The aarch64 kernel is a gzip'ed EFI image, this means that pesign needs to sign the original image and then zip it for grub to be able to validate the kernel image.
Signed-off-by: Jeremy Linton jeremy.linton@arm.com
---
kernel.spec | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/kernel.spec b/kernel.spec index 25e4676a..e6601758 100644 --- a/kernel.spec +++ b/kernel.spec @@ -10,7 +10,7 @@ Summary: The Linux kernel
# Sign modules on x86. Make sure the config files match this setting if more # architectures are added. -%ifarch %{ix86} x86_64 +%ifarch %{ix86} x86_64 aarch64 %global signkernel 1 %global signmodules 1 %global zipmodules 1 @@ -1288,13 +1288,26 @@ BuildKernel() { cp arch/$Arch/boot/zImage.stub $RPM_BUILD_ROOT/lib/modules/$KernelVer/zImage.stub-$KernelVer || : fi %if %{signkernel} + # aarch64 kernels are gziped EFI images + KernelExtension=${KernelImage##*.} + if [ "$KernelExtension" == "gz" ]; then + SignImage=${KernelImage%.*} + else + SignImage=$KernelImage + fi + # Sign the image if we're using EFI - %pesign -s -i $KernelImage -o vmlinuz.signed + %pesign -s -i $SignImage -o vmlinuz.signed if [ ! -s vmlinuz.signed ]; then echo "pesigning failed" exit 1 fi - mv vmlinuz.signed $KernelImage + mv vmlinuz.signed $SignImage + + if [ "$KernelExtension" == "gz" ]; then + gzip -f9 $SignImage + fi + %endif $CopyKernel $KernelImage \ $RPM_BUILD_ROOT/%{image_install_path}/$InstallName-$KernelVer
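Review bot: the comment above the %ifarch line in the first hunk still says "Sign modules on x86", but the condition now includes aarch64 and the same block turns on signkernel, signmodules and zipmodules together. Please update the comment to name the architectures and to say that it also controls kernel image signing. The comment itself asks that the config files match this setting when architectures are added, and the diffstat shows only kernel.spec changing, so the aarch64 configs should be checked or updated in the same series.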
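Review bot: in the BuildKernel hunk, "SignImage=${KernelImage%.*}" assumes an uncompressed image already sits beside $KernelImage, and nothing in these lines decompresses it or checks that it exists and is current. If it is missing, the only symptom is the generic "pesigning failed"; if it is stale, the wrong file gets signed and shipped. Consider testing [ -s "$SignImage" ] before %pesign with a message that names the file, or decompressing $KernelImage explicitly. Two smaller points in the same hunk: "gzip -f9 $SignImage" stores the file name and mtime in the gzip header, so adding -n keeps the signed package reproducible, and the expansions of $SignImage and $KernelImage should be quoted, with "=" instead of "==" inside [ ] for portability.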
On Tue, Oct 23, 2018 at 11:56 PM Jeremy Linton jeremy.linton@arm.com wrote:
The aarch64 kernel is a gzip'ed EFI image, this means that pesign needs to sign the original image and then zip it for grub to be able to validate the kernel image.
So ATM we don't have the actual HW which contains the signing keys available on aarch64 to sign the kernels with, so we can't do this just yet. I will open an infrastructure ticket so we can start to move this forward though.
Signed-off-by: Jeremy Linton jeremy.linton@arm.com
kernel.spec | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/kernel.spec b/kernel.spec index 25e4676a..e6601758 100644 --- a/kernel.spec +++ b/kernel.spec @@ -10,7 +10,7 @@ Summary: The Linux kernel
# Sign modules on x86. Make sure the config files match this setting if more # architectures are added. -%ifarch %{ix86} x86_64 +%ifarch %{ix86} x86_64 aarch64 %global signkernel 1 %global signmodules 1 %global zipmodules 1 @@ -1288,13 +1288,26 @@ BuildKernel() { cp arch/$Arch/boot/zImage.stub $RPM_BUILD_ROOT/lib/modules/$KernelVer/zImage.stub-$KernelVer || : fi %if %{signkernel}
- # aarch64 kernels are gziped EFI images
- KernelExtension=${KernelImage##*.}
- if [ "$KernelExtension" == "gz" ]; then
SignImage=${KernelImage%.*}
- else
SignImage=$KernelImage
- fi
- # Sign the image if we're using EFI
- %pesign -s -i $KernelImage -o vmlinuz.signed
- %pesign -s -i $SignImage -o vmlinuz.signed if [ ! -s vmlinuz.signed ]; then echo "pesigning failed" exit 1 fi
- mv vmlinuz.signed $KernelImage
- mv vmlinuz.signed $SignImage
- if [ "$KernelExtension" == "gz" ]; then
gzip -f9 $SignImage
Why gzip? Could this be xz?
- fi
- %endif $CopyKernel $KernelImage \ $RPM_BUILD_ROOT/%{image_install_path}/$InstallName-$KernelVer
--
2.19.1
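A build-side check for the sign-then-compress order described in the patch message, as an added example that is not part of the original thread or of the Fedora spec file: it peels the gzip wrapper and reads the PE certificate table entry of the EFI image inside. The function names and the sample image are constructed for illustration, and the check reports whether a signature table is present, not whether the signature is valid.

```python
import gzip
import struct

CERT_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY in the PE data directories

def cert_table(blob: bytes) -> tuple:
    """Return (file_offset, size) of the PE certificate table; (0, 0) = unsigned."""
    # The signature lives inside the PE image, so peel the gzip wrapper first.
    image = gzip.decompress(blob) if blob[:2] == b"\x1f\x8b" else blob
    if image[:2] != b"MZ":
        raise ValueError("payload is not a PE/EFI image")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)     # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = pe_off + 24                                     # past signature + COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (112 if magic == 0x20B else 96)          # PE32+ vs PE32 layout
    (count,) = struct.unpack_from("<I", image, dirs - 4)  # NumberOfRvaAndSizes
    if count <= CERT_DIR_INDEX:
        return (0, 0)
    return struct.unpack_from("<II", image, dirs + 8 * CERT_DIR_INDEX)

def sample_image(signed: bool) -> bytes:
    """Constructed 512-byte PE32+ header stub for the demo, not a real kernel."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)               # e_lfanew -> 0x40
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x44, 0xAA64)             # machine: ARM64
    opt = 0x40 + 24
    struct.pack_into("<H", img, opt, 0x20B)               # PE32+
    struct.pack_into("<I", img, opt + 108, 16)            # 16 data directories
    if signed:
        # Placeholder WIN_CERTIFICATE header only; carries no real signature.
        struct.pack_into("<II", img, opt + 112 + 8 * CERT_DIR_INDEX, 0x200, 8)
        img += struct.pack("<IHH", 8, 0x0200, 0x0002)
    return bytes(img)

if __name__ == "__main__":
    for name, blob in (("unsigned", sample_image(False)),
                       ("signed+gzip", gzip.compress(sample_image(True)))):
        print(name, cert_table(blob))
```

Run against the packaged vmlinuz, a result of (0, 0) means the image that was compressed had not been signed first.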