* [PATCH] builddeb: Support signing kernels with a Machine Owner Key
@ 2021-05-06 11:58 Matthew Wilcox (Oracle)
2021-05-06 12:01 ` Ard Biesheuvel
0 siblings, 1 reply; 9+ messages in thread
From: Matthew Wilcox (Oracle) @ 2021-05-06 11:58 UTC (permalink / raw)
To: linux-efi, debian-efi, debian-kernel
Cc: Matthew Wilcox (Oracle),
efi, mjg59, masahiroy, michal.lkml, linux-kbuild
If the config file specifies a signing key, use it to sign
the kernel so that machines with SecureBoot enabled can boot.
See https://wiki.debian.org/SecureBoot
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
---
scripts/package/builddeb | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/scripts/package/builddeb b/scripts/package/builddeb
index 91a502bb97e8..4fa6ff2b5cac 100755
--- a/scripts/package/builddeb
+++ b/scripts/package/builddeb
@@ -147,7 +147,15 @@ else
cp System.map "$tmpdir/boot/System.map-$version"
cp $KCONFIG_CONFIG "$tmpdir/boot/config-$version"
fi
-cp "$($MAKE -s -f $srctree/Makefile image_name)" "$tmpdir/$installed_image_path"
+
+vmlinux=$($MAKE -s -f $srctree/Makefile image_name)
+if is_enabled CONFIG_MODULE_SIG; then
+ cert=$srctree/$(grep ^CONFIG_MODULE_SIG_KEY= include/config/auto.conf | cut -d\" -f2)
+ key=${cert%pem}priv
+ sbsign --key $key --cert $cert "$vmlinux" --output "$tmpdir/$installed_image_path"
+else
+ cp "$vmlinux" "$tmpdir/$installed_image_path"
+fi
if is_enabled CONFIG_OF_EARLY_FLATTREE; then
# Only some architectures with OF support have this target
--
2.30.2
^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH] builddeb: Support signing kernels with a Machine Owner Key
2021-05-06 11:58 [PATCH] builddeb: Support signing kernels with a Machine Owner Key Matthew Wilcox (Oracle)
@ 2021-05-06 12:01 ` Ard Biesheuvel
2021-05-06 13:36 ` Matthew Wilcox
0 siblings, 1 reply; 9+ messages in thread
From: Ard Biesheuvel @ 2021-05-06 12:01 UTC (permalink / raw)
To: Matthew Wilcox (Oracle)
Cc: linux-efi, debian-efi, debian-kernel, efi, mjg59,
Masahiro Yamada, Michal Marek, Linux Kbuild mailing list
On Thu, 6 May 2021 at 14:00, Matthew Wilcox (Oracle)
<willy@infradead.org> wrote:
>
> If the config file specifies a signing key, use it to sign
> the kernel so that machines with SecureBoot enabled can boot.
> See https://wiki.debian.org/SecureBoot
>
> Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
> ---
> scripts/package/builddeb | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/scripts/package/builddeb b/scripts/package/builddeb
> index 91a502bb97e8..4fa6ff2b5cac 100755
> --- a/scripts/package/builddeb
> +++ b/scripts/package/builddeb
> @@ -147,7 +147,15 @@ else
> cp System.map "$tmpdir/boot/System.map-$version"
> cp $KCONFIG_CONFIG "$tmpdir/boot/config-$version"
> fi
> -cp "$($MAKE -s -f $srctree/Makefile image_name)" "$tmpdir/$installed_image_path"
> +
> +vmlinux=$($MAKE -s -f $srctree/Makefile image_name)
> +if is_enabled CONFIG_MODULE_SIG; then
Shouldn't this be conditional on CONFIG_EFI as well?
> + cert=$srctree/$(grep ^CONFIG_MODULE_SIG_KEY= include/config/auto.conf | cut -d\" -f2)
> + key=${cert%pem}priv
> + sbsign --key $key --cert $cert "$vmlinux" --output "$tmpdir/$installed_image_path"
> +else
> + cp "$vmlinux" "$tmpdir/$installed_image_path"
> +fi
>
> if is_enabled CONFIG_OF_EARLY_FLATTREE; then
> # Only some architectures with OF support have this target
> --
> 2.30.2
>
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] builddeb: Support signing kernels with a Machine Owner Key
2021-05-06 12:01 ` Ard Biesheuvel
@ 2021-05-06 13:36 ` Matthew Wilcox
2021-05-06 17:38 ` Ard Biesheuvel
0 siblings, 1 reply; 9+ messages in thread
From: Matthew Wilcox @ 2021-05-06 13:36 UTC (permalink / raw)
To: Ard Biesheuvel
Cc: linux-efi, debian-efi, debian-kernel, efi, mjg59,
Masahiro Yamada, Michal Marek, Linux Kbuild mailing list
On Thu, May 06, 2021 at 02:01:53PM +0200, Ard Biesheuvel wrote:
> On Thu, 6 May 2021 at 14:00, Matthew Wilcox (Oracle)
> <willy@infradead.org> wrote:
> >
> > If the config file specifies a signing key, use it to sign
> > the kernel so that machines with SecureBoot enabled can boot.
> > See https://wiki.debian.org/SecureBoot
> >
> > Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
> > ---
> > scripts/package/builddeb | 10 +++++++++-
> > 1 file changed, 9 insertions(+), 1 deletion(-)
> >
> > diff --git a/scripts/package/builddeb b/scripts/package/builddeb
> > index 91a502bb97e8..4fa6ff2b5cac 100755
> > --- a/scripts/package/builddeb
> > +++ b/scripts/package/builddeb
> > @@ -147,7 +147,15 @@ else
> > cp System.map "$tmpdir/boot/System.map-$version"
> > cp $KCONFIG_CONFIG "$tmpdir/boot/config-$version"
> > fi
> > -cp "$($MAKE -s -f $srctree/Makefile image_name)" "$tmpdir/$installed_image_path"
> > +
> > +vmlinux=$($MAKE -s -f $srctree/Makefile image_name)
> > +if is_enabled CONFIG_MODULE_SIG; then
>
> Shouldn't this be conditional on CONFIG_EFI as well?
Maybe! We're a long way outside my area of expertise. I'm just chuffed
I thought of using cut -d\" -f2.
There should probably also be something conditional on sbsign actually
being in $PATH, I guess?
And I wasn't sure about putting all of this in builddeb -- does make
rpm-pkg already have its own way of doing the same thing, or should this
be somewhere more generic?
> > + cert=$srctree/$(grep ^CONFIG_MODULE_SIG_KEY= include/config/auto.conf | cut -d\" -f2)
> > + key=${cert%pem}priv
> > + sbsign --key $key --cert $cert "$vmlinux" --output "$tmpdir/$installed_image_path"
> > +else
> > + cp "$vmlinux" "$tmpdir/$installed_image_path"
> > +fi
> >
> > if is_enabled CONFIG_OF_EARLY_FLATTREE; then
> > # Only some architectures with OF support have this target
> > --
> > 2.30.2
> >
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] builddeb: Support signing kernels with a Machine Owner Key
2021-05-06 13:36 ` Matthew Wilcox
@ 2021-05-06 17:38 ` Ard Biesheuvel
0 siblings, 0 replies; 9+ messages in thread
From: Ard Biesheuvel @ 2021-05-06 17:38 UTC (permalink / raw)
To: Matthew Wilcox, Peter Jones
Cc: linux-efi, debian-efi, debian-kernel, efi, mjg59,
Masahiro Yamada, Michal Marek, Linux Kbuild mailing list
(+ Peter)
On Thu, 6 May 2021 at 15:37, Matthew Wilcox <willy@infradead.org> wrote:
>
> On Thu, May 06, 2021 at 02:01:53PM +0200, Ard Biesheuvel wrote:
> > On Thu, 6 May 2021 at 14:00, Matthew Wilcox (Oracle)
> > <willy@infradead.org> wrote:
> > >
> > > If the config file specifies a signing key, use it to sign
> > > the kernel so that machines with SecureBoot enabled can boot.
> > > See https://wiki.debian.org/SecureBoot
> > >
> > > Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
> > > ---
> > > scripts/package/builddeb | 10 +++++++++-
> > > 1 file changed, 9 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/scripts/package/builddeb b/scripts/package/builddeb
> > > index 91a502bb97e8..4fa6ff2b5cac 100755
> > > --- a/scripts/package/builddeb
> > > +++ b/scripts/package/builddeb
> > > @@ -147,7 +147,15 @@ else
> > > cp System.map "$tmpdir/boot/System.map-$version"
> > > cp $KCONFIG_CONFIG "$tmpdir/boot/config-$version"
> > > fi
> > > -cp "$($MAKE -s -f $srctree/Makefile image_name)" "$tmpdir/$installed_image_path"
> > > +
> > > +vmlinux=$($MAKE -s -f $srctree/Makefile image_name)
> > > +if is_enabled CONFIG_MODULE_SIG; then
> >
> > Shouldn't this be conditional on CONFIG_EFI as well?
>
> Maybe! We're a long way outside my area of expertise. I'm just chuffed
> I thought of using cut -d\" -f2.
>
> There should probably also be something conditional on sbsign actually
> being in $PATH, I guess?
>
> And I wasn't sure about putting all of this in builddeb -- does make
> rpm-pkg already have its own way of doing the same thing, or should this
> be somewhere more generic?
>
No, sbsign is Debian/Ubuntu specific. Fedora/Redhat uses something
else IIRC. But yes, it obviously helps if the tool exists.
> > > + cert=$srctree/$(grep ^CONFIG_MODULE_SIG_KEY= include/config/auto.conf | cut -d\" -f2)
> > > + key=${cert%pem}priv
> > > + sbsign --key $key --cert $cert "$vmlinux" --output "$tmpdir/$installed_image_path"
> > > +else
> > > + cp "$vmlinux" "$tmpdir/$installed_image_path"
> > > +fi
> > >
> > > if is_enabled CONFIG_OF_EARLY_FLATTREE; then
> > > # Only some architectures with OF support have this target
> > > --
> > > 2.30.2
> > >
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] builddeb: Support signing kernels with a Machine Owner Key
2021-12-16 22:04 ` Matthew Wilcox
@ 2021-12-17 15:29 ` Masahiro Yamada
0 siblings, 0 replies; 9+ messages in thread
From: Masahiro Yamada @ 2021-12-17 15:29 UTC (permalink / raw)
To: Matthew Wilcox
Cc: Ard Biesheuvel, Michal Marek, Nick Desaulniers,
Linux Kbuild mailing list, Linux Kernel Mailing List, efi,
debian-kernel, linux-efi, Ben Hutchings
On Fri, Dec 17, 2021 at 7:04 AM Matthew Wilcox <willy@infradead.org> wrote:
>
> On Thu, Nov 04, 2021 at 06:28:40PM +0900, Masahiro Yamada wrote:
> > On Thu, Oct 14, 2021 at 6:47 PM Ard Biesheuvel <ardb@kernel.org> wrote:
> > >
> > > On Wed, 13 Oct 2021 at 22:07, Matthew Wilcox (Oracle)
> > > <willy@infradead.org> wrote:
> > > >
> > > > If the config file specifies a signing key, use it to sign
> > > > the kernel so that machines with SecureBoot enabled can boot.
> > > > See https://wiki.debian.org/SecureBoot
> > > >
> > > > Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
> > >
> > > For the change itself
> > >
> > > Acked-by: Ard Biesheuvel <ardb@kernel.org>
> > >
> > > although I'd suggest to fix the subject not to refer to Machine Owner
> > > Keys, as I don't see anything shim related here (i.e., if you sign
> > > using a key that is listed in db, it should also work)
> > >
> > >
> > > > ---
> > > > scripts/package/builddeb | 10 +++++++++-
> > > > 1 file changed, 9 insertions(+), 1 deletion(-)
> > > >
> > > > diff --git a/scripts/package/builddeb b/scripts/package/builddeb
> > > > index 91a502bb97e8..4fa6ff2b5cac 100755
> > > > --- a/scripts/package/builddeb
> > > > +++ b/scripts/package/builddeb
> > > > @@ -147,7 +147,15 @@ else
> > > > cp System.map "$tmpdir/boot/System.map-$version"
> > > > cp $KCONFIG_CONFIG "$tmpdir/boot/config-$version"
> > > > fi
> > > > -cp "$($MAKE -s -f $srctree/Makefile image_name)" "$tmpdir/$installed_image_path"
> > > > +
> > > > +vmlinux=$($MAKE -s -f $srctree/Makefile image_name)
> > > > +if is_enabled CONFIG_MODULE_SIG; then
> > > > + cert=$srctree/$(grep ^CONFIG_MODULE_SIG_KEY= include/config/auto.conf | cut -d\" -f2)
> > > > + key=${cert%pem}priv
> > > > + sbsign --key $key --cert $cert "$vmlinux" --output "$tmpdir/$installed_image_path"
> > > > +else
> > > > + cp "$vmlinux" "$tmpdir/$installed_image_path"
> > > > +fi
> > > >
> > > > if is_enabled CONFIG_OF_EARLY_FLATTREE; then
> > > > # Only some architectures with OF support have this target
> > > > --
> > > > 2.32.0
> > > >
> >
> > How to compile this patch?
> >
> > "make bindeb-pkg" fails with
> > Can't load key from file './certs/signing_key.priv'
>
> I'm sorry; I missed this email.
>
> I don't know why you're seeing this error, exactly. I'm just trying to
> automate the step here:
[1] Apply your patch
[2] Enable CONFIG_MODULE_SIG
[3] make bindeb-pkg
That's all.
> https://wiki.debian.org/SecureBoot#Using_your_key_to_sign_your_kernel
>
> Have you followed the other steps on that page; ie do you have:
> signing_key.priv, signing_key.der and signing_key.pem files?
certs/signing_key.pem is automatically generated by Kbuild.
There is no such file as signing_key.priv
You can see the content of certs/signing_key.pem
This file contains both certificate and private key.
>
> >
> > Also, sbsign emits "Invalid DOS header magic" error
> > if CONFIG_EFI_STUB is not set.
> >
> > The CONFIG name might depend on arch.
> > CONFIG_EFI for ARCH=arm64, but CONFIG_EFI_STUB for ARCH=x86.
> >
> >
> > If you require sbsign, you need to update Build-Depends ?
>
> It looks like we should add a few extra checks before running sbsign ...
>
> > sh ./scripts/package/builddeb
> > Can't load key from file './certs/signing_key.priv'
> > 139999825022720:error:02001002:system library:fopen:No such file or
> > directory:../crypto/bio/bss_file.c:69:fopen('./certs/signing_key.priv','r')
> > 139999825022720:error:2006D080:BIO routines:BIO_new_file:no such
> > file:../crypto/bio/bss_file.c:76:
> > make[4]: *** [scripts/Makefile.package:87: intdeb-pkg] Error 1
> > make[3]: *** [Makefile:1539: intdeb-pkg] Error 2
> > make[2]: *** [debian/rules:13: binary-arch] Error 2
> > dpkg-buildpackage: error: debian/rules binary subprocess returned exit status 2
> > make[1]: *** [scripts/Makefile.package:83: bindeb-pkg] Error 2
> > make: *** [Makefile:1539: bindeb-pkg] Error 2
>
>
--
Best Regards
Masahiro Yamada
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] builddeb: Support signing kernels with a Machine Owner Key
2021-11-04 9:28 ` Masahiro Yamada
@ 2021-12-16 22:04 ` Matthew Wilcox
2021-12-17 15:29 ` Masahiro Yamada
0 siblings, 1 reply; 9+ messages in thread
From: Matthew Wilcox @ 2021-12-16 22:04 UTC (permalink / raw)
To: Masahiro Yamada
Cc: Ard Biesheuvel, Michal Marek, Nick Desaulniers,
Linux Kbuild mailing list, Linux Kernel Mailing List, efi,
debian-kernel, linux-efi, Ben Hutchings
On Thu, Nov 04, 2021 at 06:28:40PM +0900, Masahiro Yamada wrote:
> On Thu, Oct 14, 2021 at 6:47 PM Ard Biesheuvel <ardb@kernel.org> wrote:
> >
> > On Wed, 13 Oct 2021 at 22:07, Matthew Wilcox (Oracle)
> > <willy@infradead.org> wrote:
> > >
> > > If the config file specifies a signing key, use it to sign
> > > the kernel so that machines with SecureBoot enabled can boot.
> > > See https://wiki.debian.org/SecureBoot
> > >
> > > Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
> >
> > For the change itself
> >
> > Acked-by: Ard Biesheuvel <ardb@kernel.org>
> >
> > although I'd suggest to fix the subject not to refer to Machine Owner
> > Keys, as I don't see anything shim related here (i.e., if you sign
> > using a key that is listed in db, it should also work)
> >
> >
> > > ---
> > > scripts/package/builddeb | 10 +++++++++-
> > > 1 file changed, 9 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/scripts/package/builddeb b/scripts/package/builddeb
> > > index 91a502bb97e8..4fa6ff2b5cac 100755
> > > --- a/scripts/package/builddeb
> > > +++ b/scripts/package/builddeb
> > > @@ -147,7 +147,15 @@ else
> > > cp System.map "$tmpdir/boot/System.map-$version"
> > > cp $KCONFIG_CONFIG "$tmpdir/boot/config-$version"
> > > fi
> > > -cp "$($MAKE -s -f $srctree/Makefile image_name)" "$tmpdir/$installed_image_path"
> > > +
> > > +vmlinux=$($MAKE -s -f $srctree/Makefile image_name)
> > > +if is_enabled CONFIG_MODULE_SIG; then
> > > + cert=$srctree/$(grep ^CONFIG_MODULE_SIG_KEY= include/config/auto.conf | cut -d\" -f2)
> > > + key=${cert%pem}priv
> > > + sbsign --key $key --cert $cert "$vmlinux" --output "$tmpdir/$installed_image_path"
> > > +else
> > > + cp "$vmlinux" "$tmpdir/$installed_image_path"
> > > +fi
> > >
> > > if is_enabled CONFIG_OF_EARLY_FLATTREE; then
> > > # Only some architectures with OF support have this target
> > > --
> > > 2.32.0
> > >
>
> How to compile this patch?
>
> "make bindeb-pkg" fails with
> Can't load key from file './certs/signing_key.priv'
I'm sorry; I missed this email.
I don't know why you're seeing this error, exactly. I'm just trying to
automate the step here:
https://wiki.debian.org/SecureBoot#Using_your_key_to_sign_your_kernel
Have you followed the other steps on that page; ie do you have:
signing_key.priv, signing_key.der and signing_key.pem files?
>
> Also, sbsign emits "Invalid DOS header magic" error
> if CONFIG_EFI_STUB is not set.
>
> The CONFIG name might depend on arch.
> CONFIG_EFI for ARCH=arm64, but CONFIG_EFI_STUB for ARCH=x86.
>
>
> If you require sbsign, you need to update Build-Depends ?
It looks like we should add a few extra checks before running sbsign ...
> sh ./scripts/package/builddeb
> Can't load key from file './certs/signing_key.priv'
> 139999825022720:error:02001002:system library:fopen:No such file or
> directory:../crypto/bio/bss_file.c:69:fopen('./certs/signing_key.priv','r')
> 139999825022720:error:2006D080:BIO routines:BIO_new_file:no such
> file:../crypto/bio/bss_file.c:76:
> make[4]: *** [scripts/Makefile.package:87: intdeb-pkg] Error 1
> make[3]: *** [Makefile:1539: intdeb-pkg] Error 2
> make[2]: *** [debian/rules:13: binary-arch] Error 2
> dpkg-buildpackage: error: debian/rules binary subprocess returned exit status 2
> make[1]: *** [scripts/Makefile.package:83: bindeb-pkg] Error 2
> make: *** [Makefile:1539: bindeb-pkg] Error 2
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] builddeb: Support signing kernels with a Machine Owner Key
2021-10-14 9:46 ` Ard Biesheuvel
@ 2021-11-04 9:28 ` Masahiro Yamada
2021-12-16 22:04 ` Matthew Wilcox
0 siblings, 1 reply; 9+ messages in thread
From: Masahiro Yamada @ 2021-11-04 9:28 UTC (permalink / raw)
To: Ard Biesheuvel
Cc: Matthew Wilcox (Oracle),
Michal Marek, Nick Desaulniers, Linux Kbuild mailing list,
Linux Kernel Mailing List, efi, debian-kernel, linux-efi,
Ben Hutchings
On Thu, Oct 14, 2021 at 6:47 PM Ard Biesheuvel <ardb@kernel.org> wrote:
>
> On Wed, 13 Oct 2021 at 22:07, Matthew Wilcox (Oracle)
> <willy@infradead.org> wrote:
> >
> > If the config file specifies a signing key, use it to sign
> > the kernel so that machines with SecureBoot enabled can boot.
> > See https://wiki.debian.org/SecureBoot
> >
> > Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
>
> For the change itself
>
> Acked-by: Ard Biesheuvel <ardb@kernel.org>
>
> although I'd suggest to fix the subject not to refer to Machine Owner
> Keys, as I don't see anything shim related here (i.e., if you sign
> using a key that is listed in db, it should also work)
>
>
> > ---
> > scripts/package/builddeb | 10 +++++++++-
> > 1 file changed, 9 insertions(+), 1 deletion(-)
> >
> > diff --git a/scripts/package/builddeb b/scripts/package/builddeb
> > index 91a502bb97e8..4fa6ff2b5cac 100755
> > --- a/scripts/package/builddeb
> > +++ b/scripts/package/builddeb
> > @@ -147,7 +147,15 @@ else
> > cp System.map "$tmpdir/boot/System.map-$version"
> > cp $KCONFIG_CONFIG "$tmpdir/boot/config-$version"
> > fi
> > -cp "$($MAKE -s -f $srctree/Makefile image_name)" "$tmpdir/$installed_image_path"
> > +
> > +vmlinux=$($MAKE -s -f $srctree/Makefile image_name)
> > +if is_enabled CONFIG_MODULE_SIG; then
> > + cert=$srctree/$(grep ^CONFIG_MODULE_SIG_KEY= include/config/auto.conf | cut -d\" -f2)
> > + key=${cert%pem}priv
> > + sbsign --key $key --cert $cert "$vmlinux" --output "$tmpdir/$installed_image_path"
> > +else
> > + cp "$vmlinux" "$tmpdir/$installed_image_path"
> > +fi
> >
> > if is_enabled CONFIG_OF_EARLY_FLATTREE; then
> > # Only some architectures with OF support have this target
> > --
> > 2.32.0
> >
How to compile this patch?
"make bindeb-pkg" fails with
Can't load key from file './certs/signing_key.priv'
Also, sbsign emits "Invalid DOS header magic" error
if CONFIG_EFI_STUB is not set.
The CONFIG name might depend on arch.
CONFIG_EFI for ARCH=arm64, but CONFIG_EFI_STUB for ARCH=x86.
If you require sbsign, you need to update Build-Depends ?
My build log:
masahiro@grover:~/workspace/linux-kbuild$ make bindeb-pkg -j8
sh ./scripts/package/mkdebian
dpkg-buildpackage -r"fakeroot -u" -a$(cat debian/arch) -b -nc -uc
dpkg-buildpackage: info: source package linux-upstream
dpkg-buildpackage: info: source version 5.15.0-rc2+-1
dpkg-buildpackage: info: source distribution hirsute
dpkg-buildpackage: info: source changed by masahiro <masahiro@grover>
dpkg-buildpackage: info: host architecture amd64
dpkg-source --before-build .
debian/rules binary
make KERNELRELEASE=5.15.0-rc2+ ARCH=x86 KBUILD_BUILD_VERSION=1 -f ./Makefile
DESCEND objtool
CALL scripts/atomic/check-atomics.sh
CALL scripts/checksyscalls.sh
CHK include/generated/compile.h
Kernel: arch/x86/boot/bzImage is ready (#1)
make KERNELRELEASE=5.15.0-rc2+ ARCH=x86 KBUILD_BUILD_VERSION=1 -f
./Makefile intdeb-pkg
sh ./scripts/package/builddeb
Can't load key from file './certs/signing_key.priv'
139999825022720:error:02001002:system library:fopen:No such file or
directory:../crypto/bio/bss_file.c:69:fopen('./certs/signing_key.priv','r')
139999825022720:error:2006D080:BIO routines:BIO_new_file:no such
file:../crypto/bio/bss_file.c:76:
make[4]: *** [scripts/Makefile.package:87: intdeb-pkg] Error 1
make[3]: *** [Makefile:1539: intdeb-pkg] Error 2
make[2]: *** [debian/rules:13: binary-arch] Error 2
dpkg-buildpackage: error: debian/rules binary subprocess returned exit status 2
make[1]: *** [scripts/Makefile.package:83: bindeb-pkg] Error 2
make: *** [Makefile:1539: bindeb-pkg] Error 2
CC'ed Ben in case he has more comments.
--
Best Regards
Masahiro Yamada
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] builddeb: Support signing kernels with a Machine Owner Key
2021-10-13 20:05 Matthew Wilcox (Oracle)
@ 2021-10-14 9:46 ` Ard Biesheuvel
2021-11-04 9:28 ` Masahiro Yamada
0 siblings, 1 reply; 9+ messages in thread
From: Ard Biesheuvel @ 2021-10-14 9:46 UTC (permalink / raw)
To: Matthew Wilcox (Oracle)
Cc: Masahiro Yamada, Michal Marek, Nick Desaulniers,
Linux Kbuild mailing list, Linux Kernel Mailing List, efi,
debian-kernel, linux-efi
On Wed, 13 Oct 2021 at 22:07, Matthew Wilcox (Oracle)
<willy@infradead.org> wrote:
>
> If the config file specifies a signing key, use it to sign
> the kernel so that machines with SecureBoot enabled can boot.
> See https://wiki.debian.org/SecureBoot
>
> Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
For the change itself
Acked-by: Ard Biesheuvel <ardb@kernel.org>
although I'd suggest to fix the subject not to refer to Machine Owner
Keys, as I don't see anything shim related here (i.e., if you sign
using a key that is listed in db, it should also work)
> ---
> scripts/package/builddeb | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/scripts/package/builddeb b/scripts/package/builddeb
> index 91a502bb97e8..4fa6ff2b5cac 100755
> --- a/scripts/package/builddeb
> +++ b/scripts/package/builddeb
> @@ -147,7 +147,15 @@ else
> cp System.map "$tmpdir/boot/System.map-$version"
> cp $KCONFIG_CONFIG "$tmpdir/boot/config-$version"
> fi
> -cp "$($MAKE -s -f $srctree/Makefile image_name)" "$tmpdir/$installed_image_path"
> +
> +vmlinux=$($MAKE -s -f $srctree/Makefile image_name)
> +if is_enabled CONFIG_MODULE_SIG; then
> + cert=$srctree/$(grep ^CONFIG_MODULE_SIG_KEY= include/config/auto.conf | cut -d\" -f2)
> + key=${cert%pem}priv
> + sbsign --key $key --cert $cert "$vmlinux" --output "$tmpdir/$installed_image_path"
> +else
> + cp "$vmlinux" "$tmpdir/$installed_image_path"
> +fi
>
> if is_enabled CONFIG_OF_EARLY_FLATTREE; then
> # Only some architectures with OF support have this target
> --
> 2.32.0
>
^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH] builddeb: Support signing kernels with a Machine Owner Key
@ 2021-10-13 20:05 Matthew Wilcox (Oracle)
2021-10-14 9:46 ` Ard Biesheuvel
0 siblings, 1 reply; 9+ messages in thread
From: Matthew Wilcox (Oracle) @ 2021-10-13 20:05 UTC (permalink / raw)
Cc: Matthew Wilcox (Oracle),
Masahiro Yamada, Michal Marek, Nick Desaulniers, linux-kbuild,
linux-kernel, efi, debian-kernel, linux-efi
If the config file specifies a signing key, use it to sign
the kernel so that machines with SecureBoot enabled can boot.
See https://wiki.debian.org/SecureBoot
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
---
scripts/package/builddeb | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/scripts/package/builddeb b/scripts/package/builddeb
index 91a502bb97e8..4fa6ff2b5cac 100755
--- a/scripts/package/builddeb
+++ b/scripts/package/builddeb
@@ -147,7 +147,15 @@ else
cp System.map "$tmpdir/boot/System.map-$version"
cp $KCONFIG_CONFIG "$tmpdir/boot/config-$version"
fi
-cp "$($MAKE -s -f $srctree/Makefile image_name)" "$tmpdir/$installed_image_path"
+
+vmlinux=$($MAKE -s -f $srctree/Makefile image_name)
+if is_enabled CONFIG_MODULE_SIG; then
+ cert=$srctree/$(grep ^CONFIG_MODULE_SIG_KEY= include/config/auto.conf | cut -d\" -f2)
+ key=${cert%pem}priv
+ sbsign --key $key --cert $cert "$vmlinux" --output "$tmpdir/$installed_image_path"
+else
+ cp "$vmlinux" "$tmpdir/$installed_image_path"
+fi
if is_enabled CONFIG_OF_EARLY_FLATTREE; then
# Only some architectures with OF support have this target
--
2.32.0
^ permalink raw reply related [flat|nested] 9+ messages in thread
end of thread, other threads:[~2021-12-17 15:31 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-05-06 11:58 [PATCH] builddeb: Support signing kernels with a Machine Owner Key Matthew Wilcox (Oracle)
2021-05-06 12:01 ` Ard Biesheuvel
2021-05-06 13:36 ` Matthew Wilcox
2021-05-06 17:38 ` Ard Biesheuvel
2021-10-13 20:05 Matthew Wilcox (Oracle)
2021-10-14 9:46 ` Ard Biesheuvel
2021-11-04 9:28 ` Masahiro Yamada
2021-12-16 22:04 ` Matthew Wilcox
2021-12-17 15:29 ` Masahiro Yamada
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.