Store build time signing key encrypted

(cherry picked from commit ca3d0e60f5)
2026-01-16 23:12:23 +00:00 · 2025-02-21 18:14:45 +01:00 · 2025-02-21 18:14:45 +01:00 · 3e2a574473
commit 3e2a574473
parent f966af394d
3 changed files with 17 additions and 0 deletions
--- a/debian/bin/buildcheck.py
+++ b/debian/bin/buildcheck.py
@ -295,6 +295,10 @@ class CheckSecureBootConfig:
                              f' {kconfig[name].value}\n')
                    fail = 1

+            if kconfig.get('MODULE_SIG_KEY').value == '"certs/signing_key.pem"':
+                out.write('Secure Boot: CONFIG_MODULE_SIG_KEY has default value\n')
+                fail = 1
+
        return fail


--- a/debian/changelog
+++ b/debian/changelog
@ -6,6 +6,7 @@ linux (6.1.147-2) UNRELEASED; urgency=medium
    - Set MODULE_SIG_ALL to sign all modules.
    - Not longer request Secure Boot signing for modules.
    - Don't trust Secure Boot key any longer.
+  * Store build time signing key encrypted.

  [ Ben Hutchings ]
  * d/b/buildcheck.py, d/rules.real: Run buildcheck.py in setup as well
--- a/debian/rules.real
+++ b/debian/rules.real
@ -68,6 +68,7 @@ source: $(STAMPS_DIR)/source_$(FEATURESET)
 $(BUILD_DIR)/config.$(ARCH)_$(FEATURESET)_$(FLAVOUR): $(KCONFIG)
 	mkdir -p '$(dir $@)'
 	debian/bin/kconfig.py '$@' $(KCONFIG) $(KCONFIG_OPTIONS) \
+		-o MODULE_SIG_KEY=\"output/signing_key.pem\" \
 		$(call if_profile, pkg.linux.nokerneldbginfo pkg.linux.quick,-o DEBUG_INFO_NONE=y -o DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=n)

 define copy_source
@ -165,9 +166,18 @@ endif
 $(STAMPS_DIR)/build_$(ARCH)_$(FEATURESET)_$(FLAVOUR): DIR=$(BUILD_DIR)/build_$(ARCH)_$(FEATURESET)_$(FLAVOUR)
 $(STAMPS_DIR)/build_$(ARCH)_$(FEATURESET)_$(FLAVOUR): OUTPUT_DIR=$(DIR)/output/image
 $(STAMPS_DIR)/build_$(ARCH)_$(FEATURESET)_$(FLAVOUR): OUTPUT_DIR_DBG=$(DIR)/output/image-dbg
+$(STAMPS_DIR)/build_$(ARCH)_$(FEATURESET)_$(FLAVOUR): export KBUILD_SIGN_PIN = $(shell dd if=/dev/random bs=16 count=1 status=none | base64)
 $(STAMPS_DIR)/build_$(ARCH)_$(FEATURESET)_$(FLAVOUR): $(STAMPS_DIR)/setup_$(ARCH)_$(FEATURESET)_$(FLAVOUR)
 $(STAMPS_DIR)/build_$(ARCH)_$(FEATURESET)_$(FLAVOUR):
 	rm -rf '$(DIR)/output'
+	install -d '$(DIR)/output'
+
+	openssl req -new -utf8 -sha256 -days 36500 \
+		-batch -x509 -config certs/default_x509.genkey \
+		-passout env:KBUILD_SIGN_PIN \
+		-outform PEM -out $(DIR)/output/signing_key.pem \
+		-keyout $(DIR)/output/signing_key.pem \
+		-newkey ec -pkeyopt ec_paramgen_curve:secp384r1 2>&1

 	+$(MAKE_CLEAN) -C '$(DIR)'
 	debian/bin/buildcheck.py $(DIR) $(ARCH) $(FEATURESET) $(FLAVOUR) build
@ -177,6 +187,8 @@ $(STAMPS_DIR)/build_$(ARCH)_$(FEATURESET)_$(FLAVOUR):
 		INSTALL_MOD_PATH='$(CURDIR)/$(OUTPUT_DIR)' \
 		INSTALL_MOD_STRIP=1

+	rm $(DIR)/output/signing_key.pem
+
 # cmd_sign=: Don't sign modules
 	+$(MAKE_CLEAN) -C $(DIR) modules_install \
 		cmd_sign= \