Brad Bishop | 26bdd44 | 2019-08-16 17:08:17 -0400 | [diff] [blame] | 1 | # No default! Either this or MODSIGN_PRIVKEY/MODSIGN_X509 have to be |
| 2 | # set explicitly in a local.conf before activating kernel-modsign. |
| 3 | # To use the insecure (because public) example keys, use |
| 4 | # MODSIGN_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys" |
Andrew Geissler | d159c7f | 2021-09-02 21:05:58 -0500 | [diff] [blame^] | 5 | MODSIGN_KEY_DIR ??= "MODSIGN_KEY_DIR_NOT_SET" |
Brad Bishop | 26bdd44 | 2019-08-16 17:08:17 -0400 | [diff] [blame] | 6 | |
| 7 | # Private key for modules signing. The default is okay when |
| 8 | # using the example key directory. |
| 9 | MODSIGN_PRIVKEY ?= "${MODSIGN_KEY_DIR}/privkey_modsign.pem" |
| 10 | |
| 11 | # Public part of certificates used for modules signing. |
| 12 | # The default is okay when using the example key directory. |
| 13 | MODSIGN_X509 ?= "${MODSIGN_KEY_DIR}/x509_modsign.crt" |
| 14 | |
| 15 | # If this class is enabled, disable stripping signatures from modules |
| 16 | INHIBIT_PACKAGE_STRIP = "1" |
| 17 | |
Patrick Williams | 213cb26 | 2021-08-07 19:21:33 -0500 | [diff] [blame] | 18 | kernel_do_configure:prepend() { |
Brad Bishop | 26bdd44 | 2019-08-16 17:08:17 -0400 | [diff] [blame] | 19 | if [ -f "${MODSIGN_PRIVKEY}" -a -f "${MODSIGN_X509}" ]; then |
| 20 | cat "${MODSIGN_PRIVKEY}" "${MODSIGN_X509}" \ |
| 21 | > "${B}/modsign_key.pem" |
| 22 | else |
| 23 | bberror "Either modsign key or certificate are invalid" |
| 24 | fi |
| 25 | } |
| 26 | |
Patrick Williams | 213cb26 | 2021-08-07 19:21:33 -0500 | [diff] [blame] | 27 | do_shared_workdir:append() { |
Brad Bishop | 26bdd44 | 2019-08-16 17:08:17 -0400 | [diff] [blame] | 28 | cp modsign_key.pem $kerneldir/ |
| 29 | } |