author | Christian Breunig <christian@breunig.cc> | 2025-03-16 20:11:28 +0100 |
---|---|---|
committer | Christian Breunig <christian@breunig.cc> | 2025-03-18 16:24:43 +0100 |
commit | d5db3bf117ff64597d61b19354baeef3eece9a57 (patch) | |
tree | 01a32fa0f571603b3924057cf3c5e85c54178ee5 /scripts | |
parent | a02b10b2ba4197c4dcd84eef053e4ab94995295b (diff) | |
T861: use custom Kernel certificate over the root shim signing certificate
Diffstat (limited to 'scripts')
-rwxr-xr-x | scripts/check-qemu-install | 12 | ||||
-rwxr-xr-x | scripts/package-build/linux-kernel/build-kernel.sh | 5 |
2 files changed, 14 insertions, 3 deletions
diff --git a/scripts/check-qemu-install b/scripts/check-qemu-install
index 551d1e7e..ab6e1b1f 100755
--- a/scripts/check-qemu-install
+++ b/scripts/check-qemu-install
@@ -399,6 +399,16 @@ try:
     loginVM(c, log)
     #################################################
+    # Check for no private key contents within the image
+    #################################################
+    msg = 'Found private key - bailing out'
+    c.sendline(f'if sudo grep -rq "BEGIN PRIVATE KEY" /var/lib/shim-signed/mok; then echo {msg}; exit 1; fi')
+    tmp = c.expect([f'\n{msg}', op_mode_prompt])
+    if tmp == 0:
+        log.error(msg)
+        exit(1)
+
+    #################################################
     # Installing into VyOS system
     #################################################
     log.info('Starting installer')
@@ -879,7 +889,7 @@ except pexpect.exceptions.ExceptionPexpect:
     EXCEPTION = 1
 except Exception:
-    log.error('Unknown error occured while VyOS!')
+    log.error('Unknown error occured!')
     traceback.print_exc()
     EXCEPTION = 1
diff --git a/scripts/package-build/linux-kernel/build-kernel.sh b/scripts/package-build/linux-kernel/build-kernel.sh
index e3efd127..62dd7829 100755
--- a/scripts/package-build/linux-kernel/build-kernel.sh
+++ b/scripts/package-build/linux-kernel/build-kernel.sh
@@ -36,12 +36,13 @@ do
 done
 # Change name of Signing Cert
-sed -i -e "s/CN =.*/CN=VyOS build time autogenerated kernel key/" certs/default_x509.genkey
+sed -i -e "s/CN =.*/CN=VyOS Networks build time autogenerated Kernel key/" certs/default_x509.genkey
 TRUSTED_KEYS_FILE=trusted_keys.pem
 # start with empty key file
 echo -n "" > $TRUSTED_KEYS_FILE
-CERTS=$(find ../../../../data/live-build-config/includes.chroot/var/lib/shim-signed/mok -name "*.pem" -type f || true)
+GIT_ROOT=$(git rev-parse --show-toplevel)
+CERTS=$(find ${GIT_ROOT}/data/certificates -name "*.pem" -type f || true)
 if [ ! -z "${CERTS}" ]; then
     # add known public keys to Kernel certificate chain
     for file in $CERTS; do
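Review bot: The private-key scan added after loginVM() only matches the literal PKCS#8 header `BEGIN PRIVATE KEY`, so a PKCS#1 (`BEGIN RSA PRIVATE KEY`), EC, OpenSSH or encrypted PKCS#8 key left under /var/lib/shim-signed/mok would pass the check undetected. Matching the shared suffix instead, `grep -rqE "BEGIN .*PRIVATE KEY"`, covers every PEM private-key variant. The expect pattern `\n{msg}` also relies on the echoed command line never wrapping directly before the message text; if the pty is narrower than that long command this could presumably produce a false positive, so a distinct sentinel such as `echo PRIVKEY_FOUND` in the shell branch, with `c.expect(['\nPRIVKEY_FOUND', op_mode_prompt])`, would be unambiguous. The enclosing try: block starts before this hunk.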
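Review bot: The rewritten message on the added line still misspells "occurred"; since the line is being touched anyway, `log.error('Unknown error occurred!')` fixes the typo. The except block continues outside the hunk.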
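Review bot: The added `GIT_ROOT=$(git rev-parse --show-toplevel)` has no failure handling: run from an exported tree that is not a git checkout, GIT_ROOT is empty, `find` is pointed at the absolute path `/data/certificates`, and the existing `|| true` swallows the error, so CERTS ends up empty and the build continues. The same silent outcome follows if data/certificates is absent from the checkout. Since the existing comment says these files feed the kernel's trusted certificate chain, an empty result presumably means a kernel that trusts none of the intended signing certificates, which should abort the build rather than pass unnoticed, e.g. `GIT_ROOT=$(git rev-parse --show-toplevel) || { echo "not inside a git checkout" >&2; exit 1; }` followed by `[ -d "${GIT_ROOT}/data/certificates" ] || { echo "data/certificates not found" >&2; exit 1; }`. Quoting the path in the find call, `find "${GIT_ROOT}/data/certificates" -name "*.pem" -type f`, also guards against a toplevel directory containing spaces. The for loop at the end of the hunk continues outside it.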