From 2e84160e65d15676c26a1d2a9c80d2b3cd05cbd5 Mon Sep 17 00:00:00 2001
From: Maximilian Luz
Date: Mon, 20 Jan 2020 22:42:19 +0100
Subject: [PATCH] Set-up secure-boot signing for Debian

---
 .github/workflows/release.yml | 13 +++
 ...secureboot-pre-signing-to-the-kernel.patch | 87 +++++++++++++++++++
 2 files changed, 100 insertions(+)
 create mode 100644 pkg/debian/0002-Add-secureboot-pre-signing-to-the-kernel.patch

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 751a576af..6e9139537 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -99,6 +99,19 @@ jobs:
 # apply surface patches
 for PATCH in ../../../patches/${KERNEL_VERSION%.*}/*.patch; do patch -p1 < ${PATCH}; done
 
+ - name: Setup secureboot certificate
+ env:
+ SB_KEY: ${{ secrets.SURFACE_SB_KEY }}
+ run: |
+ cd pkg
+
+ mkdir -o debian/linux/keys
+
+ # unlock/copy key and certificate
+ echo "$SB_KEY" | base64 -d > debian/linux/keys/MOK.key
+ cp keys/surface.crt debian/linux/keys/MOK.crt
+
 - name: Configure
 run: |
 cd pkg/debian/linux
diff --git a/pkg/debian/0002-Add-secureboot-pre-signing-to-the-kernel.patch b/pkg/debian/0002-Add-secureboot-pre-signing-to-the-kernel.patch
new file mode 100644
index 000000000..6cc3f3b3f
--- /dev/null
+++ b/pkg/debian/0002-Add-secureboot-pre-signing-to-the-kernel.patch
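Review bot: `mkdir -o debian/linux/keys` in the new "Setup secureboot certificate" step is not a valid option for GNU or BSD `mkdir` (there is no `-o`), so on the runner the step would error out before the key is ever written; the intended line is almost certainly `mkdir -p debian/linux/keys`. The decoded private key is then created with the runner's default umask, so I would add `umask 077` before the `base64 -d` redirect (or `chmod 600 debian/linux/keys/MOK.key` after it) and a trailing cleanup step that removes `debian/linux/keys` once packaging is done, so the key does not linger in the workspace or in any artifact uploaded later. The kernel-side patch in this commit ignores `/keys/` in git, but `make deb-pkg` builds its source tarball from the working tree, so whether the key directory could be captured into the source package is worth confirming; the rest of the job's steps are outside this hunk.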
@@ -0,0 +1,87 @@
+From 073fd9a84f681846f23b25721bef79eb92d06225 Mon Sep 17 00:00:00 2001
+From: Dorian Stoll
+Date: Sun, 22 Sep 2019 22:44:16 +0200
+Subject: [PATCH] Add secureboot pre-signing to the kernel
+
+If it detects a secure boot certificate at `keys/MOK.key` and `keys/MOK.cer`,
+the kernel Makefile will automatically sign the vmlinux / bzImage file that
+gets generated, and that is then used in packaging.
+
+By integrating it into the kernel build system directly, it is fully integrated
+with targets like `make deb-pkg` (opposed to `make all`, sign, `make bindeb-pkg`)
+and it gets added to every tree by the same mechanism that is used to apply the
+other surface patches anyways.
+
+Signed-off-by: Dorian Stoll
+---
+ .gitignore | 3 +++
+ arch/x86/Makefile | 1 +
+ scripts/sign_kernel.sh | 30 ++++++++++++++++++++++++++++++
+ 3 files changed, 34 insertions(+)
+ create mode 100755 scripts/sign_kernel.sh
+
+diff --git a/.gitignore b/.gitignore
+index 70580bdd352c..5043497f1509 100644
+--- a/.gitignore
++++ b/.gitignore
+@@ -133,6 +133,9 @@ signing_key.priv
+ signing_key.x509
+ x509.genkey
+
++# Secureboot certificate
++/keys/
++
+ # Kconfig presets
+ /all.config
+ /alldef.config
+diff --git a/arch/x86/Makefile b/arch/x86/Makefile
+index 94df0868804b..2c7b7829f0c2 100644
+--- a/arch/x86/Makefile
++++ b/arch/x86/Makefile
+@@ -284,6 +284,7 @@ endif
+ $(Q)$(MAKE) $(build)=$(boot) $(KBUILD_IMAGE)
+ $(Q)mkdir -p $(objtree)/arch/$(UTS_MACHINE)/boot
+ $(Q)ln -fsn ../../x86/boot/bzImage $(objtree)/arch/$(UTS_MACHINE)/boot/$@
++ $(Q)$(srctree)/scripts/sign_kernel.sh $(objtree)/arch/$(UTS_MACHINE)/boot/$@
+
+ $(BOOT_TARGETS): vmlinux
+ $(Q)$(MAKE) $(build)=$(boot) $@
+diff --git a/scripts/sign_kernel.sh b/scripts/sign_kernel.sh
+new file mode 100755
+index 000000000000..ce8bf9185551
+--- /dev/null
++++ b/scripts/sign_kernel.sh
+@@ -0,0 +1,30 @@
++#!/bin/bash
++# SPDX-License-Identifier: GPL-2.0
++
++# The path to the compiled kernel image is passed as the first argument
++BUILDDIR=$(dirname $(dirname $0))
++VMLINUX=$1
++
++# Keys are stored in a toplevel directory called keys
++# The following files need to be there:
++# * MOK.priv (private key)
++# * MOK.pem (public key)
++#
++# If the files don't exist, this script will do nothing.
++if [[ ! -f "$BUILDDIR/keys/MOK.key" ]]; then
++ exit 0
++fi
++if [[ ! -f "$BUILDDIR/keys/MOK.crt" ]]; then
++ exit 0
++fi
++
++# Both required certificates were found. Check if sbsign is installed.
++echo "Keys for automatic secureboot signing found."
++if [[ ! -x "$(command -v sbsign)" ]]; then
++ echo "ERROR: sbsign not found!"
++ exit -2
++fi
++
++# Sign the kernel
++sbsign --key $BUILDDIR/keys/MOK.key --cert $BUILDDIR/keys/MOK.crt \
++ --output $VMLINUX $VMLINUX
+-- 
+2.25.0
+
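Review bot: The header comment of the embedded `scripts/sign_kernel.sh` names the key files `MOK.priv` and `MOK.pem`, while the existence checks and the `sbsign` call use `keys/MOK.key` and `keys/MOK.crt` (and the embedded commit message says `keys/MOK.cer`); since the script exits 0 silently when either file is missing, a reader who follows the comment gets an unsigned kernel with no error, so the two comment lines should read `# * MOK.key (private key)` and `# * MOK.crt (certificate)`, and the silent path deserves at least an `echo "No secureboot keys found, skipping signing."` so CI logs show which case ran. The `sbsign` line and the `dirname` calls leave `$BUILDDIR`, `$VMLINUX` and `$0` unquoted, which breaks on paths containing spaces; quoting them costs nothing. `exit -2` is reported by bash as status 254, so a positive code such as `exit 2` is clearer to callers. Passing the same path to `--output` and as the input means a failing `sbsign` can leave a damaged image at exactly the path that packaging picks up; writing to `"$VMLINUX.signed"` and renaming over the original afterwards would keep that step atomic (whether `sbsign` buffers its input before writing is not visible here).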