author | Viacheslav Hletenko <v.gletenko@vyos.io> | 2024-09-16 12:27:21 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-09-16 12:27:21 +0300 |
commit | 5255ad102a0df86ccc251c7a9bf51f798cb95bf8 (patch) | |
tree | 475fbba07feb4f9b1b8b0d953eb7abd4940f1da6 /packages/linux-kernel/build-kernel.sh | |
parent | 300674c1444d361e31e9a5d3a05bd4e6cd409f17 (diff) | |
parent | 928c1f505b95bb4b693b9e8eac5c73185d67515f (diff) | |
Merge pull request #763 from c-po/secure-boot
T861: add UEFI Secure Boot support
Diffstat (limited to 'packages/linux-kernel/build-kernel.sh')
-rwxr-xr-x | packages/linux-kernel/build-kernel.sh | 25 |
1 files changed, 24 insertions, 1 deletions
diff --git a/packages/linux-kernel/build-kernel.sh b/packages/linux-kernel/build-kernel.sh index 2c02f5c3..3ccb15e9 100755 --- a/packages/linux-kernel/build-kernel.sh +++ b/packages/linux-kernel/build-kernel.sh @@ -18,7 +18,8 @@ echo "I: clean modified files" git reset --hard HEAD KERNEL_VERSION=$(make kernelversion) -KERNEL_SUFFIX=-$(dpkg --print-architecture)-vyos +KERNEL_SUFFIX=-$(awk -F "= " '/kernel_flavor/ {print $2}' ../../../data/defaults.toml | tr -d \") +KERNEL_CONFIG=arch/x86/configs/vyos_defconfig # VyOS requires some small Kernel Patches - apply them here # It's easier to habe them here and make use of the upstream @@ -31,6 +32,28 @@ do patch -p1 < ${PATCH_DIR}/${patch} done +TRUSTED_KEYS_FILE=trusted_keys.pem +# start with empty key file +echo -n "" > $TRUSTED_KEYS_FILE +CERTS=$(ls ../../../data/live-build-config/includes.chroot/var/lib/shim-signed/mok/*.pem) +if [ ! -z "${CERTS}" ]; then + # add known public keys to Kernel certificate chain + for file in $CERTS; do + cat $file >> $TRUSTED_KEYS_FILE + done + + # Force Kernel module signing and embed public keys + echo "CONFIG_MODULE_SIG_FORMAT=y" >> $KERNEL_CONFIG + echo "CONFIG_MODULE_SIG=y" >> $KERNEL_CONFIG + echo "CONFIG_MODULE_SIG_FORCE=y" >> $KERNEL_CONFIG + echo "# CONFIG_MODULE_SIG_ALL is not set" >> $KERNEL_CONFIG + echo "CONFIG_MODULE_SIG_SHA512=y" >> $KERNEL_CONFIG + echo "CONFIG_MODULE_SIG_HASH=\"sha512\"" >> $KERNEL_CONFIG + echo "CONFIG_MODULE_SIG_KEY=\"\"" >> $KERNEL_CONFIG + echo "CONFIG_MODULE_SIG_KEY_TYPE_RSA=y" >> $KERNEL_CONFIG + echo "CONFIG_SYSTEM_TRUSTED_KEYS=\"$TRUSTED_KEYS_FILE\"" >> $KERNEL_CONFIG +fi + echo "I: make vyos_defconfig" # Select Kernel configuration - currently there is only one make vyos_defconfig |
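Review bot: `KERNEL_SUFFIX` is used unchecked after the awk extraction in the first hunk, so a missing `defaults.toml` or a renamed key leaves it as a bare `-` and the build carries on. The pattern `/kernel_flavor/` also matches any line that merely contains that text (a comment, or a longer key name), and the `"= "` separator depends on the exact spacing in the TOML file. I would anchor the match and stop on an empty result: `KERNEL_FLAVOR=$(awk -F '"' '/^kernel_flavor[[:space:]]*=/ {print $2; exit}' ../../../data/defaults.toml)` followed by `[ -n "$KERNEL_FLAVOR" ] || { echo "E: kernel_flavor not found in defaults.toml" >&2; exit 1; }` and `KERNEL_SUFFIX=-$KERNEL_FLAVOR`. Where the suffix is consumed is outside the hunk.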
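Review bot: The `CERTS=$(ls …/mok/*.pem)` block in the second hunk fails open: when the glob matches nothing, `ls` errors, `CERTS` is empty, the whole `if` is skipped and the kernel is built without `CONFIG_MODULE_SIG_FORCE`, with nothing in the build log to say so. If building without enforced module signatures is an intended mode, the script should at least log which mode was chosen; if not, the empty case should abort the build. Parsing `ls` output and the unquoted `$CERTS`/`$file` also break on paths containing whitespace, which a plain glob loop avoids. Every `*.pem` found in that directory becomes a trust anchor for module loading, so a comment stating that the directory must hold only reviewed public certificates would help. The script's interpreter line is outside the hunk, so the sketch below stays within POSIX sh.

```shell
TRUSTED_KEYS_FILE=trusted_keys.pem
MOK_DIR=../../../data/live-build-config/includes.chroot/var/lib/shim-signed/mok
# start with empty key file
: > "$TRUSTED_KEYS_FILE"
# add known public keys to Kernel certificate chain; an unmatched glob
# stays literal, so skip entries that do not exist
for file in "$MOK_DIR"/*.pem; do
  [ -e "$file" ] || continue
  cat -- "$file" >> "$TRUSTED_KEYS_FILE"
done
if [ -s "$TRUSTED_KEYS_FILE" ]; then
  echo "I: embedding trusted keys, module signature enforcement enabled"
  # … unchanged: CONFIG_MODULE_SIG_* lines appended to $KERNEL_CONFIG …
else
  echo "W: no *.pem under $MOK_DIR, kernel is built without CONFIG_MODULE_SIG_FORCE" >&2
fi
```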