If the config file specifies a signing key, use it to sign the kernel so that machines with SecureBoot enabled can boot. See https://wiki.debian.org/SecureBoot Signed-off-by: Matthew Wilcox (Oracle) <willy@xxxxxxxxxxxxx> --- v2: - Handle private keys stored in the pem file as well as adjacent to the certificate - Handle certificate paths specified relative to both dsttree and srctree (as well as absolute) - Only try to sign the executable if EFI_STUB is enabled - Only try to execute sbsign if it's in $PATH scripts/package/builddeb | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/scripts/package/builddeb b/scripts/package/builddeb index 91a502bb97e8..9dd92fd02b12 100755 --- a/scripts/package/builddeb +++ b/scripts/package/builddeb @@ -147,7 +147,30 @@ else cp System.map "$tmpdir/boot/System.map-$version" cp $KCONFIG_CONFIG "$tmpdir/boot/config-$version" fi -cp "$($MAKE -s -f $srctree/Makefile image_name)" "$tmpdir/$installed_image_path" + +vmlinux=$($MAKE -s -f $srctree/Makefile image_name) +key= +if is_enabled CONFIG_EFI_STUB && is_enabled CONFIG_MODULE_SIG; then + cert=$(grep ^CONFIG_MODULE_SIG_KEY= include/config/auto.conf | cut -d\" -f2) + if [ ! -f $cert ]; then + cert=$srctree/$cert + fi + + key=${cert%pem}priv + if [ ! -f $key ]; then + key=$cert + fi + + if ! command -v sbsign >/dev/null; then + key= + fi +fi + +if [ -n "$key" ]; then + sbsign --key $key --cert $cert "$vmlinux" --output "$tmpdir/$installed_image_path" +else + cp "$vmlinux" "$tmpdir/$installed_image_path" +fi if is_enabled CONFIG_OF_EARLY_FLATTREE; then # Only some architectures with OF support have this target -- 2.33.0