[linux-signed] 02/02: debian/bin/sign.py: Only sign vmlinuz if EFI_SECURE_BOOT_SECURELEVEL=y
debian-kernel at lists.debian.org
Thu Nov 3 20:17:37 UTC 2016
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch sid
in repository linux-signed.
commit e515ada2a38548a8e16f36b72e3c71dc19bd0102
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Thu Nov 3 13:52:11 2016 -0600
debian/bin/sign.py: Only sign vmlinuz if EFI_SECURE_BOOT_SECURELEVEL=y
We shouldn't be signing kernels that don't implement securelevel,
since that signature is supposed to mean they're trusted not to load
arbitrary code. The code-sign branch of linux already applies this
condition when deciding whether to upload vmlinuz for signing by dak.
Further, the one architecture that has EFI enabled but not
EFI_SECURE_BOOT_SECURELEVEL is armhf. Some armhf devices require an
appended FDT, which doesn't seem to work if a signature has previously
been appended.
---
debian/bin/sign.py | 3 ++-
debian/changelog | 6 ++++++
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/debian/bin/sign.py b/debian/bin/sign.py
index 5a29108..b5c201b 100755
--- a/debian/bin/sign.py
+++ b/debian/bin/sign.py
@@ -212,7 +212,8 @@ def sign(config_name, imageversion_str, modules_privkey_name, modules_cert_name,
'boot/config-%s' % kernelversion)) \
as kconfig_file:
kconfig = kconfig_file.readlines()
- if 'CONFIG_EFI_STUB=y\n' in kconfig:
+ if ('CONFIG_EFI_STUB=y\n' in kconfig and
+ 'CONFIG_EFI_SECURE_BOOT_SECURELEVEL=y\n' in kconfig):
sign_image_efi('%s/boot/vmlinuz-%s' %
(package_dir, kernelversion),
'%s/boot/vmlinuz-%s.sig' %
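Review bot: The new condition in sign() silently skips the EFI signature when CONFIG_EFI_STUB=y but CONFIG_EFI_SECURE_BOOT_SECURELEVEL is not set, so a build that unexpectedly ends up without a vmlinuz signature gives no hint why. Consider an explicit else branch that prints a short note, e.g. "not signing vmlinuz-%s: EFI_SECURE_BOOT_SECURELEVEL not enabled", so the skip is visible in the build log. The commit message also says the code-sign branch of linux applies the same condition when deciding what to upload to dak; since the two checks now have to stay in sync, a comment next to this condition pointing at that other location would help prevent the two drifting apart.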
diff --git a/debian/changelog b/debian/changelog
index 94e6dc2..8a35d23 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+linux-signed (3.2) UNRELEASED; urgency=medium
+
+ * debian/bin/sign.py: Only sign vmlinuz if EFI_SECURE_BOOT_SECURELEVEL=y
+
+ -- Ben Hutchings <ben at decadent.org.uk> Thu, 03 Nov 2016 13:51:45 -0600
+
linux-signed (3.1) unstable; urgency=medium
* udeb: Add Built-Using field
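Review bot: The changelog entry states the new rule but not its user-visible effect; since armhf is the one architecture with EFI enabled but without EFI_SECURE_BOOT_SECURELEVEL, its vmlinuz will no longer be signed after this change. A second bullet line noting that (and the appended-FDT reason given in the commit message) would let users of linux-signed on armhf understand the change from the changelog alone.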