Draft: [dhd] Allow bundling keys into kernel and bootloader. JB#54649 OMP#OS-7115

[dseight]

No description provided.

[Thaodan]

this looks very vendor specific is that standardized between vendors e.g other socs?

[Thaodan]

You can directly pass the find output to read, see: https://github.com/koalaman/shellcheck/wiki/SC2044

[dseight]

Passing output directly is a bash-specific thing, it won't work with plain POSIX shell. Is it okay to use bashisms here?

[Thaodan]

This looks weird how could or should come these keys from the rootfs of the build host?

[dseight]

They are supposed to be provided by system-keys-kernel package.

[Thaodan]

Shouldn't they go then into /usr/lib?

[dseight]

/usr/lib is intended for storing object files and libraries. But keys are neither of them, they are much closer to configuration files (which should go into /etc/*). Also, Linux Kernel is using /etc/keys/ path by default for storing IMA certificate.

So, /etc/keys seems to be a better fit here.

[Thaodan]

Package supplied configuration files that should not be edited are now days in /usr/lib not in /etc, etc is for file created outside of the package-manager or those that should be edit.
Also note that the FHS is out of date and doesn't reflect the current state of things (see e.g. UsrMove).

[dseight]

While I am agree on moving static data to /usr (which especially makes sense on RO filesystems), I'm not really sure that /usr/lib fits well for storing keys and certificates.

Maybe /usr/share then? As /usr/lib is primarily targeted for storing executable things (e.g. libraries and plugins), and quite rarely used for storing arbitrary data.

[dseight]

this looks very vendor specific is that standardized between vendors e.g other socs?

All of the vendors that I've seen so far use the same paths for bootloader. At least, these paths are the same on something like a 15 different device models (most of them were Mediatek-based devices and some are Qualcomm-based devices).