Add secureboot pre-signing to the kernel

If it detects a secure boot certificate at `keys/MOK.key` and `keys/MOK.cer`,
the kernel Makefile will automatically sign the vmlinux / bzImage file that
gets generated, and that is then used in packaging.

By integrating it into the kernel build system directly, it is fully integrated
with targets like `make deb-pkg` (opposed to `make all`, sign, `make bindeb-pkg`)
and it gets added to every tree by the same mechanism that is used to apply the
other surface patches anyways.

Signed-off-by: Dorian Stoll <dorian.stoll@tmsp.io>

.gitignore

@@ -132,6 +132,9 @@ signing_key.priv
 signing_key.x509
 x509.genkey
 
+# Secureboot certificate
+/keys/
+
 # Kconfig presets
 /all.config
 /alldef.config

arch/x86/Makefile

@@ -284,6 +284,7 @@ endif
 	$(Q)$(MAKE) $(build)=$(boot) $(KBUILD_IMAGE)
 	$(Q)mkdir -p $(objtree)/arch/$(UTS_MACHINE)/boot
 	$(Q)ln -fsn ../../x86/boot/bzImage $(objtree)/arch/$(UTS_MACHINE)/boot/$@
+	$(Q)$(srctree)/scripts/sign_kernel.sh $(objtree)/arch/$(UTS_MACHINE)/boot/$@
 
 $(BOOT_TARGETS): vmlinux
 	$(Q)$(MAKE) $(build)=$(boot) $@

scripts/sign_kernel.sh

@@ -0,0 +1,30 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0
+
+# The path to the compiled kernel image is passed as the first argument
+BUILDDIR=$(dirname $(dirname $0))
+VMLINUX=$1
+
+# Keys are stored in a toplevel directory called keys
+# The following files need to be there:
+#     * MOK.priv  (private key)
+#     * MOK.pem   (public key)
+#
+# If the files don't exist, this script will do nothing.
+if [[ ! -f "$BUILDDIR/keys/MOK.key" ]]; then
+    exit 0
+fi
+if [[ ! -f "$BUILDDIR/keys/MOK.crt" ]]; then
+    exit 0
+fi
+
+# Both required certificates were found. Check if sbsign is installed.
+echo "Keys for automatic secureboot signing found."
+if [[ ! -x "$(command -v sbsign)" ]]; then
+    echo "ERROR: sbsign not found!"
+    exit -2
+fi
+
+# Sign the kernel
+sbsign --key $BUILDDIR/keys/MOK.key --cert $BUILDDIR/keys/MOK.crt \
+    --output $VMLINUX $VMLINUX