| author | Christian Breunig <christian@breunig.cc> | 2025-03-21 08:37:34 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-03-21 08:37:34 +0100 |
| commit | d552f7f8c38d7ad3bd28d9019a58b57e41b07f0b (patch) | |
| tree | fc2421034e941871e0d233c52bda6992f3e1acc2 /data | |
| parent | 750951606bbbbdc7c1e21d36a8af8e8ba1b98db9 (diff) | |
| parent | 96f1844557950055aa8f9cd97bd95a6a0b1761b9 (diff) | |
| download | vyos-build-d552f7f8c38d7ad3bd28d9019a58b57e41b07f0b.tar.gz vyos-build-d552f7f8c38d7ad3bd28d9019a58b57e41b07f0b.zip | |
Merge pull request #930 from c-po/T861-secure-boot
T861: minor improvements to secure-boot certificate handling
Diffstat (limited to 'data')
| -rw-r--r-- | data/certificates/.gitignore | 1 | ||||
| -rwxr-xr-x | data/live-build-config/hooks/live/93-sb-sign-kernel.chroot | 17 | ||||
| -rw-r--r-- | data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md | 11 |
3 files changed, 14 insertions, 15 deletions
diff --git a/data/certificates/.gitignore b/data/certificates/.gitignore
new file mode 100644
index 00000000..c996e507
--- /dev/null
+++ b/data/certificates/.gitignore
@@ -0,0 +1 @@
+*.key
diff --git a/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot b/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot
index 1dc03186..8494a5c8 100755
--- a/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot
+++ b/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot
@@ -1,7 +1,7 @@
 #!/bin/sh
 SIGN_FILE=$(find /usr/lib -name sign-file)
-MOK_KEY="/var/lib/shim-signed/mok/MOK.key"
-MOK_CERT="/var/lib/shim-signed/mok/MOK.pem"
+KERNEL_KEY="/var/lib/shim-signed/mok/vyos-dev-2025-linux.key"
+KERNEL_CERT="/var/lib/shim-signed/mok/vyos-dev-2025-linux.pem"
 VMLINUZ=$(readlink /boot/vmlinuz)
 
 # All Linux Kernel modules need to be cryptographically signed
@@ -13,10 +13,19 @@ find /lib/modules -type f -name \*.ko | while read MODULE; do
     fi
 done
 
-if [ ! -f ${MOK_KEY} ]; then
+if [ ! -f ${KERNEL_KEY} ] && [ ! -f ${KERNEL_CERT} ]; then
     echo "I: Signing key for Linux Kernel not found - Secure Boot not possible"
 else
     echo "I: Signing Linux Kernel for Secure Boot"
-    sbsign --key ${MOK_KEY} --cert ${MOK_CERT} /boot/${VMLINUZ} --output /boot/${VMLINUZ}
+    sbsign --key ${KERNEL_KEY} --cert ${KERNEL_CERT} /boot/${VMLINUZ} --output /boot/${VMLINUZ}
     sbverify --list /boot/${VMLINUZ}
+    rm -f ${KERNEL_KEY}
 fi
+
+for cert in $(ls /var/lib/shim-signed/mok/); do
+    if grep -rq "BEGIN PRIVATE KEY" /var/lib/shim-signed/mok/${cert}; then
+        echo "Found private key - bailing out"
+        exit 1
+    fi
+done
+
diff --git a/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md b/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
deleted file mode 100644
index abaaa97a..00000000
--- a/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
+++ /dev/null
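Review bot: The rewritten guard `if [ ! -f ${KERNEL_KEY} ] && [ ! -f ${KERNEL_CERT} ]; then` in the second hunk of 93-sb-sign-kernel.chroot skips signing only when both files are absent, so with just one of the pair missing the hook takes the else branch, sbsign fails, and because the script runs under `#!/bin/sh` without `set -e` and neither sbsign nor sbverify has its exit status checked, the build carries on with an unsigned kernel right after printing "I: Signing Linux Kernel for Secure Boot"; the test should be `||` and both tool invocations should abort the hook on failure. The new private-key sweep at the end matches only the literal PKCS#8 header `BEGIN PRIVATE KEY`, so a key written in traditional `BEGIN RSA PRIVATE KEY` / `BEGIN EC PRIVATE KEY` form or as `BEGIN ENCRYPTED PRIVATE KEY` passes the check; matching on `PRIVATE KEY` covers every PEM header, while a DER-encoded key cannot be caught by a text grep at all and would need a separate check. The `$(ls …)` loop should be a glob so each path is handled as a single quoted word. The `while read MODULE; do` loop closed by the `fi`/`done` context at the top of the hunk starts outside it.
```shell
if [ ! -f ${KERNEL_KEY} ] || [ ! -f ${KERNEL_CERT} ]; then
# … unchanged: "not found" message, else, "Signing" message …
    sbsign --key ${KERNEL_KEY} --cert ${KERNEL_CERT} /boot/${VMLINUZ} --output /boot/${VMLINUZ} || exit 1
    sbverify --list /boot/${VMLINUZ} || exit 1
    rm -f ${KERNEL_KEY}
fi

for cert in /var/lib/shim-signed/mok/*; do
    if grep -rq "PRIVATE KEY" "${cert}"; then
# … unchanged: "Found private key" message and exit 1 …
    fi
done
```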
@@ -1,11 +0,0 @@
-# Secure Boot
-
-## CA
-
-Create Certificate Authority used for Kernel signing. CA is loaded into the
-Machine Owner Key store on the target system.
-
-```bash
-openssl req -new -x509 -newkey rsa:4096 -keyout MOK.key -outform DER -out MOK.der -days 36500 -subj "/CN=VyOS Secure Boot CA/" -nodes
-openssl x509 -inform der -in MOK.der -out MOK.pem
-``` |
