1# No default! Either this or MODSIGN_PRIVKEY/MODSIGN_X509 have to be 2# set explicitly in a local.conf before activating kernel-modsign. 3# To use the insecure (because public) example keys, use 4# MODSIGN_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys" 5MODSIGN_KEY_DIR ??= "MODSIGN_KEY_DIR_NOT_SET" 6 7# Private key for modules signing. The default is okay when 8# using the example key directory. 9MODSIGN_PRIVKEY ?= "${MODSIGN_KEY_DIR}/privkey_modsign.pem" 10 11# Public part of certificates used for modules signing. 12# The default is okay when using the example key directory. 13MODSIGN_X509 ?= "${MODSIGN_KEY_DIR}/x509_modsign.crt" 14 15# If this class is enabled, disable stripping signatures from modules 16INHIBIT_PACKAGE_STRIP = "1" 17 18kernel_do_configure:prepend() { 19 if [ -f "${MODSIGN_PRIVKEY}" -a -f "${MODSIGN_X509}" ]; then 20 cat "${MODSIGN_PRIVKEY}" "${MODSIGN_X509}" \ 21 > "${B}/modsign_key.pem" 22 else 23 bberror "Either modsign key or certificate are invalid" 24 fi 25} 26 27do_shared_workdir:append() { 28 cp modsign_key.pem $kerneldir/ 29} 30