Merge pull request #772 from c-po/kernel-ephemeral-keys

T861: sign all Kernel modules with an ephemeral key
author: Christian Breunig <christian@breunig.cc> 2024-09-25 20:24:47 +0200
committer: GitHub <noreply@github.com> 2024-09-25 20:24:47 +0200
commit: eff99f5eda19d5ddf324eb01abcc68577d942e62 (patch)
tree: 0a4256d787fcdda0bea8308f6a76c65ef1e7ad1b /scripts/package-build/linux-kernel/sign-modules.sh
parent: fa50a5073b6d3f3bf1f213603c43373f5a980801 (diff)
parent: d235b31a095f9b8fdb2d5c231935c8b4b4c3da6c (diff)
download: vyos-build-eff99f5eda19d5ddf324eb01abcc68577d942e62.tar.gz
vyos-build-eff99f5eda19d5ddf324eb01abcc68577d942e62.zip
1 files changed, 15 insertions, 0 deletions
diff --git a/scripts/package-build/linux-kernel/sign-modules.sh b/scripts/package-build/linux-kernel/sign-modules.sh
new file mode 100755
index 00000000..cfb368eb
--- /dev/null
+++ b/scripts/package-build/linux-kernel/sign-modules.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+BASE_DIR=$(dirname $0)
+MODULE_DIR=$1
+. ${BASE_DIR}/kernel-vars
+
+SIGN_FILE="${KERNEL_DIR}/scripts/sign-file"
+
+if [ -f ${EPHEMERAL_KEY} ] && [ -f ${EPHEMERAL_CERT} ]; then
+    find ${MODULE_DIR} -type f -name \*.ko | while read MODULE; do
+      echo "I: Signing ${MODULE} ..."
+      ${SIGN_FILE} sha512 ${EPHEMERAL_KEY} ${EPHEMERAL_CERT} ${MODULE}
+    done
+fi
+
author	Christian Breunig <christian@breunig.cc>	2024-09-25 20:24:47 +0200
committer	GitHub <noreply@github.com>	2024-09-25 20:24:47 +0200
commit	eff99f5eda19d5ddf324eb01abcc68577d942e62 (patch)
tree	0a4256d787fcdda0bea8308f6a76c65ef1e7ad1b /scripts/package-build/linux-kernel/sign-modules.sh
parent	fa50a5073b6d3f3bf1f213603c43373f5a980801 (diff)
parent	d235b31a095f9b8fdb2d5c231935c8b4b4c3da6c (diff)
download	vyos-build-eff99f5eda19d5ddf324eb01abcc68577d942e62.tar.gz vyos-build-eff99f5eda19d5ddf324eb01abcc68577d942e62.zip