From d5db3bf117ff64597d61b19354baeef3eece9a57 Mon Sep 17 00:00:00 2001
From: Christian Breunig <christian@breunig.cc>
Date: Sun, 16 Mar 2025 20:11:28 +0100
Subject: T861: use custom Kernel certificate over the root shim signing
 certificate

---
 scripts/check-qemu-install                         | 12 +++++++++++-
 scripts/package-build/linux-kernel/build-kernel.sh |  5 +++--
 2 files changed, 14 insertions(+), 3 deletions(-)

(limited to 'scripts')

diff --git a/scripts/check-qemu-install b/scripts/check-qemu-install
index 551d1e7e..ab6e1b1f 100755
--- a/scripts/check-qemu-install
+++ b/scripts/check-qemu-install
@@ -398,6 +398,16 @@ try:
 
     loginVM(c, log)
 
+    #################################################
+    # Check for no private key contents within the image
+    #################################################
+    msg = 'Found private key - bailing out'
+    c.sendline(f'if sudo grep -rq "BEGIN PRIVATE KEY" /var/lib/shim-signed/mok; then echo {msg}; exit 1; fi')
+    tmp = c.expect([f'\n{msg}', op_mode_prompt])
+    if tmp == 0:
+        log.error(msg)
+        exit(1)
+
     #################################################
     # Installing into VyOS system
     #################################################
@@ -879,7 +889,7 @@ except pexpect.exceptions.ExceptionPexpect:
     EXCEPTION = 1
 
 except Exception:
-    log.error('Unknown error occured while VyOS!')
+    log.error('Unknown error occured!')
     traceback.print_exc()
     EXCEPTION = 1
 
diff --git a/scripts/package-build/linux-kernel/build-kernel.sh b/scripts/package-build/linux-kernel/build-kernel.sh
index e3efd127..62dd7829 100755
--- a/scripts/package-build/linux-kernel/build-kernel.sh
+++ b/scripts/package-build/linux-kernel/build-kernel.sh
@@ -36,12 +36,13 @@ do
 done
 
 # Change name of Signing Cert
-sed -i -e "s/CN =.*/CN=VyOS build time autogenerated kernel key/" certs/default_x509.genkey
+sed -i -e "s/CN =.*/CN=VyOS Networks build time autogenerated Kernel key/" certs/default_x509.genkey
 
 TRUSTED_KEYS_FILE=trusted_keys.pem
 # start with empty key file
 echo -n "" > $TRUSTED_KEYS_FILE
-CERTS=$(find ../../../../data/live-build-config/includes.chroot/var/lib/shim-signed/mok -name "*.pem" -type f || true)
+GIT_ROOT=$(git rev-parse --show-toplevel)
+CERTS=$(find ${GIT_ROOT}/data/certificates -name "*.pem" -type f || true)
 if [ ! -z "${CERTS}" ]; then
   # add known public keys to Kernel certificate chain
   for file in $CERTS; do
-- 
cgit v1.2.3