733ab7e2182 100644
|
||||
--- a/.gitignore
|
||||
+++ b/.gitignore
|
||||
@@ -142,6 +142,9 @@ signing_key.priv
|
||||
signing_key.x509
|
||||
x509.genkey
|
||||
|
||||
+# Secureboot certificate
|
||||
+/keys/
|
||||
+
|
||||
# Kconfig presets
|
||||
/all.config
|
||||
/alldef.config
|
||||
diff --git a/arch/x86/Makefile b/arch/x86/Makefile
|
||||
index 42243869216d..493324129d92 100644
|
||||
--- a/arch/x86/Makefile
|
||||
+++ b/arch/x86/Makefile
|
||||
@@ -253,6 +253,7 @@ endif
|
||||
$(Q)$(MAKE) $(build)=$(boot) $(KBUILD_IMAGE)
|
||||
$(Q)mkdir -p $(objtree)/arch/$(UTS_MACHINE)/boot
|
||||
$(Q)ln -fsn ../../x86/boot/bzImage $(objtree)/arch/$(UTS_MACHINE)/boot/$@
|
||||
+ $(Q)$(srctree)/scripts/sign_kernel.sh $(objtree)/arch/$(UTS_MACHINE)/boot/$@
|
||||
|
||||
$(BOOT_TARGETS): vmlinux
|
||||
$(Q)$(MAKE) $(build)=$(boot) $@
|
||||
diff --git a/scripts/sign_kernel.sh b/scripts/sign_kernel.sh
|
||||
new file mode 100755
|
||||
index 000000000000..d2526a279254
|
||||
--- /dev/null
|
||||
+++ b/scripts/sign_kernel.sh
|
||||
@@ -0,0 +1,30 @@
|
||||
+#!/bin/sh
|
||||
+# SPDX-License-Identifier: GPL-2.0
|
||||
+
|
||||
+# The path to the compiled kernel image is passed as the first argument
|
||||
+BUILDDIR=$(dirname $(dirname $0))
|
||||
+VMLINUX=$1
|
||||
+
|
||||
+# Keys are stored in a toplevel directory called keys
|
||||
+# The following files need to be there:
|
||||
+# * MOK.priv (private key)
|
||||
+# * MOK.pem (public key)
|
||||
+#
|
||||
+# If the files don't exist, this script will do nothing.
|
||||
+if [ ! -f "$BUILDDIR/keys/MOK.key" ]; then
|
||||
+ exit 0
|
||||
+fi
|
||||
+if [ ! -f "$BUILDDIR/keys/MOK.crt" ]; then
|
||||
+ exit 0
|
||||
+fi
|
||||
+
|
||||
+# Both required certificates were found. Check if sbsign is installed.
|
||||
+echo "Keys for automatic secureboot signing found."
|
||||
+if [ ! -x "$(command -v sbsign)" ]; then
|
||||
+ echo "ERROR: sbsign not found!"
|
||||
+ exit -2
|
||||
+fi
|
||||
+
|
||||
+# Sign the kernel
|
||||
+sbsign --key $BUILDDIR/keys/MOK.key --cert $BUILDDIR/keys/MOK.crt \
|
||||
+ --output $VMLINUX $VMLINUX
|
||||
--
|
||||
2.35.1
|
||||
|
||||
Loading…
Reference in a new issue