commit:     72bea0951c0c1fb0019855a0219126690415409a
Author:     Violet Purcell <vimproved <AT> inventati <DOT> org>
AuthorDate: Sat Aug 12 20:59:14 2023 +0000
Commit:     Andrew Ammerlaan <andrewammerlaan <AT> gentoo <DOT> org>
CommitDate: Mon Aug 21 08:38:26 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=72bea095

kernel-build.eclass: Fix separate private and public module signing keys

The kernel expects CONFIG_MODULE_SIG_KEY to be either a pkcs11 URI
containing references to both a private and public key, or a path to a PEM
file containing both the private and public keys. However, currently the
kernel build will fail if MODULES_SIGNING_KEY is set to a PEM file
containing only the private key. This commit adds a step in
kernel-build_merge_configs that concatenates MODULES_SIGNING_KEY and
MODULES_SIGNING_CERT into ${T}/kernel_key.pem if both files exist and
are not the same path. It then sets MODULES_SIGNING_KEY to
${T}/kernel_key.pem. This should fix building with separate private and
public module signing keys.

Signed-off-by: Violet Purcell <vimproved <AT> inventati.org>
Closes: https://github.com/gentoo/gentoo/pull/32275
Signed-off-by: Andrew Ammerlaan <andrewammerlaan <AT> gentoo.org>

 eclass/kernel-build.eclass | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index 49462df7d518..8cf7222dc8ab 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -57,7 +57,8 @@ IUSE="+strip"
 # @DESCRIPTION:
 # If set to a non-null value, adds IUSE=modules-sign and required
 # logic to manipulate the kernel config while respecting the
-# MODULES_SIGN_HASH and MODULES_SIGN_KEY user variables.
+# MODULES_SIGN_HASH, MODULES_SIGN_CERT, and MODULES_SIGN_KEY  user
+# variables.
 
 # @ECLASS_VARIABLE: MODULES_SIGN_HASH
 # @USER_VARIABLE
@@ -89,6 +90,14 @@ IUSE="+strip"
 #
 # Default if unset: certs/signing_key.pem
 
+# @ECLASS_VARIABLE: MODULES_SIGN_CERT
+# @USER_VARIABLE
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# Used with USE=modules-sign.  Can be set to the path of the public
+# key in PEM format to use. Must be specified if MODULES_SIGN_KEY
+# is set to a path of a file that only contains the private key.
+
 if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
        IUSE+=" modules-sign"
        REQUIRED_USE="secureboot? ( modules-sign )"
@@ -402,6 +411,13 @@ kernel-build_merge_configs() {
                                CONFIG_MODULE_SIG_FORCE=y
                                CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y
                        EOF
+                       if [[ -e ${MODULES_SIGN_KEY} && -e ${MODULES_SIGN_CERT} 
&&
+                               ${MODULES_SIGN_KEY} != ${MODULES_SIGN_CERT} &&
+                               ${MODULES_SIGN_KEY} != pkcs11:* ]]
+                       then
+                               cat "${MODULES_SIGN_CERT}" 
"${MODULES_SIGN_KEY}" > "${T}/kernel_key.pem" || die
+                               MODULES_SIGN_KEY="${T}/kernel_key.pem"
+                       fi
                        if [[ ${MODULES_SIGN_KEY} == pkcs11:* || -e 
${MODULES_SIGN_KEY} ]]; then
                                echo 
"CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \
                                        >> "${WORKDIR}/modules-sign.config"
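Review bot: The `cat ... > "${T}/kernel_key.pem"` line writes a copy of the private signing key with whatever the default umask grants, so the copy can end up readable more widely than the original key file the user pointed MODULES_SIGN_KEY at, and it stays in ${T} for as long as that directory persists. Creating it under a restrictive umask keeps the copy as private as the source: `( umask 077; cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" > "${T}/kernel_key.pem" ) || die`. Separately, in the new `[[ ... ]]` the right-hand side of `${MODULES_SIGN_KEY} != ${MODULES_SIGN_CERT}` is unquoted and is therefore treated as a glob pattern rather than a literal path; quoting it as `"${MODULES_SIGN_CERT}"` makes the comparison a plain string test (the `!= pkcs11:*` arm is correctly left unquoted since it is meant as a pattern). The `!= pkcs11:*` test is also redundant here, since `-e ${MODULES_SIGN_KEY}` already fails for a URI, but that is harmless. The enclosing kernel-build_merge_configs starts and ends outside the hunk.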
