From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 71B3B15812D for ; Thu, 02 Jan 2025 17:08:56 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id C59EAE082B; Thu, 02 Jan 2025 17:08:54 +0000 (UTC) Received: from smtp.gentoo.org (dev.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 84C79E0826 for ; Thu, 02 Jan 2025 17:08:54 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 6A0D633BF60 for ; Thu, 02 Jan 2025 17:08:53 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 7C4FC1992 for ; Thu, 02 Jan 2025 17:08:50 +0000 (UTC) 
From: "Michał Górny"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Michał Górny"
Message-ID: <1735837707.fde53f23bb5aceee88ca188ffcfb522ffc6b419d.mgorny@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: eclass/
X-VCS-Repository: repo/gentoo
X-VCS-Files: eclass/kernel-build.eclass eclass/kernel-install.eclass
X-VCS-Directories: eclass/
X-VCS-Committer: mgorny
X-VCS-Committer-Name: Michał Górny
X-VCS-Revision: fde53f23bb5aceee88ca188ffcfb522ffc6b419d
X-VCS-Branch: master
Date: Thu, 02 Jan 2025 17:08:50 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: 045d4213-0b76-4f41-9d3a-2365c353484a
X-Archives-Hash: 5c448862df0f08db3bf8794966b2fef5

commit: fde53f23bb5aceee88ca188ffcfb522ffc6b419d
Author: Nowa Ammerlaan gentoo org>
AuthorDate: Mon Dec 23 17:31:08 2024 +0000
Commit: Michał Górny gentoo org>
CommitDate: Thu Jan 2 17:08:27 2025 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fde53f23

kernel-{build,install}.eclass: create multi-profile generic UKIs

systemd 257's ukify gains the ability to specify multiple "profiles" for a UKI. This allows us to finally solve Bug 921195, which made it impossible to simultaneously enforce verification of the kernel image (secureboot) and enforce verification of the kernel modules (lockdown=integrity).

We also add a profile for "quiet splash", and change KERNEL_GENERIC_UKI_CMDLINE to add another profile instead of overwriting the built-in kernel cmdline.

To support splash we add the plymouth and drm dracut modules but omit the drm kernel modules that pull in huge firmware files. This will result in a less visually smooth boot, but significantly decreases the size of the image.
Ukify can now also pass on the signing engine argument to systemd-measure which enables the usage of pkcs11 uri's for measured boot. Minimal version of systemd for USE=generic-uki is bumped to 257. Closes: https://bugs.gentoo.org/921195 Signed-off-by: Nowa Ammerlaan gentoo.org> Signed-off-by: Michał Górny gentoo.org> eclass/kernel-build.eclass | 84 +++++++++++++++++++++++++++++++++++--------- eclass/kernel-install.eclass | 6 ++-- 2 files changed, 71 insertions(+), 19 deletions(-) diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass index 831027216321..aae55d9e3ac5 100644 --- a/eclass/kernel-build.eclass +++ b/eclass/kernel-build.eclass @@ -1,4 +1,4 @@ -# Copyright 2020-2024 Gentoo Authors +# Copyright 2020-2025 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 # @ECLASS: kernel-build.eclass @@ -108,10 +108,14 @@ IUSE="+strip" # @ECLASS_VARIABLE: KERNEL_GENERIC_UKI_CMDLINE # @USER_VARIABLE # @DESCRIPTION: -# If KERNEL_IUSE_GENERIC_UKI is set, this variable allows setting the -# built-in kernel command line for the UKI. If unset, the default is -# root=/dev/gpt-auto-root ro -: "${KERNEL_GENERIC_UKI_CMDLINE:="root=/dev/gpt-auto-root ro"}" +# If KERNEL_IUSE_GENERIC_UKI is set, and this variable is not +# empty, then the contents are used as the first kernel cmdline +# option of the multi-profile generic UKI. Supplementing the four +# standard options of: +# - root=/dev/gpt-auto-root ro +# - root=/dev/gpt-auto-root ro quiet splash +# - root=/dev/gpt-auto-root ro lockdown=integrity +# - root=/dev/gpt-auto-root ro quiet splash lockdown=integrity if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then IUSE+=" modules-sign" 
@@ -497,10 +501,10 @@ kernel-build_src_install() { local dracut_modules=( base bash btrfs cifs crypt crypt-gpg crypt-loop dbus dbus-daemon - dm dmraid dracut-systemd fido2 i18n fs-lib kernel-modules + dm dmraid dracut-systemd drm fido2 i18n fs-lib kernel-modules kernel-network-modules kernel-modules-extra lunmask lvm nbd mdraid modsign network network-manager nfs nvdimm nvmf pcsc - pkcs11 qemu qemu-net resume rngd rootfs-block shutdown + pkcs11 plymouth qemu qemu-net resume rngd rootfs-block shutdown systemd systemd-ac-power systemd-ask-password systemd-initrd systemd-integritysetup systemd-pcrphase systemd-sysusers systemd-udevd systemd-veritysetup terminfo tpm2-tss udev-rules @@ -526,7 +530,7 @@ kernel-build_src_install() { --ro-mnt --modules "${dracut_modules[*]}" # Pulls in huge firmware files - --omit-drivers "nfp" + --omit-drivers "amdgpu i915 nfp nouveau nvidia xe" ) # Tries to update ld cache 
@@ -534,29 +538,77 @@ kernel-build_src_install() { dracut "${dracut_args[@]}" "${image%/*}/initrd" || die "Failed to generate initramfs" + # Note, we cannot use an associative array here because those are + # not ordered. + local profiles=() + local cmdlines=() + + # If defined, make the user entry the first and default + if [[ -n ${KERNEL_GENERIC_UKI_CMDLINE} ]]; then + profiles+=( + $'TITLE=User specified at build time\nID=user' + ) + cmdlines+=( "${KERNEL_GENERIC_UKI_CMDLINE}" ) + fi + + profiles+=( + $'TITLE=Default\nID=default' + $'TITLE=Default with splash\nID=splash' + $'TITLE=Default with lockdown\nID=lockdown' + $'TITLE=Default with splash and lockdown\nID=splash-lockdown' + ) + + cmdlines+=( + "root=/dev/gpt-auto-root ro" + "root=/dev/gpt-auto-root ro quiet splash" + "root=/dev/gpt-auto-root ro lockdown=integrity" + "root=/dev/gpt-auto-root ro quiet splash lockdown=integrity" + ) + local ukify_args=( --linux="${image}" --initrd="${image%/*}/initrd" - --cmdline="${KERNEL_GENERIC_UKI_CMDLINE}" --uname="${KV_FULL}" --output="${image%/*}/uki.efi" - ) + --profile="${profiles[0]}" + --cmdline="${cmdlines[0]}" + ) # 0th profile is default + + # Additional profiles have to be added with --join-profile + local i + for (( i=1; i<"${#profiles[@]}"; i++ )); do + ukify build \ + --profile="${profiles[i]}" \ + --cmdline="${cmdlines[i]}" \ + --output="${T}/profile${i}.efi" || + die "Failed to create profile ${i}" + + ukify_args+=( --join-profile="${T}/profile${i}.efi" ) + done if [[ ${KERNEL_IUSE_MODULES_SIGN} ]] && use secureboot; then + openssl x509 \ + -in "${SECUREBOOT_SIGN_CERT}" -inform PEM \ + -out ${T}/pcrpkey.der -outform DER || + die "Failed to convert certificate to DER format" ukify_args+=( - --signtool=sbsign --secureboot-private-key="${SECUREBOOT_SIGN_KEY}" --secureboot-certificate="${SECUREBOOT_SIGN_CERT}" + --pcrpkey="${T}/pcrpkey.der" + --measure ) if [[ ${SECUREBOOT_SIGN_KEY} == pkcs11:* ]]; then ukify_args+=( --signing-engine="pkcs11" + 
--pcr-private-key="${SECUREBOOT_SIGN_KEY}" + --pcr-public-key="${SECUREBOOT_SIGN_CERT}" + --phases="enter-initrd" + --pcr-private-key="${SECUREBOOT_SIGN_KEY}" + --pcr-public-key="${SECUREBOOT_SIGN_CERT}" + --phases="enter-initrd:leave-initrd enter-initrd:leave-initrd:sysinit enter-initrd:leave-initrd:sysinit:ready" ) else - # Sytemd-measure does not currently support pkcs11 ukify_args+=( - --measure - --pcrpkey="${ED}${kernel_dir}/certs/signing_key.x509" --pcr-private-key="${SECUREBOOT_SIGN_KEY}" --phases="enter-initrd" --pcr-private-key="${SECUREBOOT_SIGN_KEY}" @@ -565,9 +617,7 @@ kernel-build_src_install() { fi fi - # systemd<255 does not install ukify in /usr/bin - PATH="${PATH}:${BROOT}/usr/lib/systemd:${BROOT}/lib/systemd" \ - ukify build "${ukify_args[@]}" || die "Failed to generate UKI" + ukify build "${ukify_args[@]}" || die "Failed to generate UKI" # Overwrite unnecessary image types to save space > "${image}" || die diff --git a/eclass/kernel-install.eclass b/eclass/kernel-install.eclass index a341dd9426ff..5b4f3b096c41 100644 --- a/eclass/kernel-install.eclass +++ b/eclass/kernel-install.eclass @@ -1,4 +1,4 @@ -# Copyright 2020-2024 Gentoo Authors +# Copyright 2020-2025 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 # @ECLASS: kernel-install.eclass 
@@ -162,9 +162,10 @@ if [[ ${KERNEL_IUSE_GENERIC_UKI} ]]; then ["sys-apps/rng-tools"]="GPL-2" ["sys-apps/sed"]="GPL-3+" ["sys-apps/shadow"]="BSD GPL-2" - ["sys-apps/systemd[boot(-),cryptsetup,pkcs11,policykit,tpm,ukify(-)]"]="GPL-2 LGPL-2.1 MIT public-domain" + [">=sys-apps/systemd-257[boot(-),cryptsetup,pkcs11,policykit,tpm,ukify(-)]"]="GPL-2 LGPL-2.1 MIT public-domain" ["sys-apps/util-linux"]="GPL-2 GPL-3 LGPL-2.1 BSD-4 MIT public-domain" ["sys-auth/polkit"]="LGPL-2" + ["sys-boot/plymouth[drm,systemd(+),udev]"]="GPL-2+" ["sys-block/nbd"]="GPL-2" ["sys-devel/gcc"]="GPL-3+ LGPL-3+ || ( GPL-3+ libgcc libstdc++ gcc-runtime-library-exception-3.1 ) FDL-1.3+" ["sys-fs/btrfs-progs"]="GPL-2" @@ -190,6 +191,7 @@ if [[ ${KERNEL_IUSE_GENERIC_UKI} ]]; then ["sys-libs/readline"]="GPL-3+" ["sys-libs/zlib"]="ZLIB" ["sys-process/procps"]="GPL-2+ LGPL-2+ LGPL-2.1+" + ["x11-libs/libdrm"]="MIT" ["amd64? ( sys-firmware/intel-microcode )"]="amd64? ( intel-ucode )" ["x86? ( sys-firmware/intel-microcode )"]="x86? ( intel-ucode )" )
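Review bot: in the hunk at @@ -108,10 +108,14 @@ the rewritten @DESCRIPTION says the user value is used "as the first kernel cmdline option of the multi-profile generic UKI", but the code later in the file makes it the first, and therefore default, profile of the UKI, not an option; "Supplementing the four standard options of:" is also a sentence fragment. Suggest wording along the lines of "If KERNEL_IUSE_GENERIC_UKI is set and this variable is non-empty, its contents become the kernel command line of an additional profile that is placed first, i.e. is the default boot entry, in front of the four standard profiles:". Because the `: "${KERNEL_GENERIC_UKI_CMDLINE:=...}"` default is removed and the consumer tests `-n`, an unset and an empty variable now behave identically; say so in the description, since users previously relied on the documented default value.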
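Review bot: in the hunk at @@ -526,7 +530,7 @@ the existing comment "# Pulls in huge firmware files" no longer explains the list: amdgpu, i915, nouveau, nvidia and xe are omitted in the same patch that enables the drm and plymouth dracut modules, so a later reader is likely to take the omission for an oversight that defeats the splash and re-add them. Record the trade-off the commit message states next to the option, e.g. "# DRM drivers pull in huge firmware files; omit them so the image stays small and let plymouth fall back to a less smooth splash".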
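Review bot: in the hunk at @@ -534,29 +538,77 @@ the openssl call writes `-out ${T}/pcrpkey.der` unquoted while every other `${T}` expansion in the same hunk is quoted (`--output="${T}/profile${i}.efi"`, `--pcrpkey="${T}/pcrpkey.der"`); make it `-out "${T}/pcrpkey.der"` for consistency and so a temporary directory containing whitespace cannot split the argument. Two further points in the same hunk: the `.pcrpkey` section previously carried `${ED}${kernel_dir}/certs/signing_key.x509` and now carries the DER form of SECUREBOOT_SIGN_CERT, which is the certificate matching the `--pcr-private-key="${SECUREBOOT_SIGN_KEY}"` passed in both the pkcs11 and the file-key branch; a one-line comment above the openssl call stating that the embedded public key must correspond to the PCR signing key would make that invariant explicit for the next editor. And `--signtool=sbsign` is removed without a replacement, leaving the choice of signing tool to ukify; a comment naming the tool the eclass expects would document what the build-time dependencies have to provide.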
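Review bot: in the hunk at @@ -162,9 +162,10 @@ the systemd version floor (`>=sys-apps/systemd-257`) is what justifies dropping the `PATH="${PATH}:${BROOT}/usr/lib/systemd:..."` fallback and using `--profile`/`--join-profile` in kernel-build.eclass, yet it appears only in this license map; if dependency atoms are assembled anywhere else in the eclass, the same floor has to be applied there, and a short comment on the entry (multi-profile ukify and `--signing-engine` passthrough to systemd-measure) would tie the floor to the features that need it. Also, `sys-boot/plymouth[drm,systemd(+),udev]` requires plymouth's DRM renderer while kernel-build.eclass omits the in-tree DRM drivers from the initramfs; that is the intended trade-off per the commit message, but a comment beside the new entry would keep the two lists from being "fixed" independently.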