On Wed, 13 Oct 2021 at 22:07, Matthew Wilcox (Oracle) <willy@xxxxxxxxxxxxx> wrote: > > If the config file specifies a signing key, use it to sign > the kernel so that machines with SecureBoot enabled can boot. > See https://wiki.debian.org/SecureBoot > > Signed-off-by: Matthew Wilcox (Oracle) <willy@xxxxxxxxxxxxx> For the change itself Acked-by: Ard Biesheuvel <ardb@xxxxxxxxxx> although I'd suggest to fix the subject not to refer to Machine Owner Keys, as I don't see anything shim related here (i.e., if you sign using a key that is listed in db, it should also work) > --- > scripts/package/builddeb | 10 +++++++++- > 1 file changed, 9 insertions(+), 1 deletion(-) > > diff --git a/scripts/package/builddeb b/scripts/package/builddeb > index 91a502bb97e8..4fa6ff2b5cac 100755 > --- a/scripts/package/builddeb > +++ b/scripts/package/builddeb > @@ -147,7 +147,15 @@ else > cp System.map "$tmpdir/boot/System.map-$version" > cp $KCONFIG_CONFIG "$tmpdir/boot/config-$version" > fi > -cp "$($MAKE -s -f $srctree/Makefile image_name)" "$tmpdir/$installed_image_path" > + > +vmlinux=$($MAKE -s -f $srctree/Makefile image_name) > +if is_enabled CONFIG_MODULE_SIG; then > + cert=$srctree/$(grep ^CONFIG_MODULE_SIG_KEY= include/config/auto.conf | cut -d\" -f2) > + key=${cert%pem}priv > + sbsign --key $key --cert $cert "$vmlinux" --output "$tmpdir/$installed_image_path" > +else > + cp "$vmlinux" "$tmpdir/$installed_image_path" > +fi > > if is_enabled CONFIG_OF_EARLY_FLATTREE; then > # Only some architectures with OF support have this target > -- > 2.32.0 >
