On Tue, 05 Apr 2016 00:02:46 +0100 Ben Hutchings <b...@decadent.org.uk> wrote:
> Package: kernel-wedge
> Version: 2.94
> Severity: normal
>
> We will probably implement module signing using detached signatures
> which kmod will concatenate to the modules at load time (see #820010).
> mkinitramfs will need to copy the detached signatures along with all
> the modules it includes in each udeb.

This is copypasta from the initramfs-tools bug.

Since kernel-wedge runs as part of the kernel build process, before any
code is signed, it can't include signatures in module udebs unless we
revert to building udebs separately (which I really don't want to do).

> It might also be necessary to add special support for signed kernel
> images, although linux-signed may end up generating the udebs for
> that directly.

We could extend kernel-wedge to build one or more udebs containing only
the module signatures. This makes a certain amount of sense because we
will otherwise end up including all detached signature files in the
installer images (bloat) or replicating some of kernel-wedge's logic
to work out which are needed (fragile).

Ben.
--
Ben Hutchings
No political challenge can be met by shopping. - George Monbiot