|
@@ -0,0 +1,87 @@
|
|
|
|
|
+From deb1109883e7a969c1532e10efdb2c55d64f4b9c Mon Sep 17 00:00:00 2001
|
|
|
|
|
+From: Dorian Stoll <dorian.stoll@tmsp.io>
|
|
|
|
|
+Date: Sun, 22 Sep 2019 22:44:16 +0200
|
|
|
|
|
+Subject: [PATCH] Add secureboot pre-signing to the kernel
|
|
|
|
|
+
|
|
|
|
|
+If it detects a secure boot certificate at `keys/MOK.key` and `keys/MOK.cer`,
|
|
|
|
|
+the kernel Makefile will automatically sign the vmlinux / bzImage file that
|
|
|
|
|
+gets generated, and that is then used in packaging.
|
|
|
|
|
+
|
|
|
|
|
+By integrating it into the kernel build system directly, it is fully integrated
|
|
|
|
|
+with targets like `make deb-pkg` (opposed to `make all`, sign, `make bindeb-pkg`)
|
|
|
|
|
+and it gets added to every tree by the same mechanism that is used to apply the
|
|
|
|
|
+other surface patches anyways.
|
|
|
|
|
+
|
|
|
|
|
+Signed-off-by: Dorian Stoll <dorian.stoll@tmsp.io>
|
|
|
|
|
+---
|
|
|
|
|
+ .gitignore | 3 +++
|
|
|
|
|
+ arch/x86/Makefile | 1 +
|
|
|
|
|
+ scripts/sign_kernel.sh | 30 ++++++++++++++++++++++++++++++
|
|
|
|
|
+ 3 files changed, 34 insertions(+)
|
|
|
|
|
+ create mode 100755 scripts/sign_kernel.sh
|
|
|
|
|
+
|
|
|
|
|
+diff --git a/.gitignore b/.gitignore
|
|
|
|
|
+index 70ec6037fa7a..9097532c1a1a 100644
|
|
|
|
|
+--- a/.gitignore
|
|
|
|
|
++++ b/.gitignore
|
|
|
|
|
+@@ -151,6 +151,9 @@ signing_key.priv
|
|
|
|
|
+ signing_key.x509
|
|
|
|
|
+ x509.genkey
|
|
|
|
|
+
|
|
|
|
|
++# Secureboot certificate
|
|
|
|
|
++/keys/
|
|
|
|
|
++
|
|
|
|
|
+ # Kconfig presets
|
|
|
|
|
+ /all.config
|
|
|
|
|
+ /alldef.config
|
|
|
|
|
+diff --git a/arch/x86/Makefile b/arch/x86/Makefile
|
|
|
|
|
+index b39975977c03..30adea5508d6 100644
|
|
|
|
|
+--- a/arch/x86/Makefile
|
|
|
|
|
++++ b/arch/x86/Makefile
|
|
|
|
|
+@@ -283,6 +283,7 @@ endif
|
|
|
|
|
+ $(Q)$(MAKE) $(build)=$(boot) $(KBUILD_IMAGE)
|
|
|
|
|
+ $(Q)mkdir -p $(objtree)/arch/$(UTS_MACHINE)/boot
|
|
|
|
|
+ $(Q)ln -fsn ../../x86/boot/bzImage $(objtree)/arch/$(UTS_MACHINE)/boot/$@
|
|
|
|
|
++ $(Q)$(srctree)/scripts/sign_kernel.sh $(objtree)/arch/$(UTS_MACHINE)/boot/$@
|
|
|
|
|
+
|
|
|
|
|
+ $(BOOT_TARGETS): vmlinux
|
|
|
|
|
+ $(Q)$(MAKE) $(build)=$(boot) $@
|
|
|
|
|
+diff --git a/scripts/sign_kernel.sh b/scripts/sign_kernel.sh
|
|
|
|
|
+new file mode 100755
|
|
|
|
|
+index 000000000000..d2526a279254
|
|
|
|
|
+--- /dev/null
|
|
|
|
|
++++ b/scripts/sign_kernel.sh
|
|
|
|
|
+@@ -0,0 +1,30 @@
|
|
|
|
|
++#!/bin/sh
|
|
|
|
|
++# SPDX-License-Identifier: GPL-2.0
|
|
|
|
|
++
|
|
|
|
|
++# The path to the compiled kernel image is passed as the first argument
|
|
|
|
|
++BUILDDIR=$(dirname $(dirname $0))
|
|
|
|
|
++VMLINUX=$1
|
|
|
|
|
++
|
|
|
|
|
++# Keys are stored in a toplevel directory called keys
|
|
|
|
|
++# The following files need to be there:
|
|
|
|
|
++# * MOK.priv (private key)
|
|
|
|
|
++# * MOK.pem (public key)
|
|
|
|
|
++#
|
|
|
|
|
++# If the files don't exist, this script will do nothing.
|
|
|
|
|
++if [ ! -f "$BUILDDIR/keys/MOK.key" ]; then
|
|
|
|
|
++ exit 0
|
|
|
|
|
++fi
|
|
|
|
|
++if [ ! -f "$BUILDDIR/keys/MOK.crt" ]; then
|
|
|
|
|
++ exit 0
|
|
|
|
|
++fi
|
|
|
|
|
++
|
|
|
|
|
++# Both required certificates were found. Check if sbsign is installed.
|
|
|
|
|
++echo "Keys for automatic secureboot signing found."
|
|
|
|
|
++if [ ! -x "$(command -v sbsign)" ]; then
|
|
|
|
|
++ echo "ERROR: sbsign not found!"
|
|
|
|
|
++ exit -2
|
|
|
|
|
++fi
|
|
|
|
|
++
|
|
|
|
|
++# Sign the kernel
|
|
|
|
|
++sbsign --key $BUILDDIR/keys/MOK.key --cert $BUILDDIR/keys/MOK.crt \
|
|
|
|
|
++ --output $VMLINUX $VMLINUX
|
|
|
|
|
+--
|
|
|
|
|
+2.41.0
|
|
|
|
|
+
|
Maximilian Luz