From: Ionen Wolkens
To: gentoo-dev@lists.gentoo.org
Subject: [gentoo-dev] [PATCH 2/4] profiles/use.desc: create USE=modules-sign global USE flag
Date: Fri, 26 May 2023 00:02:17 -0400
Message-Id: <20230526040219.10852-3-ionen@gentoo.org>
In-Reply-To: <20230526040219.10852-1-ionen@gentoo.org>
References: <20230526040219.10852-1-ionen@gentoo.org>

Similarly to gyakovlev's proposition for signing back in 2018 (with a module-sign IUSE), linux-mod-r1.eclass will make use of this to enable/disable signing, and it would be inconvenient if consumers had to define it.

An alternative could be to automagically enable it when the kernel has "sign by default", a bit like compression is handled -- albeit this can sometimes need more configuration and may be unexpected (i.e. permissions for keys, if keys were moved to different locations, passphrases, and dist-kernels unsurprisingly don't install the private key and would result in failure out-of-the-box).

Having a USE also makes it more obvious that support exists, and attempting to enable it will give a bit of explanation if anything is amiss.

Name-wise, debated between this and 'sign-modules', but fwiw the former sorts better with the already existing 'modules'.

Signed-off-by: Ionen Wolkens
---
 profiles/use.desc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/profiles/use.desc b/profiles/use.desc
index aa5d16dd652e..bd8cb7031ab8 100644
--- a/profiles/use.desc
+++ b/profiles/use.desc
@@ -192,6 +192,7 @@ mms - Support for Microsoft Media Server (MMS) streams mng - Add support for libmng (MNG images) modplug - Add libmodplug support for playing SoundTracker-style music files modules - Build the kernel modules +modules-sign - Cryptographically sign installed kernel modules (requires CONFIG_MODULE_SIG=y in the kernel) mono - Build Mono bindings to support dotnet type stuff motif - Add support for the Motif toolkit mp3 - Add support for reading mp3 files -- 2.40.1
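Review bot: the new modules-sign line names CONFIG_MODULE_SIG=y as the only requirement, yet the commit message itself says signing also fails when the private key is missing or unreadable (dist-kernels do not install it, keys may have been moved or need a passphrase). Since use.desc is what a user sees when looking the flag up before enabling it, suggest stating the key requirement too, e.g. `modules-sign - Cryptographically sign installed kernel modules (requires CONFIG_MODULE_SIG=y and access to the kernel's module signing key)`, so the "failure out-of-the-box" case is anticipated by the description rather than only by the eclass's error message.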
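The failure modes the message lists (kernel built without CONFIG_MODULE_SIG, key moved or unreadable, dist-kernel shipping no private key, sign-file absent) are exactly what an "explain what is amiss" check has to cover. The script below is an added example of such a preflight check and is not linux-mod-r1.eclass's own code; it assumes the ordinary configured-tree layout ($KDIR/.config, $KDIR/scripts/sign-file, and CONFIG_MODULE_SIG_KEY resolved relative to $KDIR, with the kernel's default of certs/signing_key.pem when unset), and the function names modsign_preflight and config_value are its own.

```shell
#!/bin/sh
# Preflight check for signing out-of-tree modules against a configured kernel tree.
# Added example; not linux-mod-r1.eclass code. Assumes $KDIR/.config,
# $KDIR/scripts/sign-file and a CONFIG_MODULE_SIG_KEY relative to $KDIR.
# Usage: modsign_preflight /usr/src/linux && echo "signing is possible"

# config_value FILE SYMBOL: print the value of CONFIG_SYMBOL with quotes stripped,
# nothing if the symbol is unset or commented out ("# CONFIG_X is not set").
config_value() {
    sed -n "s/^CONFIG_$2=//p" "$1" | sed 's/^"\(.*\)"$/\1/'
}

# modsign_preflight KDIR: return 0 if signing can work, 1 otherwise.
# Every problem found is explained on stderr instead of failing at the first one.
modsign_preflight() {
    kdir=$1
    cfg=$kdir/.config
    rc=0

    if [ ! -r "$cfg" ]; then
        echo "no readable $cfg (is the kernel configured?)" >&2
        return 1
    fi

    # CONFIG_MODULE_SIG=y is what makes the kernel build scripts/sign-file and
    # honour CONFIG_MODULE_SIG_KEY; without it there is nothing to sign with.
    if [ "$(config_value "$cfg" MODULE_SIG)" != y ]; then
        echo "CONFIG_MODULE_SIG is not set: kernel built without module signature support" >&2
        rc=1
    fi

    if [ -z "$(config_value "$cfg" MODULE_SIG_HASH)" ]; then
        echo "CONFIG_MODULE_SIG_HASH is not set: no hash algorithm to sign with" >&2
        rc=1
    fi

    key=$(config_value "$cfg" MODULE_SIG_KEY)
    [ -n "$key" ] || key=certs/signing_key.pem   # kernel default when unset
    case $key in
        pkcs11:*)
            # Key lives in a token; sign-file talks to it through the URI, nothing on disk to check.
            ;;
        /*) ;;
        *) key=$kdir/$key ;;
    esac

    # Dist-kernels install .config and the public cert but not the private key;
    # a moved key or wrong permissions show up here as well.
    case $key in
        pkcs11:*) ;;
        *)
            if [ ! -e "$key" ]; then
                echo "signing key $key is missing (dist-kernels do not install it; set CONFIG_MODULE_SIG_KEY to your own key)" >&2
                rc=1
            elif [ ! -r "$key" ]; then
                echo "signing key $key exists but is not readable by $(id -un) (permissions?)" >&2
                rc=1
            fi
            ;;
    esac

    if [ ! -x "$kdir/scripts/sign-file" ]; then
        echo "$kdir/scripts/sign-file is missing; it is only built when CONFIG_MODULE_SIG=y" >&2
        rc=1
    fi

    return $rc
}
```

The check deliberately keeps going after the first failure so a user enabling the flag sees every reason at once, and it treats a `pkcs11:` URI in CONFIG_MODULE_SIG_KEY as valid without touching the filesystem, since sign-file accepts such URIs directly.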