diff --git a/pkg/debian/0001-Add-secureboot-pre-signing-to-the-kernel.patch b/pkg/debian/0001-Add-secureboot-pre-signing-to-the-kernel.patch
new file mode 120000
index 000000000..7d1a09948
--- /dev/null
+++ b/pkg/debian/0001-Add-secureboot-pre-signing-to-the-kernel.patch
@@ -0,0 +1 @@
+../fedora/kernel-surface/0001-Add-secureboot-pre-signing-to-the-kernel.patch
\ No newline at end of file
diff --git a/pkg/debian/0002-Add-secureboot-pre-signing-to-the-kernel.patch b/pkg/debian/0002-Add-secureboot-pre-signing-to-the-kernel.patch
deleted file mode 100644
index 6cc3f3b3f..000000000
--- a/pkg/debian/0002-Add-secureboot-pre-signing-to-the-kernel.patch
+++ /dev/null
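Review bot: The content of the Secure Boot signing patch that Debian builds will now apply cannot be checked from this diff, because the new `pkg/debian/0001-Add-secureboot-pre-signing-to-the-kernel.patch` in the first hunk is only a symlink (mode 120000) into `../fedora/kernel-surface/`; confirm that the Fedora copy matches the Debian copy deleted in the following hunk. The link resolves only when the whole `pkg/` tree is checked out with symlinks enabled; if `pkg/debian` is copied or archived on its own, or checked out with `core.symlinks=false`, the patch step sees a dangling link or a one-line text file instead of a patch. Presumably the Debian build applies every `*.patch` in this directory; if so, a guard such as `[ -f "$p" ] || { echo "missing patch: $p" >&2; exit 1; }` (with `$p` standing for each patch path) before applying would stop the build rather than risk a kernel built without the signing step. Swapping the 0001/0002 prefixes also changes the application order, which is harmless only if the two patches touch disjoint files.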
@@ -1,87 +0,0 @@
-From 073fd9a84f681846f23b25721bef79eb92d06225 Mon Sep 17 00:00:00 2001
-From: Dorian Stoll
-Date: Sun, 22 Sep 2019 22:44:16 +0200
-Subject: [PATCH] Add secureboot pre-signing to the kernel
-
-If it detects a secure boot certificate at `keys/MOK.key` and `keys/MOK.cer`,
-the kernel Makefile will automatically sign the vmlinux / bzImage file that
-gets generated, and that is then used in packaging.
-
-By integrating it into the kernel build system directly, it is fully integrated
-with targets like `make deb-pkg` (opposed to `make all`, sign, `make bindeb-pkg`)
-and it gets added to every tree by the same mechanism that is used to apply the
-other surface patches anyways.
-
-Signed-off-by: Dorian Stoll
----
- .gitignore | 3 +++
- arch/x86/Makefile | 1 +
- scripts/sign_kernel.sh | 30 ++++++++++++++++++++++++++++++
- 3 files changed, 34 insertions(+)
- create mode 100755 scripts/sign_kernel.sh
-
-diff --git a/.gitignore b/.gitignore
-index 70580bdd352c..5043497f1509 100644
---- a/.gitignore
-+++ b/.gitignore
-@@ -133,6 +133,9 @@ signing_key.priv
- signing_key.x509
- x509.genkey
-
-+# Secureboot certificate
-+/keys/
-+
- # Kconfig presets
- /all.config
- /alldef.config
-diff --git a/arch/x86/Makefile b/arch/x86/Makefile
-index 94df0868804b..2c7b7829f0c2 100644
---- a/arch/x86/Makefile
-+++ b/arch/x86/Makefile
-@@ -284,6 +284,7 @@ endif
- $(Q)$(MAKE) $(build)=$(boot) $(KBUILD_IMAGE)
- $(Q)mkdir -p $(objtree)/arch/$(UTS_MACHINE)/boot
- $(Q)ln -fsn ../../x86/boot/bzImage $(objtree)/arch/$(UTS_MACHINE)/boot/$@
-+ $(Q)$(srctree)/scripts/sign_kernel.sh $(objtree)/arch/$(UTS_MACHINE)/boot/$@
-
- $(BOOT_TARGETS): vmlinux
- $(Q)$(MAKE) $(build)=$(boot) $@
-diff --git a/scripts/sign_kernel.sh b/scripts/sign_kernel.sh
-new file mode 100755
-index 000000000000..ce8bf9185551
---- /dev/null
-+++ b/scripts/sign_kernel.sh
-@@ -0,0 +1,30 @@
-+#!/bin/bash
-+# SPDX-License-Identifier: GPL-2.0
-+
-+# The path to the compiled kernel image is passed as the first argument
-+BUILDDIR=$(dirname $(dirname $0))
-+VMLINUX=$1
-+
-+# Keys are stored in a toplevel directory called keys
-+# The following files need to be there:
-+# * MOK.priv (private key)
-+# * MOK.pem (public key)
-+#
-+# If the files don't exist, this script will do nothing.
-+if [[ ! -f "$BUILDDIR/keys/MOK.key" ]]; then
-+ exit 0
-+fi
-+if [[ ! -f "$BUILDDIR/keys/MOK.crt" ]]; then
-+ exit 0
-+fi
-+
-+# Both required certificates were found. Check if sbsign is installed.
-+echo "Keys for automatic secureboot signing found."
-+if [[ ! -x "$(command -v sbsign)" ]]; then
-+ echo "ERROR: sbsign not found!"
-+ exit -2
-+fi
-+
-+# Sign the kernel
-+sbsign --key $BUILDDIR/keys/MOK.key --cert $BUILDDIR/keys/MOK.crt \
-+ --output $VMLINUX $VMLINUX
---
-2.25.0
-
diff --git a/pkg/debian/0001-Version-changes-for-linux-surface-debian-package.patch b/pkg/debian/0002-Version-changes-for-linux-surface-debian-package.patch
similarity index 100%
rename from pkg/debian/0001-Version-changes-for-linux-surface-debian-package.patch
rename to pkg/debian/0002-Version-changes-for-linux-surface-debian-package.patch