Forum: >>> Magnum BBS <<<

[gentoo-dev] [PATCH] kernel-build.eclass: work around permissions issue

From Violet Purcell@21:1/5 to All on Mon Nov 27 18:20:01 2023

Currently, using a custom path for MODULES_SIGN_KEY requires the key to
be readable by portage:portage. This is not ideal for security, since
the file has to be either owned by portage:portage or readable by all
users in this case. Instead, export the contents of MODULES_SIGN_KEY to
a variable in pkg_setup, and then create a temporary file with it in src_configure to ensure that the temporary key is readable by the user
that the kernel is being built as. The variable is then unset so it does
not end up in the final environment file.

Signed-off-by: Violet Purcell <vimproved@inventati.org>
---
eclass/kernel-build.eclass | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index 4f7e4d047739..cf958c86ff29 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -114,6 +114,13 @@ kernel-build_pkg_setup() {
python-any-r1_pkg_setup
if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
secureboot_pkg_setup
+ if [[ -e ${MODULES_SIGN_KEY} && ${MODULES_SIGN_KEY} != pkcs11:* ]]; then
+ if [[ -e ${MODULES_SIGN_CERT} && ${MODULES_SIGN_CERT} != ${MODULES_SIGN_KEY} ]]; then
+ export MODULES_SIGN_KEY_CONTENTS="$(cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}")"
+ else
+ export MODULES_SIGN_KEY_CONTENTS="$(< "${MODULES_SIGN_KEY}")"
+ fi
+ fi
fi
}

@@ -427,12 +434,12 @@ kernel-build_merge_configs() {
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y
EOF
- if [[ -e ${MODULES_SIGN_KEY} && -e ${MODULES_SIGN_CERT} &&
- ${MODUL

Who's Online
Recent Visitors
- Guest
  Wed Jan 15 06:29:08 2025
  from /bin/busybox Cat /proc/self/ex via Raw
- Guest
  Wed Jan 15 02:17:27 2025
  from /bin/busybox Cat /proc/self/ex via Raw
- Keyop
  Tue Jan 14 23:13:56 2025
  from Huddersfield, West Yorkshire via SSH
- Bob Worm
  Tue Jan 14 21:42:40 2025
  from Wales, Uk via Telnet
- Guest
  Tue Jan 14 09:13:19 2025
  from /bin/busybox Cat /proc/self/ex via Raw
- Bob Worm
  Tue Jan 14 07:58:29 2025
  from Wales, Uk via Telnet
- Guest
  Tue Jan 14 07:27:58 2025
  from /bin/busybox Cat /proc/self/ex via Raw
- Guest
  Tue Jan 14 02:15:49 2025
  from /bin/busybox Cat /proc/self/ex via Raw

System Info

Sysop:	Keyop
Location:	Huddersfield, West Yorkshire, UK
Users:	399
Nodes:	16 (2 / 14)
Uptime:	101:27:58
Calls:	8,363
Calls today:	2
Files:	13,165
Messages:	5,897,912

[gentoo-dev] [PATCH] kernel-build.eclass: work around permissions issue

Who's Online

Recent Visitors

System Info