Draft: [dhd] Allow bundling keys into kernel and bootloader. JB#54649 OMP#OS-7115#302
Draft: [dhd] Allow bundling keys into kernel and bootloader. JB#54649 OMP#OS-7115#302dseight wants to merge 1 commit into
Conversation
…-7115 Signed-off-by: Dmitry Gerasimov <d.gerasimov@omp.ru>
Thaodan
left a comment
There was a problem hiding this comment.
this looks very vendor specific is that standardized between vendors e.g other socs?
|
|
||
| # Copy trusted keys into kernel source directory | ||
| echo "$KERNEL_DIRS" | | ||
| while IFS= read -r kernel; do |
There was a problem hiding this comment.
You can directly pass the find output to read, see: https://github.com/koalaman/shellcheck/wiki/SC2044
There was a problem hiding this comment.
Passing output directly is a bash-specific thing, it won't work with plain POSIX shell. Is it okay to use bashisms here?
| # Copy trusted keys into kernel source directory | ||
| echo "$KERNEL_DIRS" | | ||
| while IFS= read -r kernel; do | ||
| cp -r /etc/keys/kernel/* ${kernel}/ |
There was a problem hiding this comment.
This looks weird how could or should come these keys from the rootfs of the build host?
There was a problem hiding this comment.
They are supposed to be provided by system-keys-kernel package.
There was a problem hiding this comment.
Shouldn't they go then into /usr/lib?
There was a problem hiding this comment.
/usr/lib is intended for storing object files and libraries. But keys are neither of them, they are much closer to configuration files (which should go into /etc/*). Also, Linux Kernel is using /etc/keys/ path by default for storing IMA certificate.
So, /etc/keys seems to be a better fit here.
There was a problem hiding this comment.
Package supplied configuration files that should not be edited are now days in /usr/lib not in /etc, etc is for file created outside of the package-manager or those that should be edit.
Also note that the FHS is out of date and doesn't reflect the current state of things (see e.g. UsrMove).
There was a problem hiding this comment.
While I am agree on moving static data to /usr (which especially makes sense on RO filesystems), I'm not really sure that /usr/lib fits well for storing keys and certificates.
Maybe /usr/share then? As /usr/lib is primarily targeted for storing executable things (e.g. libraries and plugins), and quite rarely used for storing arbitrary data.
All of the vendors that I've seen so far use the same paths for bootloader. At least, these paths are the same on something like a 15 different device models (most of them were Mediatek-based devices and some are Qualcomm-based devices). |
No description provided.