Fix secure boot signing of 5.10 kernel

The 5.10 kernel moved /boot/vmlinuz from the kernel package to the kernel-core package. Adjust the signing scripts to look for it at the new location. Closes-Bug: 1951461 Change-Id: I4f49b9ac48fa50397aa98b8075386400b62ec6fa Signed-off-by: Scott Little <scott.little@windriver.com>
2021-11-18 13:34:24 -05:00 · 2021-11-18 13:34:24 -05:00 · bccb327f15
parent a6bf770a05
commit bccb327f15
1 changed files with 36 additions and 16 deletions
--- a/build-tools/sign-secure-boot
+++ b/build-tools/sign-secure-boot
@ -228,23 +228,43 @@ function sign_kernels
 #              unsigned binaries
 function sign_kernel
 {
-	local KERNEL_PATH=$1
-	local KERNEL_EXTRA=$2
-	KERNEL=`find $MY_WORKSPACE/${KERNEL_PATH}/rpmbuild/RPMS -name "kernel${KERNEL_EXTRA}-[1-9]*.$ARCH.rpm"`
-	UNSIGNED_KERNEL=`find $MY_WORKSPACE/${KERNEL_PATH}/rpmbuild/RPMS -name "kernel${KERNEL_EXTRA}-unsigned-[1-9]*.$ARCH.rpm"`
-	if [ "x${KERNEL}" == "x" ]; then
-	    echo "Warning -- cannot find kernel package to sign in ${KERNEL_PATH}"
-	    return 0
-	fi
-	if [ "x${UNSIGNED_KERNEL}" == "x" ]; then
-	    echo "Warning -- cannot find unsigned kernel package to sign in ${KERNEL_PATH}"
-	    return 0
-	fi
+    local KERNEL_PATH=$1
+    local KERNEL_EXTRA=$2

-	sign kernel $KERNEL $UNSIGNED_KERNEL
-	if [ $? -ne 0 ]; then
-		return $?
-	fi
+    local KERNEL=""
+    local UNSIGNED_KERNEL=""
+    local RPM=""
+    local VMLINUZ=""
+
+    # 5.xx series kernels store vmlinuz in the 'kernel-core' package
+    KERNEL=$(find $MY_WORKSPACE/${KERNEL_PATH}/rpmbuild/RPMS -name "kernel${KERNEL_EXTRA}-core-[1-9]*.$ARCH.rpm")
+    if [ "x${KERNEL}" == "x" ]; then
+        # Older kernels store vmlinuz in the 'kernel' package
+        KERNEL=$(find $MY_WORKSPACE/${KERNEL_PATH}/rpmbuild/RPMS -name "kernel${KERNEL_EXTRA}-[1-9]*.$ARCH.rpm")
+        if [ "x${KERNEL}" == "x" ]; then
+            echo "Warning -- cannot find kernel package to sign in ${KERNEL_PATH}"
+            return 0
+        fi
+    fi
+
+    # The unsigned vmlinuz is in the 'kernel-unsigned' package for ALL kernels.
+    UNSIGNED_KERNEL=$(find $MY_WORKSPACE/${KERNEL_PATH}/rpmbuild/RPMS -name "kernel${KERNEL_EXTRA}-unsigned-[1-9]*.$ARCH.rpm")
+    if [ "x${UNSIGNED_KERNEL}" == "x" ]; then
+        echo "Warning -- cannot find unsigned kernel package to sign in ${KERNEL_PATH}"
+        return 0
+    fi
+
+    # check for vmlinuz
+    for RPM in $KERNEL $UNSIGNED_KERNEL; do
+        VMLINUZ=$(rpm -q -l -p $RPM | grep '/boot/vmlinuz')
+        if [ $? -ne 0 ]; then
+            echo "Error -- cannot find /boot/vmlinuz in ${RPM}"
+            return 1
+        fi
+    done
+
+    sign kernel $KERNEL $UNSIGNED_KERNEL
+    return $?
 }

 # rebuild_pkgs - rebuild any packages that need to be updated from the newly