From: Violet Purcell <vimproved@inventati.org>
To: gentoo-dev@lists.gentoo.org
Cc: Violet Purcell <vimproved@inventati.org>
Subject: [gentoo-dev] [PATCH] kernel-build.eclass: work around permissions issue with module signing
Date: Mon, 27 Nov 2023 12:12:09 -0500 [thread overview]
Message-ID: <20231127171224.15172-1-vimproved@inventati.org> (raw)
Currently, using a custom path for MODULES_SIGN_KEY requires the key to
be readable by portage:portage. This is not ideal for security, since
the file has to be either owned by portage:portage or readable by all
users in this case. Instead, export the contents of MODULES_SIGN_KEY to
a variable in pkg_setup, and then create a temporary file with it in
src_configure to ensure that the temporary key is readable by the user
that the kernel is being built as. The variable is then unset so it does
not end up in the final environment file.
Signed-off-by: Violet Purcell <vimproved@inventati.org>
---
eclass/kernel-build.eclass | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index 4f7e4d047739..cf958c86ff29 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -114,6 +114,13 @@ kernel-build_pkg_setup() {
python-any-r1_pkg_setup
if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
secureboot_pkg_setup
+ if [[ -e ${MODULES_SIGN_KEY} && ${MODULES_SIGN_KEY} != pkcs11:* ]]; then
+ if [[ -e ${MODULES_SIGN_CERT} && ${MODULES_SIGN_CERT} != ${MODULES_SIGN_KEY} ]]; then
+ export MODULES_SIGN_KEY_CONTENTS="$(cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}")"
+ else
+ export MODULES_SIGN_KEY_CONTENTS="$(< "${MODULES_SIGN_KEY}")"
+ fi
+ fi
fi
}
@@ -427,12 +434,12 @@ kernel-build_merge_configs() {
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y
EOF
- if [[ -e ${MODULES_SIGN_KEY} && -e ${MODULES_SIGN_CERT} &&
- ${MODULES_SIGN_KEY} != ${MODULES_SIGN_CERT} &&
- ${MODULES_SIGN_KEY} != pkcs11:* ]]
- then
- cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" > "${T}/kernel_key.pem" || die
- MODULES_SIGN_KEY="${T}/kernel_key.pem"
+ if [[ -n "${MODULES_SIGN_KEY_CONTENTS}" ]]; then
+ touch "${T}/kernel_key.pem" || die
+ chmod 0600 "${T}/kernel_key.pem" || die
+ echo "${MODULES_SIGN_KEY_CONTENTS}" > "${T}/kernel_key.pem" || die
+ unset MODULES_SIGN_KEY_CONTENTS
+ export MODULES_SIGN_KEY="${T}/kernel_key.pem"
fi
if [[ ${MODULES_SIGN_KEY} == pkcs11:* || -r ${MODULES_SIGN_KEY} ]]; then
echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \
--
2.43.0
next reply other threads:[~2023-11-27 17:13 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-27 17:12 Violet Purcell [this message]
2023-11-27 17:50 ` [gentoo-dev] [PATCH] kernel-build.eclass: work around permissions issue with module signing Michał Górny
2023-12-11 8:00 ` [gentoo-dev] [PATCH v3] " Andrew Ammerlaan
2023-12-11 11:13 ` Michał Górny
2023-12-11 11:28 ` [gentoo-dev] [PATCH v4] " Andrew Ammerlaan
2023-12-11 11:56 ` Michał Górny
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231127171224.15172-1-vimproved@inventati.org \
--to=vimproved@inventati.org \
--cc=gentoo-dev@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox