Fix module signing so secure boot works again
parent
67001e89f7
commit
7a2a6ee340
11
kernel.spec
11
kernel.spec
|
@ -62,7 +62,7 @@ Summary: The Linux kernel
|
|||
# For non-released -rc kernels, this will be appended after the rcX and
|
||||
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
|
||||
#
|
||||
%global baserelease 100
|
||||
%global baserelease 101
|
||||
%global fedora_build %{baserelease}
|
||||
|
||||
# base_sublevel is the kernel version we're starting with and patching
|
||||
|
@ -1908,13 +1908,13 @@ find Documentation -type d | xargs chmod u+w
|
|||
%define __modsign_install_post \
|
||||
if [ "%{signmodules}" -eq "1" ]; then \
|
||||
if [ "%{with_pae}" -ne "0" ]; then \
|
||||
%{modsign_cmd} signing_key.priv.sign.%{pae} signing_key.x509.sign+%{pae} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.%{pae}/ \
|
||||
%{modsign_cmd} signing_key.priv.sign.%{pae} signing_key.x509.sign.%{pae} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.%{pae}/ \
|
||||
fi \
|
||||
if [ "%{with_debug}" -ne "0" ]; then \
|
||||
%{modsign_cmd} signing_key.priv.sign.debug signing_key.x509.sign+debug $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.debug/ \
|
||||
%{modsign_cmd} signing_key.priv.sign.debug signing_key.x509.sign.debug $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.debug/ \
|
||||
fi \
|
||||
if [ "%{with_pae_debug}" -ne "0" ]; then \
|
||||
%{modsign_cmd} signing_key.priv.sign.%{pae}debug signing_key.x509.sign+%{pae}debug $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.%{pae}debug/ \
|
||||
%{modsign_cmd} signing_key.priv.sign.%{pae}debug signing_key.x509.sign.%{pae}debug $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.%{pae}debug/ \
|
||||
fi \
|
||||
if [ "%{with_up}" -ne "0" ]; then \
|
||||
%{modsign_cmd} signing_key.priv.sign signing_key.x509.sign $RPM_BUILD_ROOT/lib/modules/%{KVERREL}/ \
|
||||
|
@ -2305,6 +2305,9 @@ fi
|
|||
# and build.
|
||||
|
||||
%changelog
|
||||
* Tue Feb 25 2015 Justin M. Forbes <jforbes@fedoraproject.org> - 3.13.5-101
|
||||
* Fix module signing so secure boot works again
|
||||
|
||||
* Tue Feb 25 2014 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- Fix mounting issues on cifs (rhbz 1068862)
|
||||
|
||||
|
|
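Review bot: The changelog entry added in the last kernel.spec hunk looks malformed in two places. Its header reads `* Tue Feb 25 2015` while the entry directly below it is `* Tue Feb 25 2014`; 25 February 2015 was a Wednesday, so the year is presumably a typo for 2014. The item line starts with `*` instead of `-`, and rpm is likely to read it as a second entry header and fail to parse a date from it; it should be `- Fix module signing so secure boot works again`. On the `__modsign_install_post` hunk, a one-line comment stating that the key file suffixes must match the names the keys are saved under during the build (outside this hunk) would make a mismatch like the `+` / `.` one corrected here easier to spot.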
22
mod-sign.sh
22
mod-sign.sh
|
@ -9,20 +9,28 @@
|
|||
# This essentially duplicates the 'modules_sign' Kbuild target and runs the
|
||||
# same commands for those modules.
|
||||
|
||||
moddir=$1
|
||||
MODSECKEY=$1
|
||||
MODPUBKEY=$2
|
||||
|
||||
moddir=$3
|
||||
|
||||
modules=`find $moddir -name *.ko`
|
||||
|
||||
MODSECKEY="./signing_key.priv"
|
||||
MODPUBKEY="./signing_key.x509"
|
||||
|
||||
for mod in $modules
|
||||
do
|
||||
dir=`dirname $mod`
|
||||
file=`basename $mod`
|
||||
|
||||
./scripts/sign-file sha256 ${MODSECKEY} ${MODPUBKEY} ${dir}/${file} \
|
||||
${dir}/${file}.signed
|
||||
mv ${dir}/${file}.signed ${dir}/${file}
|
||||
./scripts/sign-file sha256 ${MODSECKEY} ${MODPUBKEY} ${dir}/${file}
|
||||
rm -f ${dir}/${file}.{sig,dig}
|
||||
done
|
||||
|
||||
RANDOMMOD=$(find $moddir -type f -name '*.ko' | sort -R | head -n 1)
|
||||
if [ "~Module signature appended~" != "$(tail -c 28 $RANDOMMOD)" ]; then
|
||||
echo "*****************************"
|
||||
echo "*** Modules are unsigned! ***"
|
||||
echo "*****************************"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
exit 0
|
||||
|
|
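Review bot: The signature check added at the end of mod-sign.sh inspects one randomly chosen module (`sort -R | head -n 1`), and neither form of the `./scripts/sign-file` call in the loop tests its exit status, so a run in which only some modules fail to sign will usually pass and ship modules that a kernel enforcing module signatures will refuse to load. Fail on the first error, `./scripts/sign-file sha256 "${MODSECKEY}" "${MODPUBKEY}" "${dir}/${file}" || exit 1`, and run the `tail -c 28` comparison on every module inside the loop instead of on a sample. The three positional parameters are used unchecked: with fewer than three arguments `$moddir` is empty and `find` walks the current directory, so a guard such as `[ $# -eq 3 ] || exit 1` before the assignments is worth adding. The top of the script lies above the hunk, so a `set -e` there cannot be ruled out from what is visible.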