1808e2bb1c
Sign kernel-modules by the keys created by kernel ( aligned with
the centos stx behaviour).
Put the keys into linux(-rt)-kbuild-5.10 package and they will be used
to sign the out of tree kernel modules.
Change the private key's name in kernel-modules according to kernel.
Enable oot kernel-modules' signing by default.
Test Plan:
- PASS: Build kernel-std/kernel-rt.
- PASS: Build the 7 oot kernel modules for both kernel-std/kernel-rt.
- PASS: Build the iso for kernel-std and boot up and probe ko for
every oot kernel-moudles without warning.
- PASS: Build the test iso for kernel-rt and boot up and probe ko for
every oot kernel-moudles without warning.
Story: 2009221
Task: 44837
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: If6915c5d3e7d7c7af89b58033804b5a9ca97d09e
51 lines
1.7 KiB
Diff
51 lines
1.7 KiB
Diff
From f581d6bf42a2f71f5026992bce921291f696b009 Mon Sep 17 00:00:00 2001
|
|
From: Li Zhou <li.zhou@windriver.com>
|
|
Date: Fri, 18 Mar 2022 16:57:42 +0800
|
|
Subject: [PATCH] kernel-modules: sign kernel-modules
|
|
|
|
Sign kernel-modules by the keys created by kernel-rt.
|
|
Put the keys into linux-rt-kbuild-5.10 package and they will be used
|
|
to sign the out of tree kernel modules for kernel-rt.
|
|
|
|
Signed-off-by: Li Zhou <li.zhou@windriver.com>
|
|
---
|
|
debian/config/amd64/none/config | 11 +++++++++++
|
|
debian/rules.real | 2 ++
|
|
2 files changed, 13 insertions(+)
|
|
|
|
diff --git a/debian/config/amd64/none/config b/debian/config/amd64/none/config
|
|
index 7662fd5..e329ad0 100644
|
|
--- a/debian/config/amd64/none/config
|
|
+++ b/debian/config/amd64/none/config
|
|
@@ -6383,3 +6383,14 @@ CONFIG_RUNTIME_TESTING_MENU=y
|
|
# CONFIG_MEMTEST is not set
|
|
# end of Kernel Testing and Coverage
|
|
# end of Kernel hacking
|
|
+
|
|
+##
|
|
+## file: init/Kconfig
|
|
+##
|
|
+CONFIG_MODULE_SIG_ALL=y
|
|
+# CONFIG_MODULE_SIG_FORCE is not set
|
|
+
|
|
+##
|
|
+## file: certs/Kconfig
|
|
+##
|
|
+CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
|
|
diff --git a/debian/rules.real b/debian/rules.real
|
|
index 3304579..552fcf0 100644
|
|
--- a/debian/rules.real
|
|
+++ b/debian/rules.real
|
|
@@ -664,6 +664,8 @@ install-kbuild: build-kbuild
|
|
$(call make-tools,scripts) install DESTDIR=$(DIR) prefix=$(PREFIX_DIR)
|
|
$(call make-tools,tools/objtool) install DESTDIR=$(DIR) prefix=$(PREFIX_DIR)
|
|
dh_link $(PREFIX_DIR) /usr/src/$(PACKAGE_NAME)
|
|
+ dh_install $(BUILD_DIR)/*/certs/signing_key.pem /usr/src/kernels/$(ABINAME)-$(ARCH)/
|
|
+ dh_install $(BUILD_DIR)/*/certs/signing_key.x509 /usr/src/kernels/$(ABINAME)-$(ARCH)/
|
|
dh_installchangelogs
|
|
ifeq (,$(filter nodoc,$(DEB_BUILD_PROFILES)))
|
|
dh_installdocs
|
|
--
|
|
2.17.1
|
|
|