On Tue, Oct 23, 2018 at 11:56 PM Jeremy Linton <jeremy.linton(a)arm.com> wrote:
The aarch64 kernel is a gzip'ed EFI image, this means
that pesign needs to sign the original image and then
zip it for grub to be able to validate the kernel image.
So ATM we don't have the actual HW which contains the signing keys
available on aarch64 so to sign with the kernels so we can't do this
just yet. I will open an infrastructure ticker so we can start to move
this forward though.
Signed-off-by: Jeremy Linton <jeremy.linton(a)arm.com>
---
kernel.spec | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/kernel.spec b/kernel.spec
index 25e4676a..e6601758 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -10,7 +10,7 @@ Summary: The Linux kernel
# Sign modules on x86. Make sure the config files match this setting if more
# architectures are added.
-%ifarch %{ix86} x86_64
+%ifarch %{ix86} x86_64 aarch64
%global signkernel 1
%global signmodules 1
%global zipmodules 1
@@ -1288,13 +1288,26 @@ BuildKernel() {
cp arch/$Arch/boot/zImage.stub
$RPM_BUILD_ROOT/lib/modules/$KernelVer/zImage.stub-$KernelVer || :
fi
%if %{signkernel}
+ # aarch64 kernels are gziped EFI images
+ KernelExtension=${KernelImage##*.}
+ if [ "$KernelExtension" == "gz" ]; then
+ SignImage=${KernelImage%.*}
+ else
+ SignImage=$KernelImage
+ fi
+
# Sign the image if we're using EFI
- %pesign -s -i $KernelImage -o vmlinuz.signed
+ %pesign -s -i $SignImage -o vmlinuz.signed
if [ ! -s vmlinuz.signed ]; then
echo "pesigning failed"
exit 1
fi
- mv vmlinuz.signed $KernelImage
+ mv vmlinuz.signed $SignImage
+
+ if [ "$KernelExtension" == "gz" ]; then
+ gzip -f9 $SignImage
Why gzip? Could this be xz?
> + fi
> +
> %endif
> $CopyKernel $KernelImage \
> $RPM_BUILD_ROOT/%{image_install_path}/$InstallName-$KernelVer
> --
> 2.19.1
> _______________________________________________
> kernel mailing list -- kernel(a)lists.fedoraproject.org
> To unsubscribe send an email to kernel-leave(a)lists.fedoraproject.org
> Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedoraproject.org/archives/list/kernel@lists.fedoraproject.org