From: "Nowa Ammerlaan"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Nowa Ammerlaan"
Message-ID: <1736084365.b678c191a5e453a42b6dcf2b3406fd41fcd6d5c7.nowa@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: eclass/
X-VCS-Repository: repo/gentoo
X-VCS-Files: eclass/kernel-build.eclass
X-VCS-Directories: eclass/
X-VCS-Committer: nowa
X-VCS-Committer-Name: Nowa Ammerlaan
X-VCS-Revision: b678c191a5e453a42b6dcf2b3406fd41fcd6d5c7
X-VCS-Branch: master
Date: Sun, 05 Jan 2025 13:39:54 +0000 (UTC)

commit:     b678c191a5e453a42b6dcf2b3406fd41fcd6d5c7
Author:     Nowa Ammerlaan gentoo org>
AuthorDate: Sat Jan  4 12:56:20 2025 +0000
Commit:     Nowa Ammerlaan gentoo org>
CommitDate: Sun Jan  5 13:39:25 2025 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b678c191

kernel-build.eclass: pcrpkey should be PEM not DER

We still need the call to openssl to ensure that we don't accidentally
append the key itself to the UKI.

Signed-off-by: Nowa Ammerlaan gentoo.org>

 eclass/kernel-build.eclass | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index aae55d9e3ac5..e3175453fea7 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -587,14 +587,18 @@ kernel-build_src_install() { done if [[ ${KERNEL_IUSE_MODULES_SIGN} ]] && use secureboot; then + # --pcrpkey is appended as is. If the certificate and key + # are in the same file, we could accidentally leak the key + # into the UKI. Pass the certificate through openssl to ensure + # that it truly contains *only* the certificate. openssl x509 \ -in "${SECUREBOOT_SIGN_CERT}" -inform PEM \ - -out ${T}/pcrpkey.der -outform DER || - die "Failed to convert certificate to DER format" + -out "${T}/pcrpkey.pem" -outform PEM || + die "Failed to extract certificate" ukify_args+=( --secureboot-private-key="${SECUREBOOT_SIGN_KEY}" --secureboot-certificate="${SECUREBOOT_SIGN_CERT}" - --pcrpkey="${T}/pcrpkey.der" + --pcrpkey="${T}/pcrpkey.pem" --measure ) if [[ ${SECUREBOOT_SIGN_KEY} == pkcs11:* ]]; then
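Review bot: the file handed to --pcrpkey is still a whole X.509 certificate (openssl x509 -in "${SECUREBOOT_SIGN_CERT}" ... -out "${T}/pcrpkey.pem" -outform PEM), while the section name suggests a bare public key; please confirm what the consumer of the .pcrpkey section expects, because if it wants a SubjectPublicKeyInfo the same invocation with `-pubkey -noout` (redirected to "${T}/pcrpkey.pem") would emit exactly that and still meets the goal stated in the new comment, since it cannot carry a PRIVATE KEY block from the input either. Two smaller points on the same lines: the added quotes around "${T}/pcrpkey.pem" fix a real word-splitting hazard in the old unquoted `-out ${T}/pcrpkey.der`, and openssl x509 only re-emits the first certificate it finds, so a bundle file with intermediates is reduced to the leaf, which is what the comment intends but may be worth stating there.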
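The risk the commit message describes, as an added shell example that is not part of the Gentoo eclass: it builds a throwaway key and self-signed certificate with openssl (assumed to be installed), concatenates them into one PEM file the way signing material is often stored, and checks that the certificate-only file produced by the same `openssl x509` pass-through the eclass uses contains no private-key block, while the combined input does. The `extract_pubkey_only` helper is this example's own alternative for a consumer that wants a bare public key rather than a certificate; all function names and paths here are the example's, not the eclass's.

```shell
#!/bin/sh
# Added example, not code from kernel-build.eclass: demonstrate why the
# certificate must be passed through openssl before it is embedded as
# --pcrpkey. Requires the openssl CLI.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed input: a throwaway RSA key and a self-signed certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=uki-example' \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null

# Many setups keep certificate and key in one PEM file. Appending this
# file as is to the UKI would ship the private key inside the image.
cat "$WORK/cert.pem" "$WORK/key.pem" > "$WORK/combined.pem"

# Returns 0 if the file carries any "PRIVATE KEY" PEM block, 1 otherwise.
contains_private_key() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Same invocation the eclass uses: openssl x509 re-emits only the (first)
# certificate from the input, so a trailing key block is dropped.
extract_cert_only() {
    openssl x509 -in "$1" -inform PEM -out "$2" -outform PEM
}

# Alternative (example's own, not the eclass's): emit the bare public key
# (SubjectPublicKeyInfo) instead of the certificate.
extract_pubkey_only() {
    openssl x509 -in "$1" -inform PEM -pubkey -noout > "$2"
}

# Run the eclass path on a given file and report "clean" or "leak".
check_pcrpkey_input() {
    extract_cert_only "$1" "$WORK/pcrpkey.pem" || { echo "extract-failed"; return 2; }
    if contains_private_key "$WORK/pcrpkey.pem"; then
        echo leak
        return 1
    fi
    echo clean
}

# The naive path would embed the key:
contains_private_key "$WORK/combined.pem" && echo "combined.pem carries the private key"
# The eclass path strips it:
check_pcrpkey_input "$WORK/combined.pem"   # → clean
# The extracted file is still a usable certificate:
openssl x509 -in "$WORK/pcrpkey.pem" -noout -subject
# And the public-key variant for comparison:
extract_pubkey_only "$WORK/combined.pem" "$WORK/pubkey.pem"
head -n 1 "$WORK/pubkey.pem"               # → -----BEGIN PUBLIC KEY-----
```

Running it prints the subject of the extracted certificate (CN=uki-example) and `clean`; swapping `extract_cert_only` for a plain `cp` in `check_pcrpkey_input` makes the same input report `leak`, which is the failure the eclass comment guards against.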