2626# Configuration file to change
2727ARCH=amd64
2828PLATFORM=
29+ SECURE_UPGRADE_MODE=" no_sign"
30+ SECURE_UPGRADE_DEV_SIGNING_CERT=
2931if [ $# -ge 1 ]; then
3032 ARCH=$1
3133fi
3234if [ $# -ge 2 ]; then
3335 PLATFORM=$2
3436fi
37+ if [ $# -ge 3 ]; then
38+ SECURE_UPGRADE_MODE=$3
39+ fi
40+ if [ $# -ge 4 ]; then
41+ SECURE_UPGRADE_DEV_SIGNING_CERT=$4
42+ fi
43+
3544case " $ARCH " in
3645 amd64)
3746 CONFIG_FILE_LOC=debian/build/build_amd64_none_amd64
@@ -58,88 +67,123 @@ function get_section_opts(){
5867 echo " $opts "
5968}
6069
61- ret=0
62- exclusion_file=" ../patch/kconfig-exclusions"
63- inclusion_file=" ../patch/kconfig-inclusions"
64- force_inclusion_file=" ../patch/kconfig-force-inclusions"
65- if [ -e ${exclusion_file} -o -e ${inclusion_file} -o -e ${force_inclusion_file} ]; then
66-
67- # Process any exclusions in the kernel
68- if [ -f ${exclusion_file} ]; then
69- exclusion_opts=$( get_section_opts ${exclusion_file} " common" ${ARCH} ${PLATFORM} )
70- while read -r opt; do
71- if [ ! -z " $opt " && [[ ! " $opt " =~ ^# .* ]]; then
72- scripts/config --file ${CONFIG_FILE} -d $opt
73- fi
74- done <<< ${exclusion_opts} ;
75- fi
70+ function process_inclusion_exclusion_files(){
71+ echo " process_inclusion_exclusion_files Start"
72+ ret=0
73+ echo " debug ret=$ret 1"
74+ if [ -e ${exclusion_file} -o -e ${inclusion_file} -o -e ${force_inclusion_file} ]; then
7675
77- # Process any inclusions in the kernel
78- if [ -f ${inclusion_file} ]; then
79- inclusion_opts=$( get_section_opts ${inclusion_file} " common" ${ARCH} ${PLATFORM} )
80- while read -r opt; do
81- if [ ! -z " $opt " && [[ ! " $opt " =~ ^# .* ]]; then
82- n= ${opt% =* }
83- v= " ${opt#* =} "
84- scripts/config --file ${CONFIG_FILE} -k --set-val " $n " " $v "
85- fi
86- done <<< ${inclusion_opts} ;
87- fi
76+ # Process any exclusions in the kernel
77+ if [ -f ${exclusion_file} ]; then
78+ exclusion_opts=$( get_section_opts ${exclusion_file} " common" ${ARCH} ${PLATFORM} )
79+ while read -r opt; do
80+ if [ ! -z " $opt " && [[ ! " $opt " =~ ^# .* ]]; then
81+ scripts/config --file ${CONFIG_FILE} -d $opt
82+ fi
83+ done <<< ${exclusion_opts} ;
84+ fi
8885
89- # Update the .config file to be sure it's consistent
90- make -C ${CONFIG_FILE_LOC} olddefconfig
86+ # Process any inclusions in the kernel
87+ if [ -f ${inclusion_file} ]; then
88+ inclusion_opts=$( get_section_opts ${inclusion_file} " common" ${ARCH} ${PLATFORM} )
89+ while read -r opt; do
90+ if [ ! -z " $opt " && [[ ! " $opt " =~ ^# .* ]]; then
91+ n= ${opt% =* }
92+ v= " ${opt#* =} "
93+ scripts/config --file ${CONFIG_FILE} -k --set-val " $n " " $v "
94+ fi
95+ done <<< ${inclusion_opts} ;
96+ fi
9197
92- # Verify that the kernel options we want to remove are not in the updated configuration
93- if [ -f ${exclusion_file} ]; then
94- echo
95- echo " Checking removed kernel options..."
96- while read -r opt; do
97- if [ ! -z " $opt " && [[ ! " $opt " =~ ^# .* ]]; then
98- s= $( scripts/config --file ${CONFIG_FILE} -k --state $opt )
99- if [ ! " $s " = " undef" -a ! " $s " = " n" ; then
100- ret=1
101- echo " Option $opt should not be set, but is set to [$s ]"
98+ # Update the .config file to be sure it's consistent
99+ make -C ${CONFIG_FILE_LOC} olddefconfig
100+
101+ # Verify that the kernel options we want to remove are not in the updated configuration
102+ if [ -f ${exclusion_file} ]; then
103+ echo
104+ echo " Checking removed kernel options..."
105+ while read -r opt; do
106+ if [ ! -z " $opt " && [[ ! " $opt " =~ ^# .* ]]; then
107+ s= $( scripts/config --file ${CONFIG_FILE} -k --state $opt )
108+ if [ ! " $s " = " undef" -a ! " $s " = " n" ; then
109+ ret=1
110+ echo " Option $opt should not be set, but is set to [$s ]"
111+ fi
102112 fi
113+ done <<< ${exclusion_opts} ;
114+ if [ $ret = 0 ]; then
115+ echo " No error"
103116 fi
104- done <<< ${exclusion_opts} ;
105- if [ $ret = 0 ]; then
106- echo " No error"
107117 fi
108- fi
109118
110- # Verify that the kernel options we want to add are now in the updated configuration
111- if [ -f ${inclusion_file} ]; then
112- echo
113- echo " Checking added kernel options..."
114- while read -r opt; do
115- if [ ! -z " $opt " && [[ ! " $opt " =~ ^# .* ]]; then
116- n= ${opt% =* }
117- v= " ${opt#* =} "
118- v= " ${v/# \" / } "
119- v= " ${v/% \" / } "
120- s= $( scripts/config --file ${CONFIG_FILE} -k --state $n )
121- if [ ! " $s " = " $v " ; then
122- ret=2
123- echo " Option $n should be set to [$v ] instead of [$s ]"
119+ # Verify that the kernel options we want to add are now in the updated configuration
120+ if [ -f ${inclusion_file} ]; then
121+ echo
122+ echo " Checking added kernel options..."
123+ while read -r opt; do
124+ if [ ! -z " $opt " && [[ ! " $opt " =~ ^# .* ]]; then
125+ n= ${opt% =* }
126+ v= " ${opt#* =} "
127+ v= " ${v/# \" / } "
128+ v= " ${v/% \" / } "
129+ s= $( scripts/config --file ${CONFIG_FILE} -k --state $n )
130+ if [ ! " $s " = " $v " ; then
131+ ret=2
132+ echo " Option $n should be set to [$v ] instead of [$s ]"
133+ fi
124134 fi
135+ done <<< ${inclusion_opts} ;
136+ if [ ! $ret = 2 ]; then
137+ echo " No error"
125138 fi
126- done <<< ${inclusion_opts} ;
127- if [ ! $ret = 2 ]; then
128- echo " No error"
129139 fi
130- fi
131140
132- # Process any force inclusions in the kernel
133- if [ -f ${force_inclusion_file} ]; then
134- force_inclusion_opts=$( get_section_opts ${force_inclusion_file} " common" ${ARCH} ${PLATFORM} )
135- while read -r opt; do
136- if [ ! -z " $opt " && [[ ! " $opt " =~ ^# .* ]]; then
137- echo $opt >> ${CONFIG_FILE}
138- fi
139- done <<< ${force_inclusion_opts} ;
141+ # Process any force inclusions in the kernel
142+ if [ -f ${force_inclusion_file} ]; then
143+ force_inclusion_opts=$( get_section_opts ${force_inclusion_file} " common" ${ARCH} ${PLATFORM} )
144+ while read -r opt; do
145+ if [ ! -z " $opt " && [[ ! " $opt " =~ ^# .* ]]; then
146+ echo $opt >> ${CONFIG_FILE}
147+ fi
148+ done <<< ${force_inclusion_opts} ;
149+ fi
150+
151+ echo
140152 fi
141153
142- echo
154+ echo " process_inclusion_exclusion_files Done"
155+ return $ret
156+ }
157+
158+ exclusion_file= " ../patch/kconfig-exclusions"
159+ inclusion_file= " ../patch/kconfig-inclusions"
160+ force_inclusion_file= " ../patch/kconfig-force-inclusions"
161+ ret_process_inc_ex= 0
162+ ret_process_inc_ex= $( process_inclusion_exclusion_files > /dev/null; echo $? )
163+
164+ # Secure Boot support
165+ if [ $ret_process_inc_ex -eq 0 ]; then
166+ echo " Secure Boot params: SECURE_UPGRADE_MODE=${SECURE_UPGRADE_MODE} , SECURE_UPGRADE_DEV_SIGNING_CERT=${SECURE_UPGRADE_DEV_SIGNING_CERT} "
167+ if [ ${SECURE_UPGRADE_MODE} == " dev" -o ${SECURE_UPGRADE_MODE} == " prod" ; then
168+ echo " set kconfig-secure-boot-exclusions & kconfig-secure-boot-inclusions"
169+
170+ if [ ! -f " ${SECURE_UPGRADE_DEV_SIGNING_CERT} " ; then
171+ echo " ERROR: SECURE_UPGRADE_DEV_SIGNING_CERT=${SECURE_UPGRADE_DEV_SIGNING_CERT} file does not exist"
172+ exit 1
173+ fi
174+
175+ exclusion_file=" ../patch/kconfig-secure-boot-exclusions"
176+ inclusion_file=" ../patch/kconfig-secure-boot-inclusions"
177+ force_inclusion_file=" ../patch/kconfig-force-secure-boot-inclusions"
178+
179+ # save the new pub key in kernel
180+ sed -i " s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\" $SECURE_UPGRADE_DEV_SIGNING_CERT \" |g" ${inclusion_file}
181+
182+ ret_process_inc_ex=$( process_inclusion_exclusion_files > /dev/null; echo $? )
183+ echo " Secure Boot kernel configuration done."
184+ else
185+ echo " no Secure Boot Kernel configuration required."
186+ fi
143187fi
144188
145- exit $ret
189+ exit $ret_process_inc_ex
0 commit comments