File: README.source

package: linux-signed 4.4~bpo8+1 (area: main; in suites: jessie-backports)
NOTE: This package can only be updated by the holder of a signing key
trusted by the linux-image packages.  This is currently Ben Hutchings,
but in future it will be the FTP masters.

All signatures are made at source preparation time, not during a
build.  This avoids the need to expose signing keys to buildds and
allows reproducible builds.

When preparing a source package, you will need python3-debian,
sbsigntool and the appropriate versions of the linux-kbuild and
linux-support packages installed.  All the linux-image packages must
have already been built (but not installed).

To generate a key pair and a *self-signed* certificate for testing,
run:

    openssl genrsa -out foo.key.priv.pem 2048
    openssl req -key foo.key.priv.pem -out foo.req.pem -new
    openssl x509 -in foo.req.pem -req -signkey foo.key.priv.pem -out foo.cer.pem

For module signing you need a DER format certificate, so add
'-outform der' to the last command.  Note that 'openssl x509 -req'
makes the certificate valid for only 30 days unless you also pass
'-days'.
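The key generation above, carried through as an added example that is not part of the linux-signed package: it produces the RSA key, a self-signed certificate in PEM form (for KERNEL_IMAGE_CERT) and the same certificate in DER form (for module signing), then checks the result before the file names go into debian/rules.defs.  It assumes only that openssl is installed; the directory, file names and certificate subject are made up for this example.

```shell
#!/bin/sh
# Added example, not part of the linux-signed package: create a test key
# pair and self-signed certificate as README.source describes, emit the
# certificate in both PEM and DER form, and sanity-check the files before
# their names go into debian/rules.defs.  Assumes 'openssl' is installed;
# the directory, file names and subject are made up for this example.
set -eu

# make_test_keys DIR NAME: writes DIR/NAME.key.priv.pem (RSA private key),
# DIR/NAME.cer.pem (self-signed X.509, PEM) and DIR/NAME.cer.der (the same
# certificate, DER).  -subj keeps 'openssl req' non-interactive; -days is
# given explicitly because 'openssl x509 -req' defaults to 30 days.
make_test_keys() {
    dir=$1
    name=$2
    openssl genrsa -out "$dir/$name.key.priv.pem" 2048 2>/dev/null
    openssl req -new -key "$dir/$name.key.priv.pem" \
        -subj "/CN=$name test signing key" -out "$dir/$name.req.pem" 2>/dev/null
    openssl x509 -req -in "$dir/$name.req.pem" -signkey "$dir/$name.key.priv.pem" \
        -days 3650 -out "$dir/$name.cer.pem" 2>/dev/null
    # Convert rather than sign a second time, so PEM and DER are the same
    # certificate (another '-req' run would get a new serial and timestamps).
    openssl x509 -in "$dir/$name.cer.pem" -outform der -out "$dir/$name.cer.der"
}

# check_test_keys DIR NAME: fails unless the PEM and DER files carry the
# same certificate and that certificate's public key belongs to the
# private key.  On success prints the certificate's SHA-256 fingerprint.
check_test_keys() {
    dir=$1
    name=$2
    fp_pem=$(openssl x509 -in "$dir/$name.cer.pem" -noout -fingerprint -sha256)
    fp_der=$(openssl x509 -in "$dir/$name.cer.der" -inform der -noout -fingerprint -sha256)
    if [ "$fp_pem" != "$fp_der" ]; then
        echo "$name: PEM and DER certificates differ" >&2
        return 1
    fi
    # The modulus is printed identically for the cert and for an RSA key;
    # 'openssl rsa' also fails outright if the key is not RSA at all.
    mod_cert=$(openssl x509 -in "$dir/$name.cer.pem" -noout -modulus)
    mod_key=$(openssl rsa -in "$dir/$name.key.priv.pem" -noout -modulus 2>/dev/null)
    if [ "$mod_cert" != "$mod_key" ]; then
        echo "$name: certificate public key does not match private key" >&2
        return 1
    fi
    echo "$fp_pem"
}

# Usage: sh make-test-keys.sh DIR NAME
if [ "$#" -eq 2 ]; then
    make_test_keys "$1" "$2"
    check_test_keys "$1" "$2"
fi
```

The modulus comparison is the check worth keeping: a certificate listed in CONFIG_SYSTEM_TRUSTED_KEYS that does not belong to KERNEL_MODULES_PRIVKEY produces modules the kernel will refuse, and nothing in the signing step itself tells you so.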

To generate the signatures:

1. Update debian/rules.defs:
   - KERNEL_ABINAME: The kernel ABI name as included in all
     linux-image package names, e.g. 4.5.0-trunk.
   - KERNEL_IMAGE_VERSION: Version of the linux-image packages to be
     signed.
   - KERNEL_MODULES_PRIVKEY: Name of the private key file (RSA PEM
     format) for module signing.
   - KERNEL_MODULES_CERT: Name of the certificate file (X.509 PEM
     format) for module signing.  This file must also be included in
     src:linux and listed in CONFIG_SYSTEM_TRUSTED_KEYS.
   - KERNEL_IMAGE_PRIVKEY: Name of the private key file (RSA PEM
     format) for image signing.
   - KERNEL_IMAGE_CERT: Name of the certificate file (X.509 PEM
     format) for image signing.  This certificate must be trusted by
     the boot loader for Secure Boot to work.
   - MIRROR_SUITE: Suite from which to download the linux-image
     packages, if they are not already provided in
     debian/localpackages.
2. If the packages are not yet publicly available (e.g. for a security
   update), create debian/localpackages/ and copy or link them into
   there.
3. Run 'debian/rules sign'

You may see these warnings when signing a kernel image:

    warning: file-aligned section .text extends beyond end of file
    warning: checksum areas are greater than image size. Invalid section table?

These are harmless in practice: sbsign will insert padding to fix them up.

Then, to prepare the source package:

4. Run 'debian/rules maintainerclean'
5. Update debian/rules.defs:
   - SIGNED_VERSION_SUFFIX: In case a new source upload is made
     without changing KERNEL_IMAGE_VERSION, this suffix may be set
     to e.g. +s2, +s3, etc. to distinguish the binary versions.
     Normally it should be empty.
6. Run 'debian/rules debian/control'
7. Run 'dpkg-buildpackage -uc -us -S -d'

 -- Ben Hutchings <ben@decadent.org.uk>, Sun, 26 Jun 2016 15:07:55 +0200