This one and 2/2 are obviously for pve-kernel :-/ — I fixed up the git settings so that it doesn't happen again.
On July 18, 2023 11:11 am, Fabian Grünbichler wrote:
> this is required for secure boot support.
>
> at build time, an ephemeral key pair will be generated and all built modules
> will be signed with it. the private key is discarded, and the public key
> embedded in the kernel image for signature validation at module load time.
>
> these changes allow booting the built kernel in secure boot mode after
> manually
> signing the kernel image with a trusted key (either MOK, or by enrolling
> custom
> PK/KEK/db keys and signing the whole bootchain using them).
>
> Tested-by: Wolfgang Bumiller <w.bumil...@proxmox.com>
> Signed-off-by: Fabian Grünbichler <f.gruenbich...@proxmox.com>
> ---
> debian/rules | 22 ++++++++++++++++++----
> 1 file changed, 18 insertions(+), 4 deletions(-)
>
> diff --git a/debian/rules b/debian/rules
> index 744e5cb..123c870 100755
> --- a/debian/rules
> +++ b/debian/rules
> @@ -53,7 +53,13 @@ PVE_CONFIG_OPTS= \
> -e CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE \
> -e CONFIG_SYSFB_SIMPLEFB \
> -e CONFIG_DRM_SIMPLEDRM \
> --d CONFIG_MODULE_SIG \
> +-e CONFIG_MODULE_SIG \
> +-e CONFIG_MODULE_SIG_ALL \
> +-e CONFIG_MODULE_SIG_FORMAT \
> +--set-str CONFIG_MODULE_SIG_HASH sha512 \
> +--set-str CONFIG_MODULE_SIG_KEY certs/signing_key.pem \
> +-e CONFIG_MODULE_SIG_KEY_TYPE_RSA \
> +-e CONFIG_MODULE_SIG_SHA512 \
> -d CONFIG_MEMCG_DISABLED \
> -e CONFIG_MEMCG_SWAP_ENABLED \
> -e CONFIG_HYPERV \
> @@ -86,9 +92,9 @@ PVE_CONFIG_OPTS= \
> -e CONFIG_UNWINDER_FRAME_POINTER \
> --set-str CONFIG_SYSTEM_TRUSTED_KEYS ""\
> --set-str CONFIG_SYSTEM_REVOCATION_KEYS ""\
> --d CONFIG_SECURITY_LOCKDOWN_LSM \
> --d CONFIG_SECURITY_LOCKDOWN_LSM_EARLY \
> ---set-str CONFIG_LSM yama,integrity,apparmor \
> +-e CONFIG_SECURITY_LOCKDOWN_LSM \
> +-e CONFIG_SECURITY_LOCKDOWN_LSM_EARLY \
> +--set-str CONFIG_LSM lockdown,yama,integrity,apparmor \
> -e CONFIG_PAGE_TABLE_ISOLATION
>
> debian/control: $(wildcard debian/*.in)
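Review bot: Nothing in this hunk enables CONFIG_MODULE_SIG_FORCE, so a kernel booted without Secure Boot (or with lockdown not engaged) will still load unsigned or wrongly-signed modules and merely taint; enforcement is inferred to come only from the lockdown LSM enabled further down in this file, not from the module-signing options themselves. If that is the intended trade-off (locally built out-of-tree modules keep loading on non-Secure-Boot hosts), it should be recorded next to `-e CONFIG_MODULE_SIG \`, e.g. `# MODULE_SIG_FORCE deliberately left off: signatures are only enforced via lockdown under Secure Boot`. The `CONFIG_MODULE_SIG_HASH sha512` / `CONFIG_MODULE_SIG_SHA512` pair is consistent, and `certs/signing_key.pem` is the kernel's default autogenerated key path, so the ephemeral-key description in the commit message matches these lines. The PVE_CONFIG_OPTS assignment this hunk edits continues outside the hunk.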
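Review bot: The lockdown LSM is switched on here but the hunk does not choose a CONFIG_LOCK_DOWN_KERNEL_FORCE_* mode, so the kernel presumably starts in lockdown=none unless the Ubuntu tree's EFI Secure Boot hook (not visible in this patch) raises it to integrity at boot — that should be confirmed, because the commit message's security model (discarded private key, manually signed image) only holds once integrity mode is active. With CONFIG_SYSTEM_TRUSTED_KEYS still set to "", the build-time certificate is the only module trust anchor compiled in, so under integrity lockdown any module not produced by this very build would need a key reachable through some other keyring, which nothing here configures. A one-line comment above `-e CONFIG_SECURITY_LOCKDOWN_LSM \` stating how integrity mode is expected to be entered (and that the `lockdown,` prefix in CONFIG_LSM is what makes it first in the LSM order) would spare the next reader the same investigation. PVE_CONFIG_OPTS continues outside the hunk.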
> @@ -163,6 +169,14 @@ endif
>
> # strip debug info
> find debian/$(PVE_KERNEL_PKG)/lib/modules -name \*.ko -print | while
> read f ; do strip --strip-debug "$$f"; done
> +
> + # sign modules using ephemeral, embedded key
> + if grep -q CONFIG_MODULE_SIG=y ubuntu-kernel/.config ; then \
> + find debian/$(PVE_KERNEL_PKG)/lib/modules -name \*.ko -print |
> while read f ; do \
> + ./ubuntu-kernel/scripts/sign-file sha512
> ./ubuntu-kernel/certs/signing_key.pem ubuntu-kernel/certs/signing_key.x509
> "$$f" ; \
> + done; \
> + rm ./ubuntu-kernel/certs/signing_key.pem ; \
> + fi
> # finalize
> /sbin/depmod -b debian/$(PVE_KERNEL_PKG)/ $(KVNAME)
> # Autogenerate blacklist for watchdog devices (see README)
> --
> 2.39.2
>
>
>
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
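Review bot: The sign-file call in the new loop has no error handling: a debian/rules recipe line runs under plain `sh -c` (no `-e`), the `while` loop's exit status is that of its last iteration and the pipeline masks `find`, so a module that fails to sign is silently left unsigned, the `rm` still discards the key, and the problem only surfaces at module load time under lockdown. Make the loop fail closed, `./ubuntu-kernel/scripts/sign-file sha512 ./ubuntu-kernel/certs/signing_key.pem ubuntu-kernel/certs/signing_key.x509 "$$f" || exit 1; \`, accepting that on an aborted build the private key stays in the build tree until the next clean. Stripping before signing is the right order, but the recipe continues past this hunk, so anything that later rewrites the `.ko` files (dh_strip or a second strip pass) would invalidate every signature and should be checked. A short comment on the `rm` line, e.g. `# discard the ephemeral private key; only the certificate embedded in the image is needed from here on`, would make the intent explicit.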