<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Thu, Feb 25, 2016 at 6:29 PM, Sang, Oliver <span dir="ltr"><<a href="mailto:oliver.sang@intel.com" target="_blank">oliver.sang@intel.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div link="blue" vlink="purple" lang="EN-US">
<div>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)">Thanks Akemi,<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)">Then how do I sign my modules? I found kmod(s) from
</span><a href="http://elrepo.org/linux/elrepo/el7/x86_64/RPMS/" target="_blank">http://elrepo.org/linux/elrepo/el7/x86_64/RPMS/</a>
<span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)">are normally signed. And also in kmod rpm spec file -<u></u><u></u></span></p><span class="">
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)"># Sign the modules(s)<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)">%if %{?_with_modsign:1}%{!?_with_modsign:0}<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)"># If the module signing keys are not defined, define them here.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)">%{!?privkey: %define privkey %{_sysconfdir}/pki/SECURE-BOOT-KEY.priv}<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)">%{!?pubkey: %define pubkey %{_sysconfdir}/pki/SECURE-BOOT-KEY.der}<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)">for module in $(find %{buildroot} -type f -name \*.ko);<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)">do %{__perl} /usr/src/kernels/%{kversion}/scripts/sign-file \<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)">sha256 %{privkey} %{pubkey} $module;<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)">done<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)">%endif<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)"><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<u></u> <u></u></span></p>
</span><p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)">But I don’t know how to get these secure-boot keys for my local build. Any help doc? Thanks!<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)">BR<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)">Oliver</span><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:rgb(31,73,125)"><u></u><u></u></span></p>
</div></div></blockquote></div><br></div><div class="gmail_extra">If you are interested in signing modules for Secure Boot, this doc will help:<br><br><a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sect-signing-kernel-modules-for-secure-boot.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sect-signing-kernel-modules-for-secure-boot.html</a><br><br></div><div class="gmail_extra">For signing rpm packages, you should be able to find informative pages by Googling for it.<br><br></div><div class="gmail_extra">Akemi<br></div></div>
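<p>Added example, not part of the original thread or of the ELRepo spec file: a check for whether the sign-file loop quoted above actually left a signature on each .ko, done by parsing the trailer the kernel looks for at the end of a signed module. The layout and numeric codes are taken from the kernel's struct module_signature as an assumption, the function names are hypothetical, and the sample module bytes are constructed.</p>

```python
import struct

# Trailer that sign-file appends after the signature data
# (assumed layout: the kernel's struct module_signature, then the magic string).
MAGIC = b"~Module signature appended~\n"
TRAILER = struct.Struct(">BBBBB3xI")  # algo, hash, id_type, signer_len, key_id_len, pad, sig_len
ID_TYPES = {0: "PGP", 1: "X509", 2: "PKCS7"}
HASHES = {2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512", 7: "sha224"}


def parse_module_signature(blob):
    """Return the trailer fields of a signed .ko image, or None when it is unsigned.

    Checks presence and structure only; it does not verify the signature itself.
    """
    if not blob.endswith(MAGIC):
        return None
    end = len(blob) - len(MAGIC)
    if end < TRAILER.size:
        raise ValueError("magic present but trailer truncated")
    algo, hash_id, id_type, signer_len, key_id_len, sig_len = TRAILER.unpack(
        blob[end - TRAILER.size:end])
    module_len = end - TRAILER.size - signer_len - key_id_len - sig_len
    if module_len < 0:
        raise ValueError("signature lengths exceed file size")
    return {"id_type": ID_TYPES.get(id_type, f"unknown({id_type})"),
            "hash": HASHES.get(hash_id, f"id {hash_id}"),
            "sig_len": sig_len, "module_len": module_len}


def unsigned_modules(images):
    """Names of module images (name -> bytes) that carry no signature trailer."""
    return sorted(name for name, blob in images.items()
                  if parse_module_signature(blob) is None)


def make_signed(module, signer=b"Local build key", key_id=b"\x11" * 20, sig_len=258):
    """Constructed sample: dummy signature bytes laid out as X.509 / sha256."""
    trailer = TRAILER.pack(1, 4, 1, len(signer), len(key_id), sig_len)
    return module + signer + key_id + b"\xaa" * sig_len + trailer + MAGIC


# Constructed inputs, not real kernel modules.
PLAIN = b"\x7fELF" + b"\x00" * 60
SAMPLES = {"signed.ko": make_signed(PLAIN), "plain.ko": PLAIN}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, parse_module_signature(blob))
    print("unsigned:", unsigned_modules(SAMPLES))
```

<p>To use it on a real build, read each .ko under the buildroot in binary mode and pass the bytes to parse_module_signature; a None result means the signing step was skipped for that file.</p>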