Re: [PATCH] builddeb: Support signing kernels with a Machine Owner Key
From: Ard Biesheuvel
Date: Thu Oct 14 2021 - 05:47:04 EST
On Wed, 13 Oct 2021 at 22:07, Matthew Wilcox (Oracle)
<willy@xxxxxxxxxxxxx> wrote:
>
> If the config file specifies a signing key, use it to sign
> the kernel so that machines with SecureBoot enabled can boot.
> See https://wiki.debian.org/SecureBoot
>
> Signed-off-by: Matthew Wilcox (Oracle) <willy@xxxxxxxxxxxxx>
For the change itself
Acked-by: Ard Biesheuvel <ardb@xxxxxxxxxx>
although I'd suggest to fix the subject not to refer to Machine Owner
Keys, as I don't see anything shim related here (i.e., if you sign
using a key that is listed in db, it should also work)
> ---
> scripts/package/builddeb | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/scripts/package/builddeb b/scripts/package/builddeb
> index 91a502bb97e8..4fa6ff2b5cac 100755
> --- a/scripts/package/builddeb
> +++ b/scripts/package/builddeb
> @@ -147,7 +147,15 @@ else
> cp System.map "$tmpdir/boot/System.map-$version"
> cp $KCONFIG_CONFIG "$tmpdir/boot/config-$version"
> fi
> -cp "$($MAKE -s -f $srctree/Makefile image_name)" "$tmpdir/$installed_image_path"
> +
> +vmlinux=$($MAKE -s -f $srctree/Makefile image_name)
> +if is_enabled CONFIG_MODULE_SIG; then
> + cert=$srctree/$(grep ^CONFIG_MODULE_SIG_KEY= include/config/auto.conf | cut -d\" -f2)
> + key=${cert%pem}priv
> + sbsign --key $key --cert $cert "$vmlinux" --output "$tmpdir/$installed_image_path"
> +else
> + cp "$vmlinux" "$tmpdir/$installed_image_path"
> +fi
>
> if is_enabled CONFIG_OF_EARLY_FLATTREE; then
> # Only some architectures with OF support have this target
> --
> 2.32.0
>