The packaging changes will add support for building a FIT kernel binary
blob which can be subsequently signed. These FIT-signed kernels will be
consumed by snapcraft recipes to build kernel snaps for platforms with
U-Boot bootloader enforcing secure boot.
Minimal. These patches add new signing logic and build script around
'fit_signed' variable. The current build for generic kernels should not be
Shrirang Bagul (2):
UBUNTU: [Packaging] add rules to build FIT image
UBUNTU: [Packaging] force creation of headers directory
It seems odd to me that you're putting both the vmlinuz and the fit
image into the signing tarball. Is there a reason for this other than
the fact that build-fit expects to find it there? If not, I think it
would be preferable to leave it out and pass the path to the vmlinuz to
> + # Build FIT image now that the modules folder exists
> + $(SHELL) $(DROOT)/scripts/build-fit \
> + $(CURDIR)/$(DEBIAN)/$(fit_its) \
I assume fit_its will be defined in an <arch>.mk file?
Note that there's an assumption here that the kernel image will be named
vmlinuz-*, whereas the name is actually based on the install_file
variable from the <arch>.mk file. If the path to the kernel image was
passed as an argument then it would be unnecessary.