[linux-signed] 02/02: debian/bin/sign.py: Only sign vmlinuz if EFI_SECURE_BOOT_SECURELEVEL=y

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Thu Nov 3 20:17:37 UTC 2016


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch sid
in repository linux-signed.

commit e515ada2a38548a8e16f36b72e3c71dc19bd0102
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Thu Nov 3 13:52:11 2016 -0600

    debian/bin/sign.py: Only sign vmlinuz if EFI_SECURE_BOOT_SECURELEVEL=y
    
    We shouldn't be signing kernels that don't implement securelevel,
    since that signature is supposed to mean they're trusted not to load
    arbitrary code.  The code-sign branch of linux already applies this
    condition when deciding whether to upload vmlinuz for signing by dak.
    
    Further, the one architecture that has EFI enabled but not
    EFI_SECURE_BOOT_SECURELEVEL is armhf.  Some armhf devices require an
    appended FDT, which doesn't seem to work if a signature has previously
    been appended.
---
 debian/bin/sign.py | 3 ++-
 debian/changelog   | 6 ++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/debian/bin/sign.py b/debian/bin/sign.py
index 5a29108..b5c201b 100755
--- a/debian/bin/sign.py
+++ b/debian/bin/sign.py
@@ -212,7 +212,8 @@ def sign(config_name, imageversion_str, modules_privkey_name, modules_cert_name,
                                        'boot/config-%s' % kernelversion)) \
                      as kconfig_file:
                     kconfig = kconfig_file.readlines()
-                if 'CONFIG_EFI_STUB=y\n' in kconfig:
+                if ('CONFIG_EFI_STUB=y\n' in kconfig and
+                    'CONFIG_EFI_SECURE_BOOT_SECURELEVEL=y\n' in kconfig):
                     sign_image_efi('%s/boot/vmlinuz-%s' %
                                    (package_dir, kernelversion),
                                    '%s/boot/vmlinuz-%s.sig' %
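Review bot: the widened condition in sign() skips sign_image_efi() without leaving any trace when a config has CONFIG_EFI_STUB=y but lacks CONFIG_EFI_SECURE_BOOT_SECURELEVEL=y, and no else branch is visible in this hunk. A one-line message naming the skipped config would show in the build log that the missing vmlinuz signature is intentional. A short comment above the `if`, saying that a signature implies securelevel enforcement and that the code-sign branch of linux applies the same condition, would help keep the two checks from drifting apart. Both tests are exact-line matches against the readlines() output, so any line that deviates from the expected form simply fails to match, which is the safe direction here because the result is an unsigned image rather than a wrongly signed one.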
diff --git a/debian/changelog b/debian/changelog
index 94e6dc2..8a35d23 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+linux-signed (3.2) UNRELEASED; urgency=medium
+
+  * debian/bin/sign.py: Only sign vmlinuz if EFI_SECURE_BOOT_SECURELEVEL=y
+
+ -- Ben Hutchings <ben at decadent.org.uk>  Thu, 03 Nov 2016 13:51:45 -0600
+
 linux-signed (3.1) unstable; urgency=medium
 
   * udeb: Add Built-Using field
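Review bot: the new 3.2 changelog entry states the condition but not its effect on the shipped packages. According to the commit message, the one architecture affected is armhf, which has EFI enabled without EFI_SECURE_BOOT_SECURELEVEL. Consider extending the bullet to say that a vmlinuz signature is no longer produced for such configurations, so that someone looking for the missing .sig file finds the reason in the changelog.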

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux-signed.git


