Hello,
Here's what I am trying to achieve:
We are using the kernel signing facility to sign the kernel modules. Everything
works as expected with a hard-coded key (CONFIG_MODULE_SIG_KEY) in the
defconfig. However, we would like to sign using two different keys. The dev
build would have a different key than the production build.
So far what we have is a variable set in our local.conf that points toward the
key to use during the build. This variable is also used by other applications
during the build.
What we tried so far:
- Adding a do_configure_preprend with a sed that modifies ${WORKDIR}/defconfig.
  This didn't work; my change was getting overwritten.
- Adding a do_configure_preprend with a sed that modifies ${B}/.config and then
  running oe_runmake oldconfig:

    sed -i "/CONFIG_MODULE_SIG_KEY=/c\CONFIG_MODULE_SIG_KEY=${RSA_KEY_FOLDER}/${RSA_KEY_NAME}.kernel.pem" ${B}/.config
    yes '' | oe_runmake oldconfig

The changes are then moved to .config.old and if I copy this image to my
platform it says the signature doesn't match. If I look in the
kernel-build-artifacts folder, the certs folder contains the signing_key
automatically generated by the kernel, which means it didn't take my defconfig
modification.
Is there a clean way to achieve this?
Cheers,
Mathieu
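
A check that can be run against ${B}/.config after the configure step to see which module-signing key the build will actually use, as an added example that is not part of the original post. It assumes Kconfig's convention that string symbols are written as quoted values, that certs/signing_key.pem is the kernel's default (auto-generated) key, and that the custom key is given as an absolute path; all function names are hypothetical.

```shell
#!/bin/sh
# Added example: report which module-signing key a kernel .config selects.
# Function names are hypothetical. certs/signing_key.pem is the kernel
# default, for which the build generates its own key.

# Print the raw right-hand side of CONFIG_MODULE_SIG_KEY (last entry wins).
sig_key_raw() {
    sed -n 's/^CONFIG_MODULE_SIG_KEY=//p' "$1" | tail -n 1
}

# Classify the setting: unset | unquoted | default | custom:<path>
sig_key_status() {
    raw=$(sig_key_raw "$1")
    case "$raw" in
        "")    echo "unset" ;;
        \"*\") path=${raw#\"}; path=${path%\"}
               if [ "$path" = "certs/signing_key.pem" ]; then
                   echo "default"
               else
                   echo "custom:$path"
               fi ;;
        *)     echo "unquoted" ;;   # not a valid Kconfig string value
    esac
}

# Rewrite the symbol as a quoted Kconfig string, appending it if absent.
set_sig_key() {
    cfg=$1
    key=$2
    tmp=$(mktemp) || return 1
    grep -v '^CONFIG_MODULE_SIG_KEY=' "$cfg" > "$tmp" || true
    printf 'CONFIG_MODULE_SIG_KEY="%s"\n' "$key" >> "$tmp"
    mv "$tmp" "$cfg"
}

# Succeed only if the config names a custom key file that exists on disk
# (assumes an absolute path, as in the post's ${RSA_KEY_FOLDER}/... value).
require_custom_key() {
    st=$(sig_key_status "$1")
    case "$st" in
        custom:*) [ -f "${st#custom:}" ] ;;
        *)        return 1 ;;
    esac
}
```

Calling `require_custom_key` again on the final .config, after any oldconfig pass, makes the build fail early instead of silently signing with the auto-generated key.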