Set-up secure-boot signing for Debian
This commit is contained in:
parent
d8887bc8ce
commit
2e84160e65
13
.github/workflows/release.yml
vendored
13
.github/workflows/release.yml
vendored
|
@ -99,6 +99,19 @@ jobs:
|
||||||
# apply surface patches
|
# apply surface patches
|
||||||
for PATCH in ../../../patches/${KERNEL_VERSION%.*}/*.patch; do patch -p1 < ${PATCH}; done
|
for PATCH in ../../../patches/${KERNEL_VERSION%.*}/*.patch; do patch -p1 < ${PATCH}; done
|
||||||
|
|
||||||
|
- name: Setup secureboot certificate
|
||||||
|
env:
|
||||||
|
SB_KEY: ${{ secrets.SURFACE_SB_KEY }}
|
||||||
|
run: |
|
||||||
|
cd pkg
|
||||||
|
|
||||||
|
mkdir -o debian/linux/keys
|
||||||
|
|
||||||
|
# unlock/copy key and certificate
|
||||||
|
echo "$SB_KEY" | base64 -d > debian/linux/keys/MOK.key
|
||||||
|
cp keys/surface.crt debian/linux/keys/MOK.crt
|
||||||
|
|
||||||
|
|
||||||
- name: Configure
|
- name: Configure
|
||||||
run: |
|
run: |
|
||||||
cd pkg/debian/linux
|
cd pkg/debian/linux
|
||||||
|
|
|
@ -0,0 +1,87 @@
|
||||||
|
From 073fd9a84f681846f23b25721bef79eb92d06225 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Dorian Stoll <dorian.stoll@tmsp.io>
|
||||||
|
Date: Sun, 22 Sep 2019 22:44:16 +0200
|
||||||
|
Subject: [PATCH] Add secureboot pre-signing to the kernel
|
||||||
|
|
||||||
|
If it detects a secure boot certificate at `keys/MOK.key` and `keys/MOK.cer`,
|
||||||
|
the kernel Makefile will automatically sign the vmlinux / bzImage file that
|
||||||
|
gets generated, and that is then used in packaging.
|
||||||
|
|
||||||
|
By integrating it into the kernel build system directly, it is fully integrated
|
||||||
|
with targets like `make deb-pkg` (opposed to `make all`, sign, `make bindeb-pkg`)
|
||||||
|
and it gets added to every tree by the same mechanism that is used to apply the
|
||||||
|
other surface patches anyways.
|
||||||
|
|
||||||
|
Signed-off-by: Dorian Stoll <dorian.stoll@tmsp.io>
|
||||||
|
---
|
||||||
|
.gitignore | 3 +++
|
||||||
|
arch/x86/Makefile | 1 +
|
||||||
|
scripts/sign_kernel.sh | 30 ++++++++++++++++++++++++++++++
|
||||||
|
3 files changed, 34 insertions(+)
|
||||||
|
create mode 100755 scripts/sign_kernel.sh
|
||||||
|
|
||||||
|
diff --git a/.gitignore b/.gitignore
|
||||||
|
index 70580bdd352c..5043497f1509 100644
|
||||||
|
--- a/.gitignore
|
||||||
|
+++ b/.gitignore
|
||||||
|
@@ -133,6 +133,9 @@ signing_key.priv
|
||||||
|
signing_key.x509
|
||||||
|
x509.genkey
|
||||||
|
|
||||||
|
+# Secureboot certificate
|
||||||
|
+/keys/
|
||||||
|
+
|
||||||
|
# Kconfig presets
|
||||||
|
/all.config
|
||||||
|
/alldef.config
|
||||||
|
diff --git a/arch/x86/Makefile b/arch/x86/Makefile
|
||||||
|
index 94df0868804b..2c7b7829f0c2 100644
|
||||||
|
--- a/arch/x86/Makefile
|
||||||
|
+++ b/arch/x86/Makefile
|
||||||
|
@@ -284,6 +284,7 @@ endif
|
||||||
|
$(Q)$(MAKE) $(build)=$(boot) $(KBUILD_IMAGE)
|
||||||
|
$(Q)mkdir -p $(objtree)/arch/$(UTS_MACHINE)/boot
|
||||||
|
$(Q)ln -fsn ../../x86/boot/bzImage $(objtree)/arch/$(UTS_MACHINE)/boot/$@
|
||||||
|
+ $(Q)$(srctree)/scripts/sign_kernel.sh $(objtree)/arch/$(UTS_MACHINE)/boot/$@
|
||||||
|
|
||||||
|
$(BOOT_TARGETS): vmlinux
|
||||||
|
$(Q)$(MAKE) $(build)=$(boot) $@
|
||||||
|
diff --git a/scripts/sign_kernel.sh b/scripts/sign_kernel.sh
|
||||||
|
new file mode 100755
|
||||||
|
index 000000000000..ce8bf9185551
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/scripts/sign_kernel.sh
|
||||||
|
@@ -0,0 +1,30 @@
|
||||||
|
+#!/bin/bash
|
||||||
|
+# SPDX-License-Identifier: GPL-2.0
|
||||||
|
+
|
||||||
|
+# The path to the compiled kernel image is passed as the first argument
|
||||||
|
+BUILDDIR=$(dirname $(dirname $0))
|
||||||
|
+VMLINUX=$1
|
||||||
|
+
|
||||||
|
+# Keys are stored in a toplevel directory called keys
|
||||||
|
+# The following files need to be there:
|
||||||
|
+# * MOK.priv (private key)
|
||||||
|
+# * MOK.pem (public key)
|
||||||
|
+#
|
||||||
|
+# If the files don't exist, this script will do nothing.
|
||||||
|
+if [[ ! -f "$BUILDDIR/keys/MOK.key" ]]; then
|
||||||
|
+ exit 0
|
||||||
|
+fi
|
||||||
|
+if [[ ! -f "$BUILDDIR/keys/MOK.crt" ]]; then
|
||||||
|
+ exit 0
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+# Both required certificates were found. Check if sbsign is installed.
|
||||||
|
+echo "Keys for automatic secureboot signing found."
|
||||||
|
+if [[ ! -x "$(command -v sbsign)" ]]; then
|
||||||
|
+ echo "ERROR: sbsign not found!"
|
||||||
|
+ exit -2
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+# Sign the kernel
|
||||||
|
+sbsign --key $BUILDDIR/keys/MOK.key --cert $BUILDDIR/keys/MOK.crt \
|
||||||
|
+ --output $VMLINUX $VMLINUX
|
||||||
|
--
|
||||||
|
2.25.0
|
||||||
|
|
Loading…
Reference in a new issue