Bug: https://bugs.gentoo.org/936402 Signed-off-by: Andrew Ammerlaan <andrewammerl...@gentoo.org> --- eclass/kernel-build.eclass | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-)
diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass index cf060fa83766..fa01be28723f 100644 --- a/eclass/kernel-build.eclass +++ b/eclass/kernel-build.eclass @@ -133,8 +133,28 @@ kernel-build_pkg_setup() { python-any-r1_pkg_setup if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then secureboot_pkg_setup - if [[ -e ${MODULES_SIGN_KEY} && ${MODULES_SIGN_KEY} != pkcs11:* ]]; then - if [[ -e ${MODULES_SIGN_CERT} && ${MODULES_SIGN_CERT} != ${MODULES_SIGN_KEY} ]]; then + + # Sanity check: fail early if key/cert in DER format or does not exist + local openssl_args=( + -noout -nocert + ) + if [[ -n ${MODULES_SIGN_CERT} ]]; then + openssl_args+=( -inform PEM -in "${MODULES_SIGN_CERT}" ) + else + # If no cert specified, we assume the pem key also contains the cert + openssl_args+=( -inform PEM -in "${MODULES_SIGN_KEY}" ) + fi + if [[ ${MODULES_SIGN_KEY} == pkcs11:* ]]; then + openssl_args+=( -engine pkcs11 -keyform ENGINE -key "${MODULES_SIGN_KEY}" ) + else + openssl_args+=( -keyform PEM -key "${MODULES_SIGN_KEY}" ) + fi + + openssl x509 "${openssl_args[@]}" || + die "Kernel module signing certificate or key not found or not PEM format." + + if [[ ${MODULES_SIGN_KEY} != pkcs11:* ]]; then + if [[ ${MODULES_SIGN_CERT} != ${MODULES_SIGN_KEY} ]]; then MODULES_SIGN_KEY_CONTENTS="$(cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" || die)" else MODULES_SIGN_KEY_CONTENTS="$(< "${MODULES_SIGN_KEY}")" -- 2.45.2