ning Posted March 27, 2020 Posted March 27, 2020 before you start: Armbian already provides kernel build script in armbian build framework, and you can download these packages via `apt` in common cases, you shouldn't build kernel yourself, even you want to build a customer kernel package, you should use armbian build framework. because you can get best supports. so below content is only for experts. prepare source code: 1, stable linux kernel source code: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux.git 2, armbian build framework, for patches and kernel config https://github.com/armbian/build 3, debian linux build rules: git clone https://salsa.debian.org/kernel-team/linux.git --depth=1 optional: checkout to a branch to build a different kernel version, current version is 5.5.8 4, add patches to debian linux build rules: copy all family patches to <debian-rules>/debian/patches/ add all your patches to <debian-rules>/debian/patches/series make sure all your patch are appliable to mainline kernel. optional: remove all debian's kernel patch, only leave armbian kernel patch. 5, apply the patches. apt install devscripts cd <debian-rules> debian/bin/genorig.py <path-to-stable-linux> debian/rules orig 6, copy kernel config to <debian-rules>/config/[armhf, arm64]/config prepare native armhf/arm64 build env 1, donwload armbian's prebuild rootfs, or use debootstrap. 2, mount dev, sys, proc, tmp to armhf/arm64 rootfs. reference: https://github.com/armbian/build/blob/master/lib/image-helpers.sh#L27 3, mount <debian-rules> to armhf/arm64 rootfs. start build, in chroot rootfs 1, cd <debian-rule> 2, apt install devscripts fakeroot 3, debian/rules debian/control DEBIAN_KERNEL_DISABLE_INSTALLER=true 4, debuild -i -us -uc -b # do it only once, to let build system promt missing build depends. you need to install all build depends at this step. 5, fakeroot debian/rules binary or fakeroot debian/rules binary-arch 6, long wait. 1
ning Posted April 22, 2020 Author Posted April 22, 2020 after you understanding how to build Debian-flavor kernel packages for armbian, the next task is how to build a signed kernel debs, because the output of 1st step is unsigned kernel package. in this part I will give you two methods to build a signed kernel packages. 1, the "kernel" way just follow https://www.kernel.org/doc/html/latest/admin-guide/module-signing.html to edit your kernel config, enable below configs: CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_SHA256=y CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" CONFIG_MODULE_SIG_ALL=y and rebuild your kernel packages. during build, kernel modules will be signed automatically with build-time-generated sign key. or you can provide your own key to replace "certs/signing_key.pem" but in this step you will still get "unsigned" kernel packages. we can use linux-image-arm64-signed-template to rebuild kernel packages. a, install unsigned linux-image, linux-support, linux-image-arm64-signed-template. b, cd /usr/share/code-signing/linux-image-arm64-signed-template/source-template c, run debuild -i -us -uc -b d, get signed linux-image packages. 2, the "Debian" way. we need https://github.com/helen-fornazier/dsigning-box to sign kernel modules. build and install this tool. Note: this tool is used for UEFI trusted boot, we can also use it for kernel module sign. if we need to enable ARM Trusted Boot, we also need this tool. 1, use debuild -i -us -uc -b to build dsigning-box and install it. 2, prepare your owner key, public/provate key pair. 3, enable below config: CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_SHA256=y CONFIG_SYSTEM_TRUSTED_KEYS="path/to/your/public_key.pem" 4, rebuild kernel 5, install unsigned linux-image, linux-kbuild, linux-support, linux-image-arm64-signed-template 6, decompress unsigned linux-image, remove vmlinux from boot/, and compress to tar.xz 7, configure dsigning-box: edit secure-boot-code-sign.conf set: IMG_DIR to where you can find your newly created tar.xz SIG_DIR to where you want to put signed file. LINUX_SIGNFILE to you kernel sign-file, changed according to kernel version. LINUX_MODULES_PRIVKEY to abs path to your kernel private_key.pem LINUX_MODULES_CERT to abs path to you kernel public_key.pem 8, sign kernel module, secure-boot-code-sign <linux-image-xxxx>.tar.xz 9, find signed-linux-image-xxxx.tar.xz from SIG_DIR and decompress it to /usr/share/code-signing/linux-image-arm64-signed-template/source-template/debian/signature [you need to correct the folder name according failures in next step] 10, cd /usr/share/code-signing/linux-image-arm64-signed-template/source-template, run debuild -i -us -uc -b, [you will get error msg, but build still finishes, please use the error msg to correct step 9, and rebuild.] 11, get signed linux-image packages.
ning Posted May 6, 2020 Author Posted May 6, 2020 from 1st and 2nd posts, you already knows how to use debian linux build framework to build a module signed kernel for your armbian with your own kernel configure. but you may ask is my kernel missing some features required by debian? how can I know it? and how to fix it. the answer to these 3 questions are depends on your current kernel configurations, but it difficult to read and compare each kernel configuration with debian's kernel configuration. let me tell you how debian build its own kernel configurations, then you can answer these questions yourself. The formula: Debian kernel configuration = common configs + arch specific configs + flavor configs + kernel autoselected configs. here common configs are core debian features, which is in file debian/config/config arch configs are needed for debian to run on an arch, which are in files: debian/<arch>/config flavor configs are tune debian kernel into some flavor, eg rt kernel. debian/config/config.rt the 3 kinds of configs are write in config files, only define 5% kernel configs, and the rest are kernel autoselected. at this point, you need only to change arch related configs to make the kernel runs on your device. here are steps to make the change. 1, use debian defualt config to rebuild your kernel. stop after .config is created. 2, use meld to compare your config file and .config. only take care the configs missing in .config, do not touch the configs added in .config. 3, add missing config in arch config now you get the missing configs to run on your devices. 1
Recommended Posts