d/b/gencontrol.py, d/rules.real: Restore config checks on kernels to be signed (!1077) · Merge requests · Debian kernel team / linux

Ben Hutchings requested to merge benh/linux:check-secureboot into master May 15, 2024

We must only sign kernel images that honour the Secure Boot setting. gencontrol_signed.py used to check the kernel config file to ensure that the required options (CONFIG_EFI_STUB and CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT) were enabled, but this was lost when its functionality was moved into gencontrol.py.

We must also list any certificates trusted by the kernel in files.json in the signing template. We used to generate this from the CONFIG_SYSTEM_TRUSTED_KEYS variable in kernel config, but that is now set to an empty string and gencontrol.py assumes that is the case.

To fix this:

In gencontrol.py, set CHECK_SECUREBOOT=True if the kernel image will be signed.
In rules.real, in the image setup target, if CHECK_SECUREBOOT is set, check that the final .config has the required options enabled and CONFIG_SYSTEM_TRUSTED_KEYS set to an empty string.

Fixes: 6601ee56 ("Don't trust Secure Boot key any longer") Fixes: 113582f8 ("Use early generated signing template info")

d/b/gencontrol.py, d/rules.real: Restore config checks on kernels to be signed

Merge request reports