Patch from https://github.com/gentoo/gentoo/pull/33850

Note that we only have this problem here, and not in linux-mod-r1.eclass
or secureboot.eclass, because in the latter two eclasses the signing is
done in src_install while the kernel build system requires the key in src_compile. src_install has root privileges, src_compile does not.

This is a better solution then simply having the key readable by the
portage user on the file system directly.

Best regards,
Andrew

From aacf155e66f42a4ccd33a666e29210042659ad90 Mon Sep 17 00:00:00 2001
From: Violet Purcell <vimproved@inventati.org>
Date: Thu, 16 Nov 2023 12:23:16 -0500
Subject: [PATCH] kernel-build.eclass: copy module signing key to tempdir
in pkg_setup

Previously, it was being copied in src_prepare, and thus would fail if
the signing key was not readable by portage:portage. This commit makes kernel-build.eclass instead copy the signing key in pkg_setup, and then
correct the permissions.

Signed-off-by: Violet Purcell <vimproved@inventati.org>
---
eclass/kernel-build.eclass | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index 4f7e4d0477393..6f18bc1dc9694 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -114,6 +114,16 @@ kernel-build_pkg_setup() {
python-any-r1_pkg_setup
if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
secureboot_pkg_setup
+ if [[ -e ${MODULES_SIGN_KEY} && ${MODULES_SIGN_KEY} != pkcs11:* ]]; then
+ if [[ -e ${MODULES_SIGN_CERT} && ${MODULES_SIGN_CERT} !=
${MODULES_SIGN_KEY} ]]; then
+ cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" >
"${T}/kernel_key.pem" || die
+ else
+ cp "${MODULES_SIGN_KEY}" "${T}/kernel_key.pem" || die
+ fi
+ chown portage:portage "${T}/kernel_key.pem" || die
+ chmod 0400 "${T}/kernel_key.pem" || die
+ export MODULES_SIGN_KEY="${T}/kernel_key.pem"
+ fi
fi
}

@@ -427,13 +437,6 @@ kernel-build_merge_configs() {
CONFIG_MODULE_S