T861: use custom Kernel certificate over the root shim signing certificate

author: Christian Breunig <christian@breunig.cc> 2025-03-16 20:11:28 +0100
committer: Christian Breunig <christian@breunig.cc> 2025-03-18 16:24:43 +0100
commit: d5db3bf117ff64597d61b19354baeef3eece9a57 (patch)
tree: 01a32fa0f571603b3924057cf3c5e85c54178ee5 /scripts/package-build/linux-kernel
parent: a02b10b2ba4197c4dcd84eef053e4ab94995295b (diff)
download: vyos-build-d5db3bf117ff64597d61b19354baeef3eece9a57.tar.gz
vyos-build-d5db3bf117ff64597d61b19354baeef3eece9a57.zip
1 files changed, 3 insertions, 2 deletions
diff --git a/scripts/package-build/linux-kernel/build-kernel.sh b/scripts/package-build/linux-kernel/build-kernel.sh
index e3efd127..62dd7829 100755
--- a/scripts/package-build/linux-kernel/build-kernel.sh
+++ b/scripts/package-build/linux-kernel/build-kernel.sh
@@ -36,12 +36,13 @@ do
 done
 
 # Change name of Signing Cert
-sed -i -e "s/CN =.*/CN=VyOS build time autogenerated kernel key/" certs/default_x509.genkey
+sed -i -e "s/CN =.*/CN=VyOS Networks build time autogenerated Kernel key/" certs/default_x509.genkey
 
 TRUSTED_KEYS_FILE=trusted_keys.pem
 # start with empty key file
 echo -n "" > $TRUSTED_KEYS_FILE
-CERTS=$(find ../../../../data/live-build-config/includes.chroot/var/lib/shim-signed/mok -name "*.pem" -type f || true)
+GIT_ROOT=$(git rev-parse --show-toplevel)
+CERTS=$(find ${GIT_ROOT}/data/certificates -name "*.pem" -type f || true)
 if [ ! -z "${CERTS}" ]; then
   # add known public keys to Kernel certificate chain
   for file in $CERTS; do
author	Christian Breunig <christian@breunig.cc>	2025-03-16 20:11:28 +0100
committer	Christian Breunig <christian@breunig.cc>	2025-03-18 16:24:43 +0100
commit	d5db3bf117ff64597d61b19354baeef3eece9a57 (patch)
tree	01a32fa0f571603b3924057cf3c5e85c54178ee5 /scripts/package-build/linux-kernel
parent	a02b10b2ba4197c4dcd84eef053e4ab94995295b (diff)
download	vyos-build-d5db3bf117ff64597d61b19354baeef3eece9a57.tar.gz vyos-build-d5db3bf117ff64597d61b19354baeef3eece9a57.zip