From: "Nowa Ammerlaan"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Nowa Ammerlaan"
Message-ID: <1736195137.9163b23ef60ec34e3739e06eabe5167e36295ab7.nowa@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: eclass/
X-VCS-Repository: repo/gentoo
X-VCS-Files: eclass/kernel-build.eclass eclass/kernel-install.eclass
X-VCS-Directories: eclass/
X-VCS-Committer: nowa
X-VCS-Committer-Name: Nowa Ammerlaan
X-VCS-Revision: 9163b23ef60ec34e3739e06eabe5167e36295ab7
X-VCS-Branch: master
Date: Mon, 06 Jan 2025 20:25:58 +0000 (UTC)

commit: 9163b23ef60ec34e3739e06eabe5167e36295ab7
Author: Nowa Ammerlaan gentoo org>
AuthorDate: Mon Jan 6 17:46:01 2025 +0000
Commit: Nowa Ammerlaan gentoo org>
CommitDate: Mon Jan 6 20:25:37 2025 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9163b23e

kernel-{build,install}.eclass: exclude any generated keys from binpkgs

The kernel build system supports generating a new module signing key if the CONFIG_MODULE_SIG_KEY is set to the default value (MODULES_SIGN_KEY is not set) and no key exists at that default location. This results in the unfortunate situation where private key material ends up in generated binary packages. That is almost never what you want since binary packages are usually readable by regular users. To avoid this we move the key out of the ED in the install phase, and move it back in the preinst phase after the binary package has been built.
This also means that when distributing built binary packages to other systems the signing key will now never be installed onto all those other systems, which is probably what you want anyway. Note, there is no change for folks who use externally managed keys, i.e. for everyone who has MODULES_SIGN_KEY, MODULE_SIGN_CERT set. Signed-off-by: Nowa Ammerlaan gentoo.org> Closes: https://github.com/gentoo/gentoo/pull/40017 Signed-off-by: Nowa Ammerlaan gentoo.org> eclass/kernel-build.eclass | 6 +++++- eclass/kernel-install.eclass | 9 +++++++++ 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass index 8f3346bb4874..65433d9fc9c0 100644 --- a/eclass/kernel-build.eclass +++ b/eclass/kernel-build.eclass @@ -447,6 +447,11 @@ kernel-build_src_install() { # Copy built key/certificate files cp -p build/certs/* "${ED}${kernel_dir}/certs/" || die + # If a key was generated, exclude it from the binpkg + local generated_key=${ED}${kernel_dir}/certs/signing_key.pem + if [[ -r ${generated_key} ]]; then + mv "${generated_key}" "${T}/signing_key.pem" || die + fi # building modules fails with 'vmlinux has no symtab?' if stripped use ppc64 && dostrip -x "${kernel_dir}/${image_path}" @@ -654,7 +659,6 @@ kernel-build_pkg_postinst() { ewarn "MODULES_SIGN_KEY was not set, this means the kernel build system" ewarn "automatically generated the signing key. This key was installed" ewarn "in ${EROOT}/usr/src/linux-${KV_FULL}/certs" - ewarn "and will also be included in any binary packages." ewarn "Please take appropriate action to protect the key!" ewarn ewarn "Recompiling this package causes a new key to be generated. As" diff --git a/eclass/kernel-install.eclass b/eclass/kernel-install.eclass index f70556ad41f5..1cc2bd0bb737 100644 --- a/eclass/kernel-install.eclass +++ b/eclass/kernel-install.eclass 
@@ -607,6 +607,15 @@ kernel-install_pkg_preinst() { [[ ! -d ${kernel_dir} ]] && die "Kernel directory ${kernel_dir} not installed!" + # We moved this in order to omit it from the binpkg, move it back + if [[ -r "${T}/signing_key.pem" ]]; then + # cp instead of mv to set owner to root in one go + ( + umask 066 && + cp "${T}/signing_key.pem" "${kernel_dir}/certs/signing_key.pem" + ) || die + fi + # perform the version check for release ebuilds only if [[ ${PV} != *9999 ]]; then local expected_ver=$(dist-kernel_PV_to_KV "${PV}")
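Review bot: in the kernel-build_src_install hunk, `if [[ -r ${generated_key} ]]; then` tests readability rather than existence, so a signing_key.pem that was copied into ${ED} but is not readable by the build user would be silently left in place and shipped in the binpkg, which is exactly the case the change is meant to close; `[[ -f ${generated_key} ]]` matches the comment "If a key was generated" more precisely. The move-out here and the move-back in kernel-install_pkg_preinst live in two different eclasses and agree only by sharing the literal names `${T}/signing_key.pem` and `certs/signing_key.pem`, so a comment pointing at the counterpart (or a shared variable for the basename) would stop a future rename of one side from quietly breaking the pairing.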
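Review bot: in the kernel-build_pkg_postinst hunk, removing `ewarn "and will also be included in any binary packages."` leaves the preceding lines still telling the user that the key "was installed in ${EROOT}/usr/src/linux-${KV_FULL}/certs", which after this change is not true when the package is merged from a binpkg on a host other than the one that built it (the commit message states the key is then never installed). Consider gating the whole warning on the key actually being present, e.g. `[[ -e ${EROOT}/usr/src/linux-${KV_FULL}/certs/signing_key.pem ]]`, or rewording it so consumers of distributed binpkgs are not told to protect a key that is not there.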
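Review bot: in the kernel-install_pkg_preinst hunk, after `cp "${T}/signing_key.pem" "${kernel_dir}/certs/signing_key.pem"` the private key is left behind in ${T} with whatever mode it carried out of the build tree; an `rm -f "${T}/signing_key.pem"` after a successful copy would keep it from lingering in the temp dir (for example under FEATURES=keeptemp). The `umask 066` subshell does yield a root-owned 0600 file as the comment intends, but only because the destination does not exist yet: cp onto an existing file keeps that file's mode, so the correctness of this hunk depends on the move-out in src_install having run; a short comment stating that assumption would help the next reader.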