Add signing to Makefile

kimocoder 2022-06-06 03:27:12 +02:00
parent 2fcc00bbb3
commit 3b0cdfc23e
2 changed files with 16 additions and 58 deletions


@ -167,6 +167,10 @@ CONFIG_CUSTOMER_HUAWEI_GENERAL = n
CONFIG_DRVEXT_MODULE = n CONFIG_DRVEXT_MODULE = n
ifeq ("","$(wildcard MOK.der)")
NO_SKIP_SIGN := y
endif
ifeq ($(CONFIG_RTL8812AU), ) ifeq ($(CONFIG_RTL8812AU), )
ifneq (,$(findstring /usr/lib/dkms,$(PATH))) ifneq (,$(findstring /usr/lib/dkms,$(PATH)))
export TopDIR ?= $(shell pwd) export TopDIR ?= $(shell pwd)
@ -2327,5 +2331,16 @@ clean:
cd platform ; rm -fr *.mod.c *.mod *.o .*.cmd *.ko cd platform ; rm -fr *.mod.c *.mod *.o .*.cmd *.ko
rm -fr Module.symvers ; rm -fr Module.markers ; rm -fr modules.order rm -fr Module.symvers ; rm -fr Module.markers ; rm -fr modules.order
rm -fr *.mod.c *.mod *.o .*.cmd *.ko *~ rm -fr *.mod.c *.mod *.o .*.cmd *.ko *~
rm -fr .tmp_versions rm -fr .tmp_versions *.der *.priv
endif endif
sign:
ifeq ($(NO_SKIP_SIGN), y)
@openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=Custom MOK/"
@mokutil --import MOK.der
else
echo "Skipping key creation"
endif
@$(KSRC)/scripts/sign-file sha256 MOK.priv MOK.der 88XXau.ko
sign-install: all sign install
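Review bot: The `sign` recipe generates `MOK.priv` with `-nodes`, so the private half of a key that `mokutil --import` submits for enrollment as a Machine Owner Key is left unencrypted in the build directory, paired with a 36500-day certificate; anyone who can read that file can sign modules this machine will accept under Secure Boot. Consider dropping `-nodes` and supplying the passphrase to `sign-file` through `KBUILD_SIGN_PIN`, or at minimum creating the key under `umask 077` in a root-only directory outside the source tree. Separately, `sign-install: all sign install` lists prerequisites without ordering them, so under `make -j` the signing step may run before `88XXau.ko` is built or concurrently with `install`; running `$(MAKE) all`, `$(MAKE) sign` and `$(MAKE) install` as successive recipe lines would fix the order. The `*.der *.priv` added to `clean` also means each `make clean` discards the enrolled key pair, so the next `make sign` creates and imports a new one.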


@ -1,57 +0,0 @@
#!/bin/bash
if [ $(id -u) != 0 ]; then
echo " Script must be run as root"
exit
fi
if [[ "$(mokutil --sb-state)" == *enabled ]]; then
SECUREBOOT="ON"
else
SECUREBOOT="OFF"
fi
RUNASUSER="sudo -u $SUDO_USER"
# Run this block as user
$RUNASUSER bash << EOF
echo " Building the module"
make -j$(nproc)
if [ ! -d ".ssl" ] && [ $SECUREBOOT == "ON" ]; then
mkdir .ssl
fi
EOF
echo -e "\n Installing the module..."
make install
# Sign module if SecureBoot is enabled
if [ $SECUREBOOT == "ON" ]; then
echo -e "\n Creating X.509 key pair"
cd .ssl
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=local_rtl8812au/"
SIGN=/usr/src/linux-headers-$(uname -r)/scripts/sign-file
MODULE=$(modinfo -n 88XXau)
echo -e "\n Signing the following module"
echo " $MODULE"
$SIGN sha256 ./MOK.priv ./MOK.der $MODULE
# Add key to trusted list
echo -e "\n\t ATTENTION"
echo -e " MOK manager ask you to enter input password."
echo " This password will be needed once after first reboot."
mokutil --import ./MOK.der
echo ""
echo " System requires reboot."
echo " UEFI key manager will appear during the boot."
echo " Select 'Enroll MOK' and 'Continue. Then enter input password."
else
modprobe 88XXau
fi