From: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: [gentoo-dev] [PATCH 1/2] kernel-build.eclass: sign the kernel image earlier in, src_install
Date: Sat, 26 Aug 2023 21:44:02 +0200 [thread overview]
Message-ID: <1d64b8dd-4958-419b-93e0-fccb28674180@gentoo.org> (raw)
Hi all,
By signing the kernel image in src_install instead of pkg_postinst the signed version is included in any generated binpkg. This is useful for enabling secureboot on machines that do not have the secureboot private key available. This change makes it possible to distribute a signed kernel image in sys-kernel/gentoo-kernel-bin.

Note: UKIs are always generated locally, so if UKIs are used these will still have to be signed in pkg_postinst and therefore the private key is still required on all systems with USE=secureboot and uefi=yes in dracut.conf.
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
---
eclass/kernel-build.eclass | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index 5b324e036c5f9..035b1e7cd02ac 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -33,6 +33,7 @@ if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
# If we have enabled module signing IUSE
# then we can also enable secureboot IUSE
KERNEL_IUSE_SECUREBOOT=1
+ inherit secureboot
fi
inherit multiprocessing python-any-r1 savedconfig toolchain-funcs
kernel-install
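Review bot: the `inherit secureboot` is added inside the `if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]` branch without updating the two-line comment above it, which still only explains why KERNEL_IUSE_SECUREBOOT is set; extend that comment so the conditional inherit is documented (e.g. `# ... and pull in secureboot.eclass so src_install can sign the image`). Because secureboot_sign_efi_file is then only defined when KERNEL_IUSE_MODULES_SIGN is set, every caller in this eclass has to stay behind a KERNEL_IUSE_SECUREBOOT guard, which is set in the same branch, so the two conditions cannot drift apart.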
@@ -348,6 +349,10 @@ kernel-build_src_install() {
dosym "../../../${kernel_dir}" "/lib/modules/${module_ver}/build"
dosym "../../../${kernel_dir}" "/lib/modules/${module_ver}/source"
+ if [[ ${KERNEL_IUSE_SECUREBOOT} ]]; then
+ secureboot_sign_efi_file "${ED}${kernel_dir}/${image_path}"
"${ED}${kernel_dir}/${image_path}"
+ fi
+
# unset to at least be out of the environment file in, e.g. shared
binpkgs
unset KBUILD_SIGN_PIN
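Review bot: the new call is guarded only by `[[ ${KERNEL_IUSE_SECUREBOOT} ]]`, i.e. by whether the secureboot USE flag exists, not by `use secureboot`; unless secureboot_sign_efi_file itself returns early when the flag is disabled, every build with KERNEL_IUSE_MODULES_SIGN set would try to sign and die without a key, so either make the guard `[[ ${KERNEL_IUSE_SECUREBOOT} ]] && use secureboot` or state in the commit message that the helper checks the flag. The same path is also passed as both input and output; if secureboot_sign_efi_file does not handle in-place signing, it overwrites the file it is reading, and letting the helper accept a single argument for the in-place case (as the 3/3 v2 patch in this thread proposes) would make the intent explicit here.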
Thread overview: 5+ messages
2023-08-26 19:44 Andrew Ammerlaan [this message]
2023-08-26 19:44 ` [gentoo-dev] [PATCH 1/2] kernel-build.eclass: sign the kernel image earlier in, src_install Andrew Ammerlaan
2023-08-27 19:34 ` [gentoo-dev] [PATCH 2/3] dist-kernel-utils.eclass: only sign image if it is a UKI Andrew Ammerlaan
2023-08-27 19:33 ` [gentoo-dev] [PATCH 1/3 v2] kernel-build.eclass: sign the kernel image earlier in, src_install Andrew Ammerlaan
2023-08-27 19:35 ` [gentoo-dev] [PATCH 3/3 v2] secureboot.eclass: secureboot_sign_efi_file allow call with 1 Andrew Ammerlaan
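With the signed image shipped inside the binpkg, a consumer who does not hold the private key still wants to check that the file they unpack actually carries an Authenticode signature before enabling Secure Boot. The following is an added example, not code from the Gentoo eclasses or this patch: it walks the PE/COFF headers of an EFI image (bzImage or UKI) to the Security data directory and lists the embedded WIN_CERTIFICATE entries. It only detects the presence and shape of a signature; validating it against a trusted certificate is left to `sbverify --cert <cert.pem> <image>`. The `build_test_image` helper produces a constructed, minimal PE32+ file for offline use, not a real kernel image.

```python
"""Detect an Authenticode signature in a PE/COFF EFI image (added example)."""
import struct
import sys

SECURITY_DIR_INDEX = 4             # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def _u16(b, off):
    return struct.unpack_from("<H", b, off)[0]


def _u32(b, off):
    return struct.unpack_from("<I", b, off)[0]


def security_directory(image: bytes):
    """Return (file offset, size) of the Security data directory, or None."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ header)")
    pe_off = _u32(image, 0x3C)
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = pe_off + 4 + 20                # optional header follows COFF header
    magic = _u16(image, opt_off)
    if magic == 0x20B:                       # PE32+ (what x86_64 EFI images use)
        n_dirs_off, dirs_off = opt_off + 108, opt_off + 112
    elif magic == 0x10B:                     # PE32
        n_dirs_off, dirs_off = opt_off + 92, opt_off + 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if _u32(image, n_dirs_off) <= SECURITY_DIR_INDEX:
        return None
    entry = dirs_off + 8 * SECURITY_DIR_INDEX
    off, size = _u32(image, entry), _u32(image, entry + 4)
    # Unlike other directories this entry holds a raw file offset, not an RVA.
    return (off, size) if off and size else None


def signature_report(image: bytes) -> dict:
    """Walk the WIN_CERTIFICATE table and report what the image embeds."""
    report = {"signed": False, "certificates": [], "problems": []}
    sec = security_directory(image)
    if sec is None:
        return report
    off, end = sec[0], sec[0] + sec[1]
    if end > len(image):
        report["problems"].append("security directory runs past end of file")
        return report
    while off + 8 <= end:
        length, revision, ctype = _u32(image, off), _u16(image, off + 4), _u16(image, off + 6)
        if length < 8 or off + length > end:
            report["problems"].append(f"bad WIN_CERTIFICATE length {length} at {off:#x}")
            break
        if revision != WIN_CERT_REVISION_2_0:
            report["problems"].append(f"unexpected revision {revision:#x} at {off:#x}")
        if ctype != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            report["problems"].append(f"unexpected certificate type {ctype:#x} at {off:#x}")
        report["certificates"].append(
            {"offset": off, "length": length, "revision": revision, "type": ctype,
             "pkcs7": image[off + 8:off + length]})
        off += (length + 7) & ~7             # entries are 8-byte aligned
    report["signed"] = bool(report["certificates"]) and not report["problems"]
    return report


def build_test_image(signed: bool) -> bytes:
    """Constructed minimal PE32+ file for testing; NOT a real kernel image."""
    fake_pkcs7 = b"\x30\x82\x00\x00 constructed, not a real PKCS#7 blob"
    cert = struct.pack("<IHH", 8 + len(fake_pkcs7), WIN_CERT_REVISION_2_0,
                       WIN_CERT_TYPE_PKCS_SIGNED_DATA) + fake_pkcs7
    cert += b"\0" * (-len(cert) % 8)
    opt = bytearray(240)                     # PE32+ header with 16 data directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)
    headers_len = 0x40 + 4 + 20 + len(opt)   # 328 bytes, already 8-byte aligned
    if signed:
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR_INDEX, headers_len, len(cert))
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x22)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    return image + cert if signed else image


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_image(True)
    r = signature_report(data)
    print("signed:", r["signed"], "entries:", len(r["certificates"]), "problems:", r["problems"])
```

Run it against the unpacked `/usr/src/linux-*/arch/x86/boot/bzImage` from the binpkg (or a generated UKI) to confirm a signature is present at all; a `signed: False` on a gentoo-kernel-bin image would mean the binpkg was built without USE=secureboot. A present signature still says nothing about trust, so the `sbverify --cert` step against the certificate enrolled in db remains necessary.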