From fc8894ff62b45cc7a4148a9f6ba51f1afe7b920a Mon Sep 17 00:00:00 2001
From: Andrew Ammerlaan <andrewammerl...@gentoo.org>
Date: Thu, 8 Jun 2023 20:44:58 +0200
Subject: [PATCH] sys-kernel/gentoo-kernel: add USE="modules-sign"

- Enable module signing configure options if requested by the user.
- Respect the linux-mod-r1.eclass variables MODULES_SIGN_HASH and MODULES_SIGN_KEY,
- Warn the user if we are letting the kernel build system generate
the signing key. This key will end up in binary packages. Plus external modules will have to be resigned if gentoo-kernel is re-emerged (i.e. a new key was generated).

Bug: https://bugs.gentoo.org/881651
Bug: https://bugs.gentoo.org/814344
Signed-off-by: Andrew Ammerlaan <andrewammerl...@gentoo.org>
---
 ...8.ebuild => gentoo-kernel-6.3.8.ebuild} | 45 ++++++++++++++++++-
 1 file changed, 44 insertions(+), 1 deletion(-)
rename sys-kernel/gentoo-kernel/{gentoo-kernel-6.3.8.ebuild => gentoo-kernel-6.3.8-r1.ebuild} (71%)

diff --git a/sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8.ebuild b/sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8-r1.ebuild
similarity index 71%
rename from sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8.ebuild
rename to sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8-r1.ebuild
index fd81855a6140a..4bc03564efbe0 100644
--- a/sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8.ebuild
+++ b/sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8-r1.ebuild
@@ -44,7 +44,7 @@ S=${WORKDIR}/${MY_P}

 LICENSE="GPL-2"
 KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ppc ~ppc64 ~riscv ~x86"
-IUSE="debug hardened"
+IUSE="debug hardened modules-sign"
 REQUIRED_USE="arm? ( savedconfig )
        hppa? ( savedconfig )
        riscv? ( savedconfig )"
@@ -136,5 +136,48 @@ src_prepare() {
                merge_configs+=( "${dist_conf_path}/big-endian.config" )
        fi

+       if use modules-sign; then
+               : "${MODULES_SIGN_HASH:=sha512}"
+               cat <<-EOF > "${WORKDIR}/modules-sign.config" || die
+                       ## Enable module signing
+                       CONFIG_MODULE_SIG=y
+                       CONFIG_MODULE_SIG_ALL=y
+                       CONFIG_MODULE_SIG_FORCE=y
+                       CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y
+               EOF
+               if [[ -n "${MODULES_SIGN_KEY}" ]]; then
+                       if [[ -e "${MODULES_SIGN_KEY}" ]]; then
+                               echo 
"CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \
+                                       >> "${WORKDIR}/modules-sign.config"
+                       else
+                               die "MODULES_SIGN_KEY=${MODULES_SIGN_KEY} not 
found!"
+                       fi
+               fi
+               merge_configs+=( "${WORKDIR}/modules-sign.config" )
+       fi
+
        kernel-build_merge_configs "${merge_configs[@]}"
 }
+
+pkg_postinst() {
+       kernel-build_pkg_postinst
+       if use modules-sign; then
+               if [[ -z "${MODULES_SIGN_KEY}" ]]; then
+                       ewarn ""
+                       ewarn "MODULES_SIGN_KEY was not set, this means the kernel 
build system"
+                       ewarn "automatically generated the signing key. This key was 
installed"
+                       ewarn "in 
${EROOT}/usr/src/linux-${PV}${KV_LOCALVERSION}/certs"
+                       ewarn "and will also be included in any binary 
packages."
+                       ewarn "Please take appropriate action to protect the 
key!"
+                       ewarn ""
+                       ewarn "Recompiling this package causes a new key to be 
generated. As"
+                       ewarn "a result any external kernel modules will need to be 
resigned."
+                       ewarn "Use emerge @module-rebuild, or manually sign the 
modules as"
+                       ewarn "described on the wiki [1]"
+                       ewarn ""
+ ewarn "Consider using the MODULES_SIGN_KEY variable to use an external key."
+                       ewarn ""
+                       ewarn "[1]: 
https://wiki.gentoo.org/wiki/Signed_kernel_module_support";
+               fi
+       fi
+}
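Review bot: The MODULES_SIGN_KEY check in src_prepare uses `-e`, which a directory or a key file unreadable by the (userpriv) build user both satisfy, so a bad value is written into CONFIG_MODULE_SIG_KEY and only surfaces later as an opaque kernel-build failure; `[[ -f ${MODULES_SIGN_KEY} && -r ${MODULES_SIGN_KEY} ]] || die` fails early with a clear message (if linux-mod-r1 is meant to accept pkcs11: URIs here, the file test would have to be skipped for those — not visible in this diff). MODULES_SIGN_HASH is likewise interpolated unvalidated into `CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y`; a typo produces a symbol that the merge step would presumably drop, leaving the Kconfig default hash silently in effect while MODULE_SIG_FORCE is still set, so whitelist the values this kernel's certs/Kconfig offers (sha1/224/256/384/512 for 6.3, as far as I recall). The `echo ... >>` append also lacks the `|| die` that the heredoc above it has. The pkg_postinst warning is good; since the generated `certs/signing_key.pem` is a private key, consider wording it to say so explicitly and to tell users to restrict its permissions — the installed file mode is not visible here, so confirm before stating it.
```shell
	if use modules-sign; then
		: "${MODULES_SIGN_HASH:=sha512}"
		case ${MODULES_SIGN_HASH} in
			sha1|sha224|sha256|sha384|sha512) ;;
			*) die "Unsupported MODULES_SIGN_HASH=${MODULES_SIGN_HASH}" ;;
		esac
		# … unchanged: modules-sign.config heredoc …
		if [[ -n ${MODULES_SIGN_KEY} ]]; then
			# Must be a regular file readable by the build user; -e alone accepts
			# directories and root-only files, which fail later inside the kernel build.
			[[ -f ${MODULES_SIGN_KEY} && -r ${MODULES_SIGN_KEY} ]] ||
				die "MODULES_SIGN_KEY=${MODULES_SIGN_KEY} not found or not readable!"
			echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \
				>> "${WORKDIR}/modules-sign.config" || die
		fi
		# … unchanged: merge_configs append …
	fi
```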
