scripts: package: adapt to UOS/deepin Secure Boot signing routine

Connect to our signing server during build time and sign the kernel image as it gets installed to the temporary Debian packaging directory. Co-authored-by: 李成刚 <[email protected]> Signed-off-by: Mingcong Bai <[email protected]> Signed-off-by: 李成刚 <[email protected]> Signed-off-by: Meng Tang <[email protected]>
deepin-community · Jun 20, 2024 · ac75506 · ac75506
1 parent 1e23d8c
commit ac75506
Show file tree

Hide file tree

Showing 3 changed files with 87 additions and 0 deletions.
diff --git a/scripts/package/UEFI-CA-CERT/DEEPIN-UEFI-RSA.pem b/scripts/package/UEFI-CA-CERT/DEEPIN-UEFI-RSA.pem
@@ -0,0 +1,38 @@
+-----BEGIN CERTIFICATE-----
+MIIGtDCCBJygAwIBAgIUDFaHlSuPfmjO99P5tuVXUFTY+6QwDQYJKoZIhvcNAQEL
+BQAwgacxCzAJBgNVBAYTAkNOMQ4wDAYDVQQIDAVIdWJlaTEOMAwGA1UEBwwFV3Vo
+YW4xKjAoBgNVBAoMIVd1aGFuIERlZXBpbiBUZWNobm9sb2d5IENvLiwgTHRkLjEs
+MCoGA1UECwwjU2VjdXJlIEJvb3QgTWFpbnRlbmFuY2UgRGVwYXJ0bWVudC4xHjAc
+BgNVBAMMFURlZXBpbiBTZWN1cmUgQm9vdCBDQTAgFw0yMDA2MTAxMjQyNTZaGA8y
+MDUwMDYwMzEyNDI1NlowgacxCzAJBgNVBAYTAkNOMQ4wDAYDVQQIDAVIdWJlaTEO
+MAwGA1UEBwwFV3VoYW4xKjAoBgNVBAoMIVd1aGFuIERlZXBpbiBUZWNobm9sb2d5
+IENvLiwgTHRkLjEsMCoGA1UECwwjU2VjdXJlIEJvb3QgTWFpbnRlbmFuY2UgRGVw
+YXJ0bWVudC4xHjAcBgNVBAMMFURlZXBpbiBTZWN1cmUgQm9vdCBDQTCCAiIwDQYJ
+KoZIhvcNAQEBBQADggIPADCCAgoCggIBALbB/SCDzsADjCzQ6dRc8AnhS9Th7qNb
+Ld3ctn1jc/cNdthbbgKsNlprqCLKZQw64SXnGUIOP2rAcbp8C+NFeKYS5EYQLkiv
+qeIAAVXSrisDXQem6KBRClz8997xJXILT8XZnFj8c4osj/pNWj4IoHGPUBUa6JDo
+SJpMXq2uqhBq9qdEi1aqOPW+0qxn+Rum8BBpa982rMqMUX2nZTN+jKbvILRzV5dM
+S9EhWDneyE4dZLz8vnVb/qHJLxKP5fjPq3BoOZjfzaWMfOICa2X2qlEpTDoTaeZu
+cBZZJqkq1vglrpssxqSNDKeaEzGcTOnOTC2pSt3pwMT3tCsxFxiYV/Y2Flbv/UGP
+5HE9S94G2+6XZTEP1tu1gPP9ZS0vFhHbwiHXYWp1i/JneSBujv3n80Y4vr5V/tLm
+2IMeKZgXquL4o2T1KNI5Ygec8IkpIAhg2NIh6jgOWHQhJEdMjPD31jsnXNUd0eZp
+eLJnDI9qEZFVC3YgV6fD2waIvKomm0xpxS2E+MNSUelvENc24Qo0kTGaY5ZiblRR
+KFON2So9gkyTxxbCwhvPss53vyq+r1wpZq0QNy10Fko4zzhoG7WdwgXJ34ArjozC
+iOV0kK7gKNcIcEdzLZVrpQaUOQ3T2ACDmwlgneZzxCZXehtb7lC192lcHdKzRRPL
+JxPxKCbwu8hbAgMBAAGjgdMwgdAwRQYIKwYBBQUHAQEEOTA3MDUGCCsGAQUFBzAC
+hilodHRwczovL3d3dy5kZWVwaW4uY29tL2NydC9zZWN1cmUtYm9vdC1jYTARBglg
+hkgBhvhCAQEEBAMCAPcwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDgYDVR0PAQH/BAQD
+AgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFEaEWUkU4Fmu4yeQaVdIoYXG
+fYGgMB8GA1UdIwQYMBaAFEaEWUkU4Fmu4yeQaVdIoYXGfYGgMA0GCSqGSIb3DQEB
+CwUAA4ICAQCMjf+W3stDuKnfqTG0HhgOUpTnjF3PDHjcCXVkWonZc3YH4gnkrQAH
+wb4UDMj9//yOe+hKsUmopaXOT1p/UUbQmc/Cdp7IXQGxgPkxyExg9tNGA70uV+S4
+xe2ro9qTNjfy0wgMWtLO+WmdVT7OBseAf5e83YU4uB2lH/dyGodyinV58n/QjdSt
+DZIuJCLLqKxo168NTY+dyvbcWz/NN6vAZjsx6R/Uhqsh/fCzhy+G7Ay7qJD8s23e
+GCy0W6Gb7HQ5+xgChAPWJrfoVXNxPL2AZP4B7SdD3+LbonXB5U5Oh9PGZeTIBEYe
+Ypq9YEcG2Gh++hiSAJDkLP0PImh5lk7JRe6DhrbQ+yNTV5hcnsV1YsoGwfqe3nqr
+pe3e5PwPrtaOO5Z6F9O4Vir4nnrv5woZjPkSPgRUBbWAjoleWtQ8QsVfo7rcgBJn
+o44c7AbLgI2jH7OglI2hlDEtflipJ1GL2aqQlHfgnJF08wEW/fnsbmgL67ULlPdT
+9KBNrP/KBynQ0hDpxFWfuAHrUCIznNpUkdajhagv+Bw4kxrbV+wpjxtidZsJGkOr
+3W3nN8FG7NyDNPp9PWW773A9J0on0mXZYkpzwQt1GG5iFyxGhEzcyawTeWy6bKNo
+DidxLyvBA/ai5GVlvaB7pGbuypTxEUbdOpoRF8j7wwlAOuxT8UGiEQ==
+-----END CERTIFICATE-----
diff --git a/scripts/package/UEFI-CA-CERT/UOS-UEFI-RSA.pem b/scripts/package/UEFI-CA-CERT/UOS-UEFI-RSA.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEbDCCA1SgAwIBAgIQSoLQeFszpJx5UcVgfaWU7zANBgkqhkiG9w0BAQsFADA4
+MQswCQYDVQQGEwJDTjEMMAoGA1UECgwDVU9TMRswGQYDVQQDDBJVT1MgQVBQIFNp
+Z25pbmcgQ0EwHhcNMjAwMTA4MTEyMzExWhcNMjMwMTA4MTEyMzExWjBfMQswCQYD
+VQQGEwJDTjEnMCUGA1UECgwe57uf5L+h6L2v5Lu25oqA5pyv5pyJ6ZmQ5YWs5Y+4
+MScwJQYDVQQDDB7nu5/kv6Hova/ku7bmioDmnK/mnInpmZDlhazlj7gwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC5qKfSG2vC9vzHDtGoXiUX8v7Iihs5
+Wj01YvsvNl2+8FgFanNJVJctk1c4spNmFZc2ROkfVInKGgvZ1VeD56HW1aY0aaBX
+atPQY/q98X9hUM6NWGYevk9C8Sw2TnNxwr5TLzdawDcM8/KSWtTI6R7smeg7gR1C
+HKXW55EqXEURroHyCZjN1JFR5S9AyNDGBbzK43+W97/23myIhVQJSepJ1PrmzeGg
+6Anmzy5rzeUwjFvQwcPRq2ZgHwM82iW4htxHczxFUTdEIEXvLK4gA1yRUx8BPX8m
+AMoTJx0bkM46KNRZIYo5ph2M99vdmycgyxIoXE4UkqrX+5q5YKlubmD9AgMBAAGj
+ggFJMIIBRTAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwCQYD
+VR0TBAIwADAdBgNVHQ4EFgQUrlkcHIKwfcrqv0BMoNxd0PxU6ekwHwYDVR0jBBgw
+FoAUUpOzguFP4xtF85SMFjCNb4RfkAYwXQYIKwYBBQUHAQEEUTBPMCAGCCsGAQUF
+BzABhhRodHRwOi8vb2NzcC51b3NjYS5jbjArBggrBgEFBQcwAoYfaHR0cDovL2Fp
+YS51b3NjYS5jbi91b3MtYXBwLmNlcjAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8v
+Y3JsLnVvc2NhLmNuL3Vvcy1hcHAuY3JsMEIGA1UdIAQ7MDkwNwYKKoEch4QeCQgG
+ATApMCcGCCsGAQUFBwIBFhtodHRwOi8vd3d3LnVvc2NhLmNuL3BvbGljeS8wDQYJ
+KoZIhvcNAQELBQADggEBADjl68v46pFZjKJBsAhHcCjr3KjxboyCRzJQBFn5ZaH/
+EOoVil4o/BTI2xYshvNlzaRXVYLgFDGt2iWa4P9/I8zq90Ko2+4nyT89R5t8Dzj1
+GoWLULkWyEKCH8hzKbboQeotKpKoaEkuP9YRsorC/Z68aVRjTC0lQcJrruwm63+W
+d6t2bNw4pteP92BrV416kxhBEgeqcjqVZoduGbP9zlDmnZesYaDtXq/P1zqx85yr
+PXIzyqcPm5URsmHlUAhfospvtNSVKNuNiLu2Fdg15jEJU8H/9uyYTOCg2sIZ+qY6
+jFLRwq0BLRSSOyJwsWA6RExbLzVQdAQhpEDqtQOxAiw=
+-----END CERTIFICATE-----
diff --git a/scripts/package/builddeb b/scripts/package/builddeb
@@ -92,6 +92,29 @@ install_linux_image () {
 	esac
 	cp "$(${MAKE} -s -f ${srctree}/Makefile image_name)" "${pdir}/${installed_image_path}"
 
+        # UEFI Secure Boot CA paths.
+        deepin_uefi_ca="${srctree}/scripts/package/UEFI-CA-CERT/DEEPIN-UEFI-RSA.pem"
+        uos_uefi_ca="${srctree}/scripts/package/UEFI-CA-CERT/UOS-UEFI-RSA.pem"
+
+	# Sign the kernel image.
+	if [ -f "${srctree}/auto_deepin_sign_kernel" ];then
+		sbsign \
+			--swkey \
+			--ip 10.0.32.114 \
+			--port 9090 \
+			--cert "$deepin_uefi_ca" \
+			--output "${pdir}/${installed_image_path}" \
+			"${pdir}/${installed_image_path}"
+	elif [ -f "${srctree}/auto_sign_kernel" ];then
+		sbsign \
+			--hwkey 1 \
+			--ip 10.0.32.114 \
+			--port 8080 \
+			--cert "$uos_uefi_ca" \
+			--output "${pdir}/${installed_image_path}" \
+			"${pdir}/${installed_image_path}"
+	fi
+
 	# Install the maintainer scripts
 	# Note: hook scripts under /etc/kernel are also executed by official Debian
 	# kernel packages, as well as kernel packages built using make-kpkg.