Re: [PATCH] Sign the aarch64 kernel

On Tue, Oct 23, 2018 at 11:56 PM Jeremy Linton <jeremy.linton@xxxxxxx> wrote:
>
> The aarch64 kernel is a gzip'ed EFI image, this means
> that pesign needs to sign the original image and then
> zip it for grub to be able to validate the kernel image.

So ATM we don't have the actual HW which contains the signing keys
available on aarch64 to sign the kernels with, so we can't do this
just yet. I will open an infrastructure ticket so we can start to move
this forward though.

> Signed-off-by: Jeremy Linton <jeremy.linton@xxxxxxx>
> ---
>  kernel.spec | 19 ++++++++++++++++---
>  1 file changed, 16 insertions(+), 3 deletions(-)
>
> diff --git a/kernel.spec b/kernel.spec
> index 25e4676a..e6601758 100644
> --- a/kernel.spec
> +++ b/kernel.spec
> @@ -10,7 +10,7 @@ Summary: The Linux kernel
>
>  # Sign modules on x86.  Make sure the config files match this setting if more
>  # architectures are added.
> -%ifarch %{ix86} x86_64
> +%ifarch %{ix86} x86_64 aarch64
>  %global signkernel 1
>  %global signmodules 1
>  %global zipmodules 1
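
Review bot: Adding aarch64 to this `%ifarch` also turns on `signmodules` and `zipmodules` for aarch64, not only `signkernel`, while the commit message talks only about signing the kernel image. The comment directly above still reads "Sign modules on x86" and asks that the config files match when more architectures are added, yet the diffstat shows kernel.spec as the only file changed. Either update the comment and mention the aarch64 config state in the commit message, or give `signkernel` its own `%ifarch` so module signing is not enabled as a side effect.
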
> @@ -1288,13 +1288,26 @@ BuildKernel() {
>        cp arch/$Arch/boot/zImage.stub $RPM_BUILD_ROOT/lib/modules/$KernelVer/zImage.stub-$KernelVer || :
>      fi
>      %if %{signkernel}
> +    # aarch64 kernels are gziped EFI images
> +    KernelExtension=${KernelImage##*.}
> +    if [ "$KernelExtension" == "gz" ]; then
> +       SignImage=${KernelImage%.*}
> +    else
> +       SignImage=$KernelImage
> +    fi
> +
>      # Sign the image if we're using EFI
> -    %pesign -s -i $KernelImage -o vmlinuz.signed
> +    %pesign -s -i $SignImage -o vmlinuz.signed
>      if [ ! -s vmlinuz.signed ]; then
>          echo "pesigning failed"
>          exit 1
>      fi
> -    mv vmlinuz.signed $KernelImage
> +    mv vmlinuz.signed $SignImage
> +
> +    if [ "$KernelExtension" == "gz" ]; then
> +       gzip -f9 $SignImage

Why gzip? Could this be xz?

> +    fi
> +
>      %endif
>      $CopyKernel $KernelImage \
>                  $RPM_BUILD_ROOT/%{image_install_path}/$InstallName-$KernelVer
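
Review bot: The new block signs `${KernelImage%.*}` on the assumption that an uncompressed image sits next to the `.gz`, but nothing checks for it before `%pesign -s -i $SignImage`, so a missing input is reported only as "pesigning failed". A `[ -s "$SignImage" ]` test with its own message ahead of the pesign call would separate the two cases. The expansions of `$SignImage` and `$KernelImage` in the pesign, `mv` and `gzip` lines are unquoted, and the `[ ... == "gz" ]` tests use `==` where `=` is the portable form. `gzip -f9` stores the input file name and timestamp in the header by default; adding `-n` keeps the recompressed image independent of build time. The added comment spells "gzipped" as "gziped".
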
> --
> 2.19.1
> _______________________________________________
> kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to kernel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/kernel@xxxxxxxxxxxxxxxxxxxxxxx