mirror of
https://git.yoctoproject.org/meta-security
synced 2026-01-12 03:10:13 +00:00
c1c80cf0c0
Starting with [1] kernel modules symbols is being slipped in OE-core and this breaks the kernel modules sign, so disable it. [1] https://git.openembedded.org/openembedded-core/commit/?id=e09a8fa931fe617afc05bd5e00dca5dd3fe386e8 Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> Signed-off-by: Armin Kuster <akuster808@gmail.com>
32 lines
1.1 KiB
Plaintext
32 lines
1.1 KiB
Plaintext
# No default! Either this or MODSIGN_PRIVKEY/MODSIGN_X509 have to be
|
|
# set explicitly in a local.conf before activating kernel-modsign.
|
|
# To use the insecure (because public) example keys, use
|
|
# MODSIGN_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
|
|
MODSIGN_KEY_DIR ??= "MODSIGN_KEY_DIR_NOT_SET"
|
|
|
|
# Private key for modules signing. The default is okay when
|
|
# using the example key directory.
|
|
MODSIGN_PRIVKEY ?= "${MODSIGN_KEY_DIR}/privkey_modsign.pem"
|
|
|
|
# Public part of certificates used for modules signing.
|
|
# The default is okay when using the example key directory.
|
|
MODSIGN_X509 ?= "${MODSIGN_KEY_DIR}/x509_modsign.crt"
|
|
|
|
# If this class is enabled, disable stripping signatures from modules
|
|
# as well disable the debug symbols split
|
|
INHIBIT_PACKAGE_STRIP = "1"
|
|
INHIBIT_PACKAGE_DEBUG_SPLIT = "1"
|
|
|
|
kernel_do_configure:prepend() {
|
|
if [ -f "${MODSIGN_PRIVKEY}" -a -f "${MODSIGN_X509}" ]; then
|
|
cat "${MODSIGN_PRIVKEY}" "${MODSIGN_X509}" \
|
|
> "${B}/modsign_key.pem"
|
|
else
|
|
bberror "Either modsign key or certificate are invalid"
|
|
fi
|
|
}
|
|
|
|
do_shared_workdir:append() {
|
|
cp modsign_key.pem $kerneldir/
|
|
}
|