[1/3] meta/recipes-kernel/linux-module: Allow use of external scripts to sign modules

Message ID 20250123145131.1142290-2-gokhan.cetin@siemens.com
State Accepted, archived
Series Allow use of external scripts to sign modules | expand

Commit Message

Gokhan Cetin Jan. 23, 2025, 2:51 p.m. UTC
This facilitates the integration of scripts developed for signing solutions such as HSMs,
where private keys are not accessible, and allows the use of detached signatures
produced by such solutions.

Signed-off-by: Gokhan Cetin <gokhan.cetin@siemens.com>
---
 meta/recipes-kernel/linux-module/files/debian/rules.tmpl | 4 ++++
 meta/recipes-kernel/linux-module/module.inc              | 2 ++
 2 files changed, 6 insertions(+)

Patch

diff --git a/meta/recipes-kernel/linux-module/files/debian/rules.tmpl b/meta/recipes-kernel/linux-module/files/debian/rules.tmpl
index ad743437..30d7ce0f 100755
--- a/meta/recipes-kernel/linux-module/files/debian/rules.tmpl
+++ b/meta/recipes-kernel/linux-module/files/debian/rules.tmpl
@@ -56,6 +56,10 @@  endif
 ifneq ($(filter pkg.sign,$(DEB_BUILD_PROFILES)),)
 	find . -name "*.ko" -print -exec $(KDIR)/scripts/sign-file ${SIGNATURE_HASHFN} ${SIGNATURE_KEYFILE} ${SIGNATURE_CERTFILE} {} \;
 endif
+ifneq ($(filter pkg.signwith,$(DEB_BUILD_PROFILES)),)
+	find . -name "*.ko" | xargs -i ${SIGNATURE_SIGNWITH} {} {}.signature ${SIGNATURE_HASHFN} ${SIGNATURE_CERTFILE}
+	find . -name "*.ko" | xargs -i $(KDIR)/scripts/sign-file -s {}.signature ${SIGNATURE_HASHFN} ${SIGNATURE_CERTFILE} {}
+endif
 
 override_dh_auto_install:
 	$(MAKE) -C $(KDIR) M=${MODULE_DIR} INSTALL_MOD_PATH=$(PWD)/debian/${PN} modules_install
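Review bot: The `pkg.signwith` branch runs `${SIGNATURE_SIGNWITH}` without checking that it is set, and module.inc defaults it to an empty string; with the profile enabled and the variable empty, the first `xargs` line would take the `.ko` path itself as the command to run, so the build stops with a confusing error rather than a clear one. A guard as the first line of the branch would make the requirement explicit, e.g. `test -n "${SIGNATURE_SIGNWITH}" || { echo "SIGNATURE_SIGNWITH must be set for pkg.signwith" >&2; exit 1; }`. Both pipelines also use the deprecated `xargs -i` on newline-separated names, where quotes or backslashes in a path are interpreted by xargs; `find . -name "*.ko" -print0 | xargs -0 -I{} ...` is the safer form. Nothing in the visible lines stops `pkg.sign` and `pkg.signwith` from both being active, in which case each module would apparently be signed twice, so that combination is worth rejecting or documenting. The enclosing build target starts above the hunk.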
diff --git a/meta/recipes-kernel/linux-module/module.inc b/meta/recipes-kernel/linux-module/module.inc
index 3e8e5e7a..d7432bf7 100644
--- a/meta/recipes-kernel/linux-module/module.inc
+++ b/meta/recipes-kernel/linux-module/module.inc
@@ -25,6 +25,7 @@  DEB_BUILD_OPTIONS += "noautodbgsym"
 SIGNATURE_KEYFILE ??= ""
 SIGNATURE_CERTFILE ??= ""
 SIGNATURE_HASHFN ??= "sha256"
+SIGNATURE_SIGNWITH ??= ""
 
 SRC_URI += "file://debian/"
 
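Review bot: `SIGNATURE_SIGNWITH` is added without a comment saying what it must point to or how it is invoked. From the rules.tmpl change in this patch, the script is called as `<script> <module.ko> <module.ko>.signature <hashfn> <certfile>` and the file it writes is then handed to `sign-file -s`, and the variable only takes effect with the `pkg.signwith` build profile. A short comment above the assignment would save integrators from reading the template, for example `# External signing script for the pkg.signwith profile; called as: <script> <module> <signature-out> <hashfn> <certfile>`.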
@@ -57,6 +58,7 @@  TEMPLATE_VARS += " \
     SIGNATURE_KEYFILE \
     SIGNATURE_CERTFILE \
     SIGNATURE_HASHFN \
+    SIGNATURE_SIGNWITH \
     PN \
     DEBIAN_COMPAT"