Subject: Re: [gentoo-dev] [PATCH v3] kernel-build.eclass: work around permissions issue with module signing
From: Michał Górny
To: gentoo-dev@lists.gentoo.org
Cc: vimproved@inventati.org
Date: Mon, 11 Dec 2023 12:13:19 +0100
Message-ID: <032d787a4f6375c61c7eb010feee2b87fa3f6b80.camel@gentoo.org>
In-Reply-To: <8f848f1b-7f70-49df-8840-54df6ee35b66@gentoo.org>

On Mon, 2023-12-11 at 09:00 +0100, Andrew Ammerlaan wrote:
> v3:
> 
> From dbf92605437b4a457bad2da92f69baab23fcfa44 Mon Sep 17 00:00:00 2001
> From: Violet Purcell
> Date: Mon, 27 Nov 2023 12:12:09 -0500
> Subject: [PATCH] kernel-build.eclass: work around permissions issue with
>  module signing
> 
> Currently, using a custom path for MODULES_SIGN_KEY requires the key to
> be readable by portage:portage. This is not ideal for security, since
> the file has to be either owned by portage:portage or readable by all
> users in this case. Instead, export the contents of MODULES_SIGN_KEY to
> a variable in pkg_setup, and then create a temporary file with it in
> src_configure to ensure that the temporary key is readable by the user
> that the kernel is being built as. The variable is then unset so it does
> not end up in the final environment file.
> 
> Co-authored-by: Andrew Ammerlaan
> Signed-off-by: Violet Purcell
> ---
>  eclass/kernel-build.eclass | 18 ++++++++++++------
>  1 file changed, 12 insertions(+), 6 deletions(-)
> 
> diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
> index f5529c319f9fc..94b499f82fc1e 100644
> --- a/eclass/kernel-build.eclass
> +++ b/eclass/kernel-build.eclass
> @@ -114,6 +114,13 @@ kernel-build_pkg_setup() {
>  	python-any-r1_pkg_setup
>  	if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
>  		secureboot_pkg_setup
> +		if [[ -e ${MODULES_SIGN_KEY} && ${MODULES_SIGN_KEY} != pkcs11:* ]]; then
> +			if [[ -e ${MODULES_SIGN_CERT} && ${MODULES_SIGN_CERT} != ${MODULES_SIGN_KEY} ]]; then
> +				MODULES_SIGN_KEY_CONTENTS="$(cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" || die)"

You can use $(<...) builtin instead of calling cat(1).

> +			else
> +				MODULES_SIGN_KEY_CONTENTS="$(cat "${MODULES_SIGN_KEY}" || die)"
> +			fi
> +		fi
>  	fi
>  }
> 
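Review bot: if cat(1) is replaced by the $(<...) builtin in the two-file branch of this hunk (the `MODULES_SIGN_KEY_CONTENTS="$(cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" || die)"` line), an explicit separator is needed between the two reads, because $(<file) strips the trailing newline of each file and the certificate's `-----END ...-----` footer would run straight into the key's `-----BEGIN ...-----` header on one line, leaving a kernel_key.pem the kernel build cannot parse; `"$(<"${MODULES_SIGN_CERT}")"$'\n'"$(<"${MODULES_SIGN_KEY}")"` keeps them on separate lines. The builtin form also has no `|| die` hook for a read failure, so a `[[ -r ${MODULES_SIGN_KEY} ]] || die` check beforehand is needed to preserve the fail-fast behaviour of the current `cat ... || die`. The single-file branch can switch to $(<...) without either concern.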
> @@ -422,12 +429,11 @@ kernel-build_merge_configs() {
>  			CONFIG_MODULE_SIG_FORCE=y
>  			CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y
>  		EOF
> -		if [[ -e ${MODULES_SIGN_KEY} && -e ${MODULES_SIGN_CERT} &&
> -			${MODULES_SIGN_KEY} != ${MODULES_SIGN_CERT} &&
> -			${MODULES_SIGN_KEY} != pkcs11:* ]]
> -		then
> -			cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" > "${T}/kernel_key.pem" || die
> -			MODULES_SIGN_KEY="${T}/kernel_key.pem"
> +		if [[ -n "${MODULES_SIGN_KEY_CONTENTS}" ]]; then

No quoting is needed here.

> +			(umask 066; touch "${T}/kernel_key.pem" || die)

'&&' instead of ';', even if umask shouldn't really fail here.

> +			echo "${MODULES_SIGN_KEY_CONTENTS}" > "${T}/kernel_key.pem" || die
> +			unset MODULES_SIGN_KEY_CONTENTS
> +			export MODULES_SIGN_KEY="${T}/kernel_key.pem"
>  		fi
>  		if [[ ${MODULES_SIGN_KEY} == pkcs11:* || -r ${MODULES_SIGN_KEY} ]]; then
>  			echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \
> 

-- 
Best regards,
Michał Górny
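Review bot: the `unset MODULES_SIGN_KEY_CONTENTS` in this hunk only takes effect from this phase onward, so the private key is still written in cleartext to the environment Portage saves after pkg_setup (that saved environment is how the variable reaches src_configure at all) and stays there until kernel-build_merge_configs runs; the commit message says the key does not end up in the final environment file, which is true, but it should also state that the exposure window is the build directory for the duration of the build, the same place the 0600 kernel_key.pem created under `umask 066` lives. Minor: `printf '%s\n' "${MODULES_SIGN_KEY_CONTENTS}" > "${T}/kernel_key.pem" || die` is the idiomatic way to write arbitrary contents, since echo interprets leading option-like arguments and, depending on shell options, backslash escapes.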