• [gentoo-dev] [PATCH 0/5]: Introduce secureboot.eclass

    From Andrew Ammerlaan@21:1/5 to All on Fri Jul 14 10:50:02 2023
    Hi all,

    Now that we have support for unified kernel images and signed kernel
    modules in gentoo-kernel and via linux-mod-r1.eclass the logical next
    step is to also make it possible to sign the kernel images, bootloaders,
    and other EFI executables. This makes it possible to enable Secure Boot,
    i.e. the verification of these files by the system firmware prior to
    booting.

    For this purpose I'd like to introduce secureboot.eclass with a matching
    global USE flag. The eclass is simple: we use the user-defined variables
    SECUREBOOT_SIGN_KEY and SECUREBOOT_SIGN_CERT and call sbsign from
    app-crypt/sbsigntools to sign the EFI executables (or other files).

    Sure, you can call sbsign manually, but then you will have to do it
    manually on every update of every file involved in the boot chain. This
    is prone to break by accident sooner or later.

    By signing the EFI executables during emerge we ensure that the files on
    the file system are always signed. Any tooling that then installs or
    updates these files to the EFI system partition will then always use the
    pre-signed files. Therefore the chance of the boot process breaking with
    Secure Boot enabled reduces significantly.

    The following emails will contain the new eclass and small patches to
    the eclasses involved in building the gentoo-kernel. Further patches to
    individual packages can be found in the accompanying PR [1]. Basically
    all that is required to make this work in an ebuild is to: inherit the
    eclass, define pkg_setup to call secureboot_pkg_setup, and call
    secureboot_auto_sign in src_install.

    Best regards,
    Andrew


    [1] https://github.com/gentoo/gentoo/pull/31843

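
A check that could be run over an installed image directory to confirm that signing at emerge time, as described in the message above, left no EFI executable unsigned. This is an added example, not part of the original message or of the eclass. It tests only for the presence of a PE certificate table (where an embedded sbsign signature is stored), not its validity against SECUREBOOT_SIGN_CERT; all function names and the sample files are constructed for illustration.

```python
import struct
import tempfile
from pathlib import Path

CERT_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY, the slot a signing tool fills

def signature_size(data):
    """Certificate table size of a PE image; None if data is not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (pe,) = struct.unpack_from("<I", data, 0x3C)
    opt = pe + 24  # optional header: after "PE\0\0" and the 20-byte COFF header
    if data[pe:pe + 4] != b"PE\0\0" or opt + 2 > len(data):
        return None
    # Data directories start 96 bytes into a PE32 optional header, 112 for PE32+.
    dirs = {0x10B: 96, 0x20B: 112}.get(struct.unpack_from("<H", data, opt)[0])
    if dirs is None or opt + dirs + 8 * (CERT_DIR + 1) > len(data):
        return None
    (count,) = struct.unpack_from("<I", data, opt + dirs - 4)
    offset, size = struct.unpack_from("<II", data, opt + dirs + 8 * CERT_DIR)
    # Missing slot, empty slot, or a table past end of file all count as unsigned.
    return size if count > CERT_DIR and size and offset + size <= len(data) else 0

def unsigned_efi_files(root):
    """Relative paths of PE images under root that carry no signature."""
    root = Path(root)
    return sorted(str(p.relative_to(root)) for p in root.rglob("*")
                  if p.is_file() and signature_size(p.read_bytes()) == 0)

def make_pe(signed):
    """Constructed minimal PE32+ header for the demo, not a bootable image."""
    img = bytearray(0x200)
    img[:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)       # e_lfanew
    struct.pack_into("<H", img, 0x58, 0x20B)      # PE32+ magic
    struct.pack_into("<I", img, 0x58 + 108, 16)   # NumberOfRvaAndSizes
    if signed:  # point the certificate slot at 8 stand-in bytes appended below
        struct.pack_into("<II", img, 0x58 + 112 + 8 * CERT_DIR, 0x200, 8)
        img += bytes(8)
    return bytes(img)

def demo():
    # Constructed sample tree: one signed image, one unsigned image, one non-PE file.
    samples = {"grubx64.efi": make_pe(True), "vmlinuz.efi": make_pe(False), "README": b"text"}
    with tempfile.TemporaryDirectory() as root:
        for name, blob in samples.items():
            Path(root, name).write_bytes(blob)
        return unsigned_efi_files(root)
```

Non-PE files are skipped rather than reported, so the check can be pointed at a directory that mixes EFI executables with other files.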