mirror of
https://github.com/vyos/vyos-build.git
synced 2025-10-01 20:28:40 +02:00
The shim review board (which is the secure boot base loader) recommends using ephemeral keys when signing the Linux Kernel. This commit enables the Kernel build system to generate a one-time ephemeral key that is used to:

* sign all built-in Kernel modules
* sign all other out-of-tree Kernel modules

The key lives in /tmp and is destroyed after the build container exits and is named: "VyOS build time autogenerated kernel key".

In addition the Kernel now uses CONFIG_MODULE_SIG_FORCE. This now makes it unable to load any Kernel Module to the image that is NOT signed by the ephemeral key.
10 lines
207 B
Bash
Executable File
#!/bin/sh

echo I: Creating Linux Kernel symbolic links
cd /boot
ln -s initrd.img-* initrd.img
ln -s vmlinuz-* vmlinuz

echo I: Remove Linux Kernel symbolic link to source folder
rm -rf /lib/modules/*/build
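The commit message above states that every module in the image must be signed by the ephemeral key named "VyOS build time autogenerated kernel key". The following is an added example, not part of vyos-build: a POSIX shell function that audits a module tree such as /lib/modules and reports any module whose signer differs. The function name and the MODINFO override are assumptions of this example, and it relies on the signer field reported by modinfo.

```sh
#!/bin/sh
# Added example: audit a module tree for modules that were not signed
# by the build-time key. EXPECTED_SIGNER is the key name given in the
# commit message; MODINFO is an assumption of this example so the
# lookup command can be replaced.
EXPECTED_SIGNER="VyOS build time autogenerated kernel key"
MODINFO="${MODINFO:-modinfo}"

# Print every module file under $1 whose signer is not EXPECTED_SIGNER.
# Returns 0 when all modules match, 1 when any module is unsigned or
# signed by another key, 2 when no modules are found (an empty tree is
# not treated as a pass).
audit_module_signers() {
    root=$1
    list=$(mktemp) || return 2
    find "$root" -type f \( -name '*.ko' -o -name '*.ko.*' \) > "$list"
    total=0
    bad=0
    while IFS= read -r mod; do
        total=$((total + 1))
        # modinfo prints nothing for this field on an unsigned module.
        signer=$("$MODINFO" -F signer "$mod" 2>/dev/null) || signer=""
        if [ "$signer" != "$EXPECTED_SIGNER" ]; then
            bad=$((bad + 1))
            printf 'NOT TRUSTED: %s (signer: %s)\n' "$mod" "${signer:-none}"
        fi
    done < "$list"
    rm -f "$list"
    [ "$total" -gt 0 ] || return 2
    [ "$bad" -eq 0 ]
}

# Audit a tree when one is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_module_signers "$1"
fi
```

Run it against the module directory of the finished image; a non-zero exit status means at least one module does not carry the expected signer, or that no modules were found.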