summaryrefslogtreecommitdiff
path: root/scripts/package-build/linux-kernel/build-kernel.sh
diff options
context:
space:
mode:
Diffstat (limited to 'scripts/package-build/linux-kernel/build-kernel.sh')
-rwxr-xr-xscripts/package-build/linux-kernel/build-kernel.sh53
1 files changed, 42 insertions, 11 deletions
diff --git a/scripts/package-build/linux-kernel/build-kernel.sh b/scripts/package-build/linux-kernel/build-kernel.sh
index 2c02f5c3..6f3b94ec 100755
--- a/scripts/package-build/linux-kernel/build-kernel.sh
+++ b/scripts/package-build/linux-kernel/build-kernel.sh
@@ -9,16 +9,20 @@ if [ ! -d ${KERNEL_SRC} ]; then
exit 1
fi
-echo "I: Copy Kernel config (x86_64_vyos_defconfig) to Kernel Source"
-cp -rv arch/ ${KERNEL_SRC}/
-
cd ${KERNEL_SRC}
-echo "I: clean modified files"
-git reset --hard HEAD
+if [ -d .git ]; then
+ echo "I: Clean modified files - reset Git repo"
+ git reset --hard HEAD
+ git clean --force -d -x
+fi
+
+echo "I: Copy Kernel config (x86_64_vyos_defconfig) to Kernel Source"
+cp -rv ${CWD}/arch/ .
KERNEL_VERSION=$(make kernelversion)
-KERNEL_SUFFIX=-$(dpkg --print-architecture)-vyos
+KERNEL_SUFFIX=-$(awk -F "= " '/kernel_flavor/ {print $2}' ../../../data/defaults.toml | tr -d \")
+KERNEL_CONFIG=arch/x86/configs/vyos_defconfig
# VyOS requires some small Kernel Patches - apply them here
# It's easier to habe them here and make use of the upstream
@@ -31,26 +35,53 @@ do
patch -p1 < ${PATCH_DIR}/${patch}
done
+# Change name of Signing Cert
+sed -i -e "s/CN =.*/CN=VyOS build time autogenerated kernel key/" certs/default_x509.genkey
+
+TRUSTED_KEYS_FILE=trusted_keys.pem
+# start with empty key file
+echo -n "" > $TRUSTED_KEYS_FILE
+CERTS=$(find ../../../data/live-build-config/includes.chroot/var/lib/shim-signed/mok -name "*.pem" -type f || true)
+if [ ! -z "${CERTS}" ]; then
+ # add known public keys to Kernel certificate chain
+ for file in $CERTS; do
+ cat $file >> $TRUSTED_KEYS_FILE
+ done
+ # Force Kernel module signing and embed public keys
+ echo "CONFIG_SYSTEM_TRUSTED_KEYRING" >> $KERNEL_CONFIG
+ echo "CONFIG_SYSTEM_TRUSTED_KEYS=\"$TRUSTED_KEYS_FILE\"" >> $KERNEL_CONFIG
+fi
+
echo "I: make vyos_defconfig"
# Select Kernel configuration - currently there is only one
make vyos_defconfig
echo "I: Generate environment file containing Kernel variable"
+EPHEMERAL_KEY="/tmp/ephemeral.key"
+EPHEMERAL_PEM="/tmp/ephemeral.pem"
cat << EOF >${CWD}/kernel-vars
#!/bin/sh
export KERNEL_VERSION=${KERNEL_VERSION}
export KERNEL_SUFFIX=${KERNEL_SUFFIX}
export KERNEL_DIR=${CWD}/${KERNEL_SRC}
+export EPHEMERAL_KEY=${EPHEMERAL_KEY}
+export EPHEMERAL_CERT=${EPHEMERAL_PEM}
EOF
echo "I: Build Debian Kernel package"
touch .scmversion
make bindeb-pkg BUILD_TOOLS=1 LOCALVERSION=${KERNEL_SUFFIX} KDEB_PKGVERSION=${KERNEL_VERSION}-1 -j $(getconf _NPROCESSORS_ONLN)
+# Back to the old Kernel build-scripts directory
cd $CWD
-if [[ $? == 0 ]]; then
- for package in $(ls linux-*.deb)
- do
- ln -sf linux-kernel/$package ..
- done
+EPHEMERAL_KERNEL_KEY=$(grep -E "^CONFIG_MODULE_SIG_KEY=" ${KERNEL_SRC}/$KERNEL_CONFIG | awk -F= '{print $2}' | tr -d \")
+if test -f "${EPHEMERAL_KEY}"; then
+ rm -f ${EPHEMERAL_KEY}
+fi
+if test -f "${EPHEMERAL_PEM}"; then
+ rm -f ${EPHEMERAL_PEM}
+fi
+if test -f "${KERNEL_SRC}/${EPHEMERAL_KERNEL_KEY}"; then
+ openssl rsa -in ${KERNEL_SRC}/${EPHEMERAL_KERNEL_KEY} -out ${EPHEMERAL_KEY}
+ openssl x509 -in ${KERNEL_SRC}/${EPHEMERAL_KERNEL_KEY} -out ${EPHEMERAL_PEM}
fi
generated by cgit v1.2.3 (git 2.39.1) at 2025-01-12 14:05:26 +0000