From a29a2dfa0fa34743508664ca3d0564a923f904d5 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Tue, 28 Apr 2026 16:25:48 +0200 Subject: Kernel: T861: add custom VyOS CA to Kernel builds for later module signing With this addition we can always sign a Kernel module later and ship it if needed, without re-compiling the Kernel. Kernel will report: [ 1.223891] Loaded X.509 cert 'VyOS Networks Secure Boot Signer 2025 - linux: 6ca57e2add335babd08da69b48c70693edd2b037' Issuer: CN = VyOS Networks Secure Boot CA Validity Not Before: Apr 26 09:07:06 2025 GMT Not After : Apr 24 09:07:06 2035 GMT Subject: CN = VyOS Networks Secure Boot Signer 2025 - linux --- scripts/package-build/linux-kernel/build-kernel.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'scripts') diff --git a/scripts/package-build/linux-kernel/build-kernel.sh b/scripts/package-build/linux-kernel/build-kernel.sh index a0364897..5411494d 100755 --- a/scripts/package-build/linux-kernel/build-kernel.sh +++ b/scripts/package-build/linux-kernel/build-kernel.sh @@ -1,6 +1,7 @@ #!/bin/bash CWD=$(pwd) KERNEL_SRC=linux +GIT_ROOT=$(git rev-parse --show-toplevel) set -e @@ -60,7 +61,6 @@ sed -i -e "s/CN =.*/CN=VyOS Networks build time autogenerated Kernel key/" certs TRUSTED_KEYS_FILE=trusted_keys.pem # start with empty key file echo -n "" > $TRUSTED_KEYS_FILE -GIT_ROOT=$(git rev-parse --show-toplevel) CERTS=$(find ${GIT_ROOT}/data/certificates -name "*.pem" -type f || true) if [ ! -z "${CERTS}" ]; then # add known public keys to Kernel certificate chain -- cgit v1.2.3