author | Bastian Blank <waldi@debian.org> | 2021-07-27 13:46:40 +0200 |
---|---|---|
committer | Bastian Blank <waldi@debian.org> | 2021-07-28 09:58:35 +0200 |
commit | 72dab622297a435fa3aa96334d777de29d0d8322 (patch) | |
tree | e9c527e3bc6afad12f883e003b002af5fb21400c | |
parent | a1f1189163a6a0d357d244282705ff02625d4b19 (diff) | |
Specify trusted certs file in package config
-rwxr-xr-x | debian/bin/gencontrol.py | 3 | ||||
-rw-r--r-- | debian/changelog | 1 | ||||
-rw-r--r-- | debian/config/config | 4 | ||||
-rw-r--r-- | debian/config/defines | 1 | ||||
-rw-r--r-- | debian/config/featureset-rt/config | 6 |
5 files changed, 5 insertions, 10 deletions
diff --git a/debian/bin/gencontrol.py b/debian/bin/gencontrol.py
index 0963132216ab..3afe38e94f02 100755
--- a/debian/bin/gencontrol.py
+++ b/debian/bin/gencontrol.py
@@ -630,6 +630,9 @@ class Gencontrol(Base):
 # Add "salt" to fix #872263
 makeflags['KCONFIG_OPTIONS'] += \
 ' -o "BUILD_SALT=\\"%(abiname)s%(localversion)s\\""' % vars
+ if config_entry_build.get('trusted-certs'):
+ makeflags['KCONFIG_OPTIONS'] += \
+ f' -o "SYSTEM_TRUSTED_KEYS=\\"${{CURDIR}}/{config_entry_build["trusted-certs"]}\\""'
 cmds_binary_arch = ["$(MAKE) -f debian/rules.real binary-arch-flavour "
 "%s" %
diff --git a/debian/changelog b/debian/changelog
index bd322fc5ae00..998ac4658d9a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,7 @@
 linux (5.10.46-4) UNRELEASED; urgency=medium
 * Always build-depend on native libelf-dev.
+ * Specify trusted certs file in package config.
 -- Bastian Blank <waldi@debian.org> Thu, 27 May 2021 12:25:51 +0200
diff --git a/debian/config/config b/debian/config/config
index 7ac1a23f12d9..92b7c13a1a5a 100644
--- a/debian/config/config
+++ b/debian/config/config
@@ -66,10 +66,6 @@ CONFIG_EFI_PARTITION=y
 ##
 #. Signatures are added in linux-signed
 CONFIG_MODULE_SIG_KEY=""
-#. Actually a file containing X.509 certificates, not keys.
-#. Whenever the filename changes, this also needs to be updated in
-#. debian/featureset-*/config
-CONFIG_SYSTEM_TRUSTED_KEYS="debian/certs/debian-uefi-certs.pem"
 #. Add secondary keyring with keys from UEFI db and MOK.
 CONFIG_SECONDARY_TRUSTED_KEYRING=y
 CONFIG_SYSTEM_BLACKLIST_KEYRING=y
diff --git a/debian/config/defines b/debian/config/defines
index e6b024f8c774..af693df946ee 100644
--- a/debian/config/defines
+++ b/debian/config/defines
@@ -149,6 +149,7 @@ featuresets:
 debug-info: true
 # Disable code signing by default; this can be overridden per-architecture
 signed-code: false
+trusted-certs: debian/certs/debian-uefi-certs.pem
 [featureset-rt_base]
 enabled: true
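Review bot: The added `if config_entry_build.get('trusted-certs'):` branch leaves `SYSTEM_TRUSTED_KEYS` unset without any message when the key is missing or empty, while the same commit removes the `CONFIG_SYSTEM_TRUSTED_KEYS` lines from `debian/config/config` and `debian/config/featureset-rt/config`; a derived configuration that drops `trusted-certs` from its defines would then presumably fall back to the Kconfig default and build without the Debian certificates in the built-in trusted keyring. I would record that above the branch, for example `# Without trusted-certs the kernel keeps the Kconfig default for SYSTEM_TRUSTED_KEYS (no certs built in)`, or raise when the entry is empty if that is never intended. The value is also interpolated into a doubly quoted make/shell fragment as-is, so a path containing `"`, `$` or whitespace would corrupt `KCONFIG_OPTIONS`; worth stating in the comment that the path must be a plain relative path under the source tree. The enclosing method of `Gencontrol` starts and ends outside this hunk.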
diff --git a/debian/config/featureset-rt/config b/debian/config/featureset-rt/config
index 731d4fcdd080..b1d657f8b7b6 100644
--- a/debian/config/featureset-rt/config
+++ b/debian/config/featureset-rt/config
@@ -1,10 +1,4 @@
 ##
-## file: certs/Kconfig
-##
-#. Certificate paths are resolved relative to debian/build/source_rt
-CONFIG_SYSTEM_TRUSTED_KEYS="../../certs/debian-uefi-certs.pem"
-
-##
 ## file: kernel/Kconfig.preempt
 ##
 ## choice: Preemption Model |