Blame - meta-security/meta-integrity/classes/kernel-modsign.bbclass - openbmc/openbmc

blob: 09025baa7db9e47defc7fa47f5e54b76a3151e21 [file] [log] [blame]

Brad Bishop	26bdd44	2019-08-16 17:08:17 -0400	[diff] [blame^]	1	# No default! Either this or MODSIGN_PRIVKEY/MODSIGN_X509 have to be
				2	# set explicitly in a local.conf before activating kernel-modsign.
				3	# To use the insecure (because public) example keys, use
				4	# MODSIGN_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
				5	MODSIGN_KEY_DIR ?= "MODSIGN_KEY_DIR_NOT_SET"
				6
				7	# Private key for modules signing. The default is okay when
				8	# using the example key directory.
				9	MODSIGN_PRIVKEY ?= "${MODSIGN_KEY_DIR}/privkey_modsign.pem"
				10
				11	# Public part of certificates used for modules signing.
				12	# The default is okay when using the example key directory.
				13	MODSIGN_X509 ?= "${MODSIGN_KEY_DIR}/x509_modsign.crt"
				14
				15	# If this class is enabled, disable stripping signatures from modules
				16	INHIBIT_PACKAGE_STRIP = "1"
				17
				18	kernel_do_configure_prepend() {
				19	if [ -f "${MODSIGN_PRIVKEY}" -a -f "${MODSIGN_X509}" ]; then
				20	cat "${MODSIGN_PRIVKEY}" "${MODSIGN_X509}" \
				21	> "${B}/modsign_key.pem"
				22	else
				23	bberror "Either modsign key or certificate are invalid"
				24	fi
				25	}
				26
				27	do_shared_workdir_append() {
				28	cp modsign_key.pem $kerneldir/
				29	}