From: "Andrew Ammerlaan"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Andrew Ammerlaan"
Message-ID: <1693164966.a740d65d10a325c3a5977036eb9f410e452db925.andrewammerlaan@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: eclass/
X-VCS-Repository: repo/gentoo
X-VCS-Files: eclass/kernel-build.eclass
X-VCS-Directories: eclass/
X-VCS-Committer: andrewammerlaan
X-VCS-Committer-Name: Andrew Ammerlaan
X-VCS-Revision: a740d65d10a325c3a5977036eb9f410e452db925
X-VCS-Branch: master
Date: Sun, 27 Aug 2023 19:36:12 +0000 (UTC)

commit:     a740d65d10a325c3a5977036eb9f410e452db925
Author:     Andrew Ammerlaan gentoo org>
AuthorDate: Sat Aug 26 19:26:46 2023 +0000
Commit:     Andrew Ammerlaan gentoo org>
CommitDate: Sun Aug 27 19:36:06 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a740d65d

kernel-build.eclass: sign the kernel image earlier in src_install

By signing it in src_install instead of pkg_postinst the signed version is included in any generated binpkg. This is useful for enabling secureboot on machines that do not have the secureboot private key available. This change makes it possible to distribute a signed kernel image in sys-kernel/gentoo-kernel-bin.

Note, UKIs are always generated locally, so if UKIs are used these will still have to be signed in pkg_postinst and therefore the private key is still required on all systems with USE=secureboot and uefi=yes in dracut.conf.

Signed-off-by: Andrew Ammerlaan gentoo.org>

 eclass/kernel-build.eclass | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass index 5b324e036c5f..ca105ee1f133 100644 --- a/eclass/kernel-build.eclass +++ b/eclass/kernel-build.eclass @@ -33,6 +33,7 @@ if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then # If we have enabled module signing IUSE # then we can also enable secureboot IUSE KERNEL_IUSE_SECUREBOOT=1 + inherit secureboot fi inherit multiprocessing python-any-r1 savedconfig toolchain-funcs kernel-install @@ -348,6 +349,10 @@ kernel-build_src_install() { dosym "../../../${kernel_dir}" "/lib/modules/${module_ver}/build" dosym "../../../${kernel_dir}" "/lib/modules/${module_ver}/source" + if [[ ${KERNEL_IUSE_SECUREBOOT} ]]; then + secureboot_sign_efi_file "${ED}${kernel_dir}/${image_path}" + fi + # unset to at least be out of the environment file in, e.g. shared binpkgs unset KBUILD_SIGN_PIN
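Review bot: In the first hunk (the `KERNEL_IUSE_MODULES_SIGN` block around line 33), the new `inherit secureboot` is conditional, so `secureboot_sign_efi_file` only exists when module signing is enabled; the comment just above ("then we can also enable secureboot IUSE") should be extended to say the eclass is inherited here as well, and the later `[[ ${KERNEL_IUSE_SECUREBOOT} ]]` guard in src_install depends on `KERNEL_IUSE_SECUREBOOT=1` never being set outside this block. A one-line comment documenting that coupling would keep a future edit from calling an uninherited function.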
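Review bot: In the second hunk (kernel-build_src_install, after the two `dosym` lines), the guard `if [[ ${KERNEL_IUSE_SECUREBOOT} ]]` only checks that the secureboot IUSE was offered, not that the user enabled it for this build; unless `secureboot_sign_efi_file` itself returns early when USE=secureboot is off, the condition should be `if [[ ${KERNEL_IUSE_SECUREBOOT} ]] && use secureboot; then`, and if the eclass function does handle that, a short comment saying so would spare the next reader the lookup. Since the image is signed in place under `${ED}` and, per the commit message, that signed file is what lands in the binpkg, the eclass documentation for `KERNEL_IUSE_SECUREBOOT` should state that the installed kernel image is now signed at src_install time while UKIs are still signed in pkg_postinst.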