[gentoo-dev] [PATCH] kernel-build.eclass: copy module signing key to tempdir in, pkg_setup

Andrew Ammerlaan Fri, 24 Nov 2023 01:10:07 -0800

Patch from https://github.com/gentoo/gentoo/pull/33850

Note that we only have this problem here, and not in linux-mod-r1.eclassor secureboot.eclass, because in the latter two eclasses the signing isdone in src_install while the kernel build system requires the key insrc_compile. src_install has root privileges, src_compile does not.

This is a better solution then simply having the key readable by theportage user on the file system directly.


Best regards,
Andrew

From aacf155e66f42a4ccd33a666e29210042659ad90 Mon Sep 17 00:00:00 2001
From: Violet Purcell <vimpro...@inventati.org>
Date: Thu, 16 Nov 2023 12:23:16 -0500

Subject: [PATCH] kernel-build.eclass: copy module signing key to tempdirin pkg_setup


Previously, it was being copied in src_prepare, and thus would fail if
the signing key was not readable by portage:portage. This commit makes
kernel-build.eclass instead copy the signing key in pkg_setup, and then
correct the permissions.

Signed-off-by: Violet Purcell <vimpro...@inventati.org>
---
 eclass/kernel-build.eclass | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index 4f7e4d0477393..6f18bc1dc9694 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -114,6 +114,16 @@ kernel-build_pkg_setup() {
        python-any-r1_pkg_setup
        if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
                secureboot_pkg_setup
+               if [[ -e ${MODULES_SIGN_KEY} && ${MODULES_SIGN_KEY} != pkcs11:* 
]]; then

+ if [[ -e ${MODULES_SIGN_CERT} && ${MODULES_SIGN_CERT} !=${MODULES_SIGN_KEY} ]]; then+ cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" >"${T}/kernel_key.pem" || die

+                       else
+                               cp "${MODULES_SIGN_KEY}" "${T}/kernel_key.pem" 
|| die
+                       fi
+                       chown portage:portage "${T}/kernel_key.pem" || die
+                       chmod 0400 "${T}/kernel_key.pem" || die
+                       export MODULES_SIGN_KEY="${T}/kernel_key.pem"
+               fi
        fi
 }

@@ -427,13 +437,6 @@ kernel-build_merge_configs() {
                                CONFIG_MODULE_SIG_FORCE=y
                                CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y
                        EOF
-                       if [[ -e ${MODULES_SIGN_KEY} && -e ${MODULES_SIGN_CERT} 
&&
-                               ${MODULES_SIGN_KEY} != ${MODULES_SIGN_CERT} &&
-                               ${MODULES_SIGN_KEY} != pkcs11:* ]]
-                       then

- cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" >"${T}/kernel_key.pem" || die

-                               MODULES_SIGN_KEY="${T}/kernel_key.pem"
-                       fi

if [[ ${MODULES_SIGN_KEY} == pkcs11:* || -r ${MODULES_SIGN_KEY} ]];then

                                echo 
"CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \
                                        >> "${WORKDIR}/modules-sign.config"

[gentoo-dev] [PATCH] kernel-build.eclass: copy module signing key to tempdir in, pkg_setup

Reply via email to