beenull/linux-surface
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity
linux-surface/pkg/fedora/kernel-surface/secureboot/0001-secureboot.patch
Dorian Stoll 69db543758
pkg: fedora: Update to 6.8
2024-03-16 23:07:58 +01:00

61 lines
2.2 KiB
Diff
Raw Blame History

From d4bbfbfee98f8b117885cf88a48f686ac889d73e Mon Sep 17 00:00:00 2001
From: Dorian Stoll <dorian.stoll@tmsp.io>
Date: Sat, 22 Jul 2023 10:45:33 +0200
Subject: [PATCH] Use a custom key and certificate for Secure Boot signing
Signed-off-by: Dorian Stoll <dorian.stoll@tmsp.io>
---
redhat/kernel.spec.template | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template
index 0fb19cc23041..d7bd6013423c 100644
--- a/redhat/kernel.spec.template
+++ b/redhat/kernel.spec.template
@@ -762,6 +762,7 @@ BuildRequires: system-sb-certs
%ifarch x86_64 aarch64
BuildRequires: nss-tools
BuildRequires: pesign >= 0.10-4
+BuildRequires: sbsigntools
%endif
%endif
%endif
@@ -821,6 +822,13 @@ Source2: kernel.changelog
%define signing_key_filename kernel-signing-s390.cer
%endif
+%ifarch x86_64 aarch64
+
+Source7001: MOK.key
+Source7002: MOK.crt
+
+%endif
+
%if %{?released_kernel}
Source10: redhatsecurebootca5.cer
@@ -2201,9 +2209,7 @@ BuildKernel() {
%ifarch x86_64 aarch64
%{log_msg "Sign kernel image"}
- %pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
- %pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1}
- rm vmlinuz.tmp
+ sbsign --key %{SOURCE7001} --cert %{SOURCE7002} --output vmlinuz.signed $SignImage
%endif
%ifarch s390x ppc64le
if [ -x /usr/bin/rpm-sign ]; then
@@ -2783,9 +2789,6 @@ BuildKernel() {
%{log_msg "Install certs"}
mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
%ifarch x86_64 aarch64
- install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer
- install -m 0644 %{secureboot_ca_1} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer
- ln -s kernel-signing-ca-20200609.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
%else
install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
%endif
--
2.44.0
Reference in a new issue View git blame Copy permalink