• [gentoo-dev] [PATCH 1/2] kernel-build.eclass: sign the kernel image ear

    From Andrew Ammerlaan@21:1/5 to All on Sat Aug 26 21:50:02 2023
    Hi all,

    By signing the kernel image in src_install instead of pkg_postinst the
    signed version is included in any generated binpkg. This is useful for
    enabling secureboot on machines that do not have the secureboot private
    key available.

    This change makes it possible to distribute a signed kernel image in sys-kernel/gentoo-kernel-bin.

    Note, UKIs are always generated locally, so if UKIs are used these will
    still have to be signed in pkg_postinst and therefore the private key is
    still required on all systems with USE=secureboot and uefi=yes in
    dracut.conf.

    Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
    ---
    eclass/kernel-build.eclass | 5 +++++
    1 file changed, 5 insertions(+)

    diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
    index 5b324e036c5f9..035b1e7cd02ac 100644
    --- a/eclass/kernel-build.eclass
    +++ b/eclass/kernel-build.eclass
    @@ -33,6 +33,7 @@ if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
    # If we have enabled module signing IUSE
    # then we can also enable secureboot IUSE
    KERNEL_IUSE_SECUREBOOT=1
    + inherit secureboot
    fi

    inherit multiprocessing python-any-r1 savedconfig toolchain-funcs kernel-install
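    Review bot: `inherit secureboot` lands inside the `if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]` block, so `secureboot_sign_efi_file` is only defined when module signing is enabled; that matches the `KERNEL_IUSE_SECUREBOOT` guard on the new call in `kernel-build_src_install`, which is set in this same block, so the two stay in step. The comment above only explains the IUSE flag; consider extending it to say the eclass itself is inherited conditionally, so a later edit does not move the `inherit` out of the block and lose that coupling.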
    @@ -348,6 +349,10 @@ kernel-build_src_install() {
    dosym "../../../${kernel_dir}" "/lib/modules/${module_ver}/build"
    dosym "../../../${kernel_dir}" "/lib/modules/${module_ver}/source"

    + if [[ ${KERNEL_IUSE_SECUREBOOT} ]]; then
    + secureboot_sign_efi_file "${ED}${kernel_dir}/${image_path}" "${ED}${kernel_dir}/${image_path}"
    + fi
    +
    # unset to at least be out of the environment file in, e.g. shared binpkgs
    unset KBUILD_SIGN_PIN
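    Review bot: the same path `"${ED}${kernel_dir}/${image_path}"` is passed twice to `secureboot_sign_efi_file`, as input and as output; if the function signs in place when given a single argument the second is redundant, and if it does not, the file is simply overwritten by its own signed copy, so either way a one-line comment stating that the image is signed in place would help. The guard also checks only `[[ ${KERNEL_IUSE_SECUREBOOT} ]]`, i.e. that the USE flag is offered, not that `USE=secureboot` is enabled; unless `secureboot_sign_efi_file` itself returns early when the flag is off, every build with module signing enabled will attempt to sign and will need the private key. Confirm that, or wrap the call in `use secureboot &&`. Since the unsigned image in `${ED}` is replaced, a binpkg built with USE=secureboot will only pass Secure Boot on machines where the matching certificate is enrolled.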

    --- SoupG
  • From Andrew Ammerlaan@21:1/5 to All on Sun Aug 27 21:40:01 2023
    From 11c08f41e858561bd71fc5f19b612a7fd365b14a Mon Sep 17 00:00:00 2001
    From: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
    Date: Sat, 26 Aug 2023 21:26:46 +0200
    Subject: [PATCH] kernel-build.eclass: sign the kernel image earlier in
    src_install

    By signing it in src_install instead of pkg_postinst the signed version is
    included in any generated binpkg. This is useful for enabling secureboot
    on machines that do not have the secureboot private key available.

    This change makes it possible to distribute a signed kernel image in sys-kernel/gentoo-kernel-bin.

    Note, UKIs are always generated locally, so if UKIs are used these will
    still have to be signed in pkg_postinst and therefore the private key is
    still required on all systems with USE=secureboot and uefi=yes in
    dracut.conf.

    Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
    ---
    eclass/kernel-build.eclass | 5 +++++
    1 file changed, 5 insertions(+)

    diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
    index 5b324e036c5f9..ca105ee1f1330 100644
    --- a/eclass/kernel-build.eclass
    +++ b/eclass/kernel-build.eclass
    @@ -33,6 +33,7 @@ if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
    # If we have enabled module signing IUSE
    # then we can also enable secureboot IUSE
    KERNEL_IUSE_SECUREBOOT=1
    + inherit secureboot
    fi

    inherit multiprocessing python-any-r1 savedconfig toolchain-funcs kernel-install
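    Review bot: unchanged from the first version; `inherit secureboot` is conditional on `KERNEL_IUSE_MODULES_SIGN`, and the `KERNEL_IUSE_SECUREBOOT` guard used by the new call in `kernel-build_src_install` is set in this same block, so the function is defined whenever it is called. A short addition to the comment above, noting that the inherit is deliberately conditional, would keep that coupling visible to the next person editing this block.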
    @@ -348,6 +349,10 @@ kernel-build_src_install() {
    dosym "../../../${kernel_dir}" "/lib/modules/${module_ver}/build"
    dosym "../../../${kernel_dir}" "/lib/modules/${module_ver}/source"

    + if [[ ${KERNEL_IUSE_SECUREBOOT} ]]; then
    + secureboot_sign_efi_file "${ED}${kernel_dir}/${image_path}"
    + fi
    +
    # unset to at least be out of the environment file in, e.g. shared binpkgs
    unset KBUILD_SIGN_PIN
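    Review bot: dropping the duplicated output argument from the first version makes the call sign `"${ED}${kernel_dir}/${image_path}"` in place, which is what the commit message wants, since the signed image is what ends up in the binpkg. The guard is still only `[[ ${KERNEL_IUSE_SECUREBOOT} ]]`, which tests that the USE flag is offered, not that it is enabled; unless `secureboot_sign_efi_file` is a no-op without `USE=secureboot`, wrap the call in `use secureboot`. Because the unsigned image is overwritten rather than kept alongside, a binpkg produced this way will only boot under Secure Boot where the signing certificate is enrolled; a comment next to the call, or an elog note in the package, would make that expectation explicit.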
