[Acked/CMT] [PATCH][EOAN] UBUNTU: [Config] enable secureboot signing on s390x

Andy Whitcroft apw at canonical.com
Thu Jul 18 14:32:28 UTC 2019 

On Tue, Jul 16, 2019 at 01:02:04AM +0100, Dimitri John Ledkov wrote:
> Bug-Link: https://bugs.launchpad.net/bugs/1829749
> 
> Signed-off-by: Dimitri John Ledkov <xnox at ubuntu.com>
> ---
>  debian.master/rules.d/s390x.mk  | 2 +-
>  debian/rules                    | 2 +-
>  debian/rules.d/1-maintainer.mk  | 1 +
>  debian/rules.d/2-binary-arch.mk | 5 +++++
>  4 files changed, 8 insertions(+), 2 deletions(-)
> 
> diff --git a/debian.master/rules.d/s390x.mk b/debian.master/rules.d/s390x.mk
> index dad66b1a674f..14e58db17d27 100644
> --- a/debian.master/rules.d/s390x.mk
> +++ b/debian.master/rules.d/s390x.mk
> @@ -11,7 +11,7 @@ vdso		= vdso_install
>  no_dumpfile	= true
>  
>  do_extras_package = true
> -
> +sipl_signed       = true
>  do_tools_usbip    = true
>  do_tools_cpupower = true
>  do_tools_perf     = true
> diff --git a/debian/rules b/debian/rules
> index 0953195f5ab1..80205f30b265 100755
> --- a/debian/rules
> +++ b/debian/rules
> @@ -49,7 +49,7 @@ ifneq ($(DEB_HOST_ARCH),$(DEB_BUILD_ARCH))
>  endif
>  
>  # Are any of the kernel signing options enabled.
> -any_signed=$(sort $(filter-out false,$(uefi_signed) $(opal_signed)))
> +any_signed=$(sort $(filter-out false,$(uefi_signed) $(opal_signed) $(sipl_signed)))
>  ifeq ($(any_signed),true)
>  bin_pkg_name=$(bin_pkg_name_unsigned)
>  else
> diff --git a/debian/rules.d/1-maintainer.mk b/debian/rules.d/1-maintainer.mk
> index e71bf3c281ef..efc5e50841c9 100644
> --- a/debian/rules.d/1-maintainer.mk
> +++ b/debian/rules.d/1-maintainer.mk
> @@ -92,6 +92,7 @@ printenv:
>  	@echo "any_signed                = $(any_signed)"
>  	@echo " uefi_signed               = $(uefi_signed)"
>  	@echo " opal_signed               = $(opal_signed)"
> +	@echo " sipl_signed               = $(sipl_signed)"
>  	@echo "full_build                = $(full_build)"
>  	@echo "libc_dev_version          = $(libc_dev_version)"
>  	@echo "DEB_HOST_GNU_TYPE         = $(DEB_HOST_GNU_TYPE)"
> diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk
> index f3ab06748cf6..083b64772439 100644
> --- a/debian/rules.d/2-binary-arch.mk
> +++ b/debian/rules.d/2-binary-arch.mk
> @@ -151,6 +151,11 @@ ifeq ($(opal_signed),true)
>  	cp -p $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* \
>  		$(signingv)/$(instfile)-$(abi_release)-$*.opal;
>  endif
> +ifeq ($(sipl_signed),true)
> +	install -d $(signingv)
> +	cp -p $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* \
> +		$(signingv)/$(instfile)-$(abi_release)-$*.sipl;
> +endif
>  
>  	install -d $(pkgdir)/boot
>  	install -m644 $(builddir)/build-$*/.config \
> -- 
> 2.20.1

Looks in the ball-park. 

Acked-by: Andy Whitcroft <apw at canonical.com>

Was there something we were waiting for before allowing the kernel to be
signed, making sure it was appropriately locked down as is done in x86 I
think.  Xnox has that landed?

-apw

More information about the kernel-team mailing list