authorChristian Breunig <christian@breunig.cc>2025-03-16 20:11:28 +0100
committerChristian Breunig <christian@breunig.cc>2025-03-18 16:24:43 +0100
commitd5db3bf117ff64597d61b19354baeef3eece9a57 (patch)
tree01a32fa0f571603b3924057cf3c5e85c54178ee5 /data
parenta02b10b2ba4197c4dcd84eef053e4ab94995295b (diff)
T861: use custom Kernel certificate over the root shim signing certificate
Diffstat (limited to 'data')
-rwxr-xr-xdata/live-build-config/hooks/live/93-sb-sign-kernel.chroot17
1 files changed, 13 insertions, 4 deletions
diff --git a/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot b/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot
index 1dc03186..8494a5c8 100755
--- a/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot
+++ b/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot
@@ -1,7 +1,7 @@
#!/bin/sh
SIGN_FILE=$(find /usr/lib -name sign-file)
-MOK_KEY="/var/lib/shim-signed/mok/MOK.key"
-MOK_CERT="/var/lib/shim-signed/mok/MOK.pem"
+KERNEL_KEY="/var/lib/shim-signed/mok/vyos-dev-2025-linux.key"
+KERNEL_CERT="/var/lib/shim-signed/mok/vyos-dev-2025-linux.pem"
VMLINUZ=$(readlink /boot/vmlinuz)
# All Linux Kernel modules need to be cryptographically signed
@@ -13,10 +13,19 @@ find /lib/modules -type f -name \*.ko | while read MODULE; do
fi
done
-if [ ! -f ${MOK_KEY} ]; then
+if [ ! -f ${KERNEL_KEY} ] && [ ! -f ${KERNEL_CERT} ]; then
echo "I: Signing key for Linux Kernel not found - Secure Boot not possible"
else
echo "I: Signing Linux Kernel for Secure Boot"
- sbsign --key ${MOK_KEY} --cert ${MOK_CERT} /boot/${VMLINUZ} --output /boot/${VMLINUZ}
+ sbsign --key ${KERNEL_KEY} --cert ${KERNEL_CERT} /boot/${VMLINUZ} --output /boot/${VMLINUZ}
sbverify --list /boot/${VMLINUZ}
+ rm -f ${KERNEL_KEY}
fi
+
+for cert in $(ls /var/lib/shim-signed/mok/); do
+ if grep -rq "BEGIN PRIVATE KEY" /var/lib/shim-signed/mok/${cert}; then
+ echo "Found private key - bailing out"
+ exit 1
+ fi
+done
+
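Review bot: The guard on the new `if` line lets the build reach sbsign when only one of the two files is missing, because `&&` skips signing only when both are absent; sbsign needs both, so the check should be `if [ ! -f "${KERNEL_KEY}" ] || [ ! -f "${KERNEL_CERT}" ]; then`, otherwise the hook announces "Signing Linux Kernel", sbsign fails, and since no `set -e` is visible in the first hunk the build presumably continues with an unsigned kernel. The private-key scan at the end of the hunk only matches the PKCS#8 header: a traditional `BEGIN RSA PRIVATE KEY` / `BEGIN EC PRIVATE KEY` or an `ENCRYPTED PRIVATE KEY` file left in the MOK directory would pass the check, so match the shared suffix instead, `if grep -q -- "PRIVATE KEY-----" "/var/lib/shim-signed/mok/${cert}"; then`, which also drops the unneeded `-r` on a single file. Iterating over `$(ls …)` word-splits filenames; a glob such as `for cert in /var/lib/shim-signed/mok/*; do` avoids that and removes the path concatenation.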