-e CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE \
-e CONFIG_SYSFB_SIMPLEFB \
-e CONFIG_DRM_SIMPLEDRM \
--d CONFIG_MODULE_SIG \
+-e CONFIG_MODULE_SIG \
+-e CONFIG_MODULE_SIG_ALL \
+-e CONFIG_MODULE_SIG_FORMAT \
+--set-str CONFIG_MODULE_SIG_HASH sha512 \
+--set-str CONFIG_MODULE_SIG_KEY certs/signing_key.pem \
+-e CONFIG_MODULE_SIG_KEY_TYPE_RSA \
+-e CONFIG_MODULE_SIG_SHA512 \
-d CONFIG_MEMCG_DISABLED \
-e CONFIG_MEMCG_SWAP_ENABLED \
-e CONFIG_HYPERV \
-e CONFIG_UNWINDER_FRAME_POINTER \
--set-str CONFIG_SYSTEM_TRUSTED_KEYS ""\
--set-str CONFIG_SYSTEM_REVOCATION_KEYS ""\
--d CONFIG_SECURITY_LOCKDOWN_LSM \
--d CONFIG_SECURITY_LOCKDOWN_LSM_EARLY \
---set-str CONFIG_LSM yama,integrity,apparmor \
+-e CONFIG_SECURITY_LOCKDOWN_LSM \
+-e CONFIG_SECURITY_LOCKDOWN_LSM_EARLY \
+--set-str CONFIG_LSM lockdown,yama,integrity,apparmor \
-e CONFIG_PAGE_TABLE_ISOLATION
debian/control: $(wildcard debian/*.in)
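Review bot: CONFIG_MODULE_SIG_FORCE is not enabled next to the new `-e CONFIG_MODULE_SIG` / `-e CONFIG_MODULE_SIG_ALL` lines, so signature checking stays advisory: an unsigned or tampered module still loads (tainting the kernel) on a host where the lockdown LSM is not in integrity mode, and enforcement rests on lockdown being engaged at boot. If that is deliberate, to keep out-of-tree/DKMS modules loadable, it deserves a comment such as `# MODULE_SIG without MODULE_SIG_FORCE: enforced only under lockdown` beside these options; otherwise add `-e CONFIG_MODULE_SIG_FORCE \`. The `--set-str CONFIG_LSM lockdown,...` line only adds lockdown to the LSM list; whatever switches it into integrity mode is not visible in this hunk. The backslash-continued command these options belong to starts before this hunk.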
# strip debug info
find debian/$(PMX_KERNEL_PKG)/lib/modules -name \*.ko -print | while read f ; do strip --strip-debug "$$f"; done
+
+ # sign modules using ephemeral, embedded key
+ if grep -q CONFIG_MODULE_SIG=y ubuntu-kernel/.config ; then \
+ find debian/$(PMX_KERNEL_PKG)/lib/modules -name \*.ko -print | while read f ; do \
+ ./ubuntu-kernel/scripts/sign-file sha512 ./ubuntu-kernel/certs/signing_key.pem ubuntu-kernel/certs/signing_key.x509 "$$f" ; \
+ done; \
+ rm ./ubuntu-kernel/certs/signing_key.pem ; \
+ fi
# finalize
/sbin/depmod -b debian/$(PMX_KERNEL_PKG)/ $(KVNAME)
# Autogenerate blacklist for watchdog devices (see README)
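Review bot: A failing sign-file call does not fail the build: the `find | while … done` pipeline exits with the status of the last loop iteration only, and the `if … fi` then reports the status of the final `rm`, so a module left unsigned would surface only at load time on a lockdown/Secure Boot host. Make each iteration fatal and propagate it out of the pipeline, e.g. `./ubuntu-kernel/scripts/sign-file sha512 ./ubuntu-kernel/certs/signing_key.pem ubuntu-kernel/certs/signing_key.x509 "$$f" || exit 1 ; \` and `done || exit 1 ; \`. The signing loop must also stay after the strip loop, since strip rewrites the .ko and discards an appended signature; extending the comment to `# sign modules using ephemeral, embedded key (after strip, which drops the signature)` would make that ordering constraint explicit. The recipe this belongs to starts before this hunk.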