From 3b0cdfc23e3ebf19c73c07aa9c45dc7f04c5886b Mon Sep 17 00:00:00 2001 From: kimocoder Date: Mon, 6 Jun 2022 03:27:12 +0200 Subject: [PATCH] Add signing to Makefile --- Makefile | 17 +++++++++- tools/install-and-sign-ubuntu.sh | 57 -------------------------------- 2 files changed, 16 insertions(+), 58 deletions(-) delete mode 100755 tools/install-and-sign-ubuntu.sh diff --git a/Makefile b/Makefile index 23ed5bd..12c44a1 100755 --- a/Makefile +++ b/Makefile @@ -167,6 +167,10 @@ CONFIG_CUSTOMER_HUAWEI_GENERAL = n CONFIG_DRVEXT_MODULE = n +ifeq ("","$(wildcard MOK.der)") +NO_SKIP_SIGN := y +endif + ifeq ($(CONFIG_RTL8812AU), ) ifneq (,$(findstring /usr/lib/dkms,$(PATH))) export TopDIR ?= $(shell pwd) @@ -2327,5 +2331,16 @@ clean: cd platform ; rm -fr *.mod.c *.mod *.o .*.cmd *.ko rm -fr Module.symvers ; rm -fr Module.markers ; rm -fr modules.order rm -fr *.mod.c *.mod *.o .*.cmd *.ko *~ - rm -fr .tmp_versions + rm -fr .tmp_versions *.der *.priv endif + +sign: +ifeq ($(NO_SKIP_SIGN), y) + @openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=Custom MOK/" + @mokutil --import MOK.der +else + echo "Skipping key creation" +endif + @$(KSRC)/scripts/sign-file sha256 MOK.priv MOK.der 88XXau.ko + +sign-install: all sign install diff --git a/tools/install-and-sign-ubuntu.sh b/tools/install-and-sign-ubuntu.sh deleted file mode 100755 index dc3b026..0000000 --- a/tools/install-and-sign-ubuntu.sh +++ /dev/null 
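Review bot: The added `ifeq ("","$(wildcard MOK.der)")` test looks only for the certificate, so a tree that has `MOK.der` but no `MOK.priv` skips key creation and then fails at the `sign-file` call in the `sign` target added by the second Makefile hunk. Test for both files, for example `ifneq ($(words $(wildcard MOK.der MOK.priv)),2)`. The name `NO_SKIP_SIGN` is also misleading, since it gates key creation rather than signing; a name such as `MOK_CREATE_KEY` with a comment like `# y when the MOK key pair still has to be generated` would read better.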
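Review bot: The `sign` recipe writes an unencrypted (`-nodes`) private key, valid for 36500 days, into the source tree under the caller's default umask, and that key is then enrolled as a Machine Owner Key, so anyone who can read `MOK.priv` can sign modules this machine will load under Secure Boot. Create the key with restrictive permissions, for example by prefixing the openssl line with `umask 077 &&`, and consider keeping it outside the build directory. The new `rm -fr .tmp_versions *.der *.priv` in `clean` deletes the only copy of that key while its certificate stays enrolled, so each clean forces a new key, another `mokutil --import` and a reboot, and leaves the old certificate trusted until it is removed by hand; limit `clean` to build products or move key removal to its own target. `sign-install: all sign install` relies on left-to-right prerequisite order, which `make -j` does not guarantee, so run the three steps as sequential `$(MAKE)` calls in the recipe instead. The `clean` rule begins outside the hunk.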
@@ -1,57 +0,0 @@
-#!/bin/bash
-
-if [ $(id -u) != 0 ]; then
- echo " Script must be run as root"
- exit
-fi
-
-
-if [[ "$(mokutil --sb-state)" == *enabled ]]; then
- SECUREBOOT="ON"
-else
- SECUREBOOT="OFF"
-fi
-
-RUNASUSER="sudo -u $SUDO_USER"
-
-# Run this block as user
-$RUNASUSER bash << EOF
- echo " Building the module"
- make -j$(nproc)
-
- if [ ! -d ".ssl" ] && [ $SECUREBOOT == "ON" ]; then
- mkdir .ssl
- fi
-EOF
-
-echo -e "\n Installing the module..."
-make install
-
-# Sign module if SecureBoot is enabled
-if [ $SECUREBOOT == "ON" ]; then
- echo -e "\n Creating X.509 key pair"
- cd .ssl
- openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=local_rtl8812au/"
-
- SIGN=/usr/src/linux-headers-$(uname -r)/scripts/sign-file
- MODULE=$(modinfo -n 88XXau)
-
- echo -e "\n Signing the following module"
- echo " $MODULE"
-
- $SIGN sha256 ./MOK.priv ./MOK.der $MODULE
-
- # Add key to trusted list
- echo -e "\n\t ATTENTION"
- echo -e " MOK manager ask you to enter input password."
- echo " This password will be needed once after first reboot."
-
- mokutil --import ./MOK.der
-
- echo ""
- echo " System requires reboot."
- echo " UEFI key manager will appear during the boot."
- echo " Select 'Enroll MOK' and 'Continue. Then enter input password."
-else
- modprobe 88XXau
-fi