From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 49122158099 for ; Mon, 27 Nov 2023 17:13:23 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 5245A2BC053; Mon, 27 Nov 2023 17:13:18 +0000 (UTC) Received: from confino.investici.org (confino.investici.org [IPv6:2a11:7980:1::2:0]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 852E92BC024 for ; Mon, 27 Nov 2023 17:13:16 +0000 (UTC) Received: from mx1.investici.org (unknown [127.0.0.1]) by confino.investici.org (Postfix) with ESMTP id 4SfBxP49kcz10xg; Mon, 27 Nov 2023 17:13:13 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=inventati.org; s=stigmate; t=1701105193; bh=mv8/d6JYYqUL/snG/riQ3azsiKvg8Jlsm7IouM2xNKo=; h=From:To:Cc:Subject:Date:From; b=dShss/VXRCszyRrrXuwCSvZqv+lSd+LoIl9NOTUpoXGzVFRcQemO561fcD/exFwOY +fv5jmUdDVWybq9PccNsTW3c+PDSyzOoZgVYkS4Vz7UKhY3XFztxvNExMS7qZLSa6d EzremYVjA5jF1iCs+HfrFbfQgrsHiWAr18DnDjps= From: Violet Purcell To: gentoo-dev@lists.gentoo.org Cc: Violet Purcell Subject: [gentoo-dev] [PATCH] kernel-build.eclass: work around permissions issue with module signing Date: Mon, 27 Nov 2023 12:12:09 -0500 Message-ID: <20231127171224.15172-1-vimproved@inventati.org> X-Mailer: git-send-email 2.43.0 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Archives-Salt: ab5cc425-bef5-4f1c-a261-1b38a236cce3 X-Archives-Hash: 9710c188e6e2ce59bc2507d46dc758f6 Currently, using a custom path for MODULES_SIGN_KEY requires the key to be readable by portage:portage. This is not ideal for security, since the file has to be either owned by portage:portage or readable by all users in this case. Instead, export the contents of MODULES_SIGN_KEY to a variable in pkg_setup, and then create a temporary file with it in src_configure to ensure that the temporary key is readable by the user that the kernel is being built as. The variable is then unset so it does not end up in the final environment file. Signed-off-by: Violet Purcell --- eclass/kernel-build.eclass | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass index 4f7e4d047739..cf958c86ff29 100644 --- a/eclass/kernel-build.eclass +++ b/eclass/kernel-build.eclass @@ -114,6 +114,13 @@ kernel-build_pkg_setup() { python-any-r1_pkg_setup if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then secureboot_pkg_setup + if [[ -e ${MODULES_SIGN_KEY} && ${MODULES_SIGN_KEY} != pkcs11:* ]]; then + if [[ -e ${MODULES_SIGN_CERT} && ${MODULES_SIGN_CERT} != ${MODULES_SIGN_KEY} ]]; then + export MODULES_SIGN_KEY_CONTENTS="$(cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}")" + else + export MODULES_SIGN_KEY_CONTENTS="$(< "${MODULES_SIGN_KEY}")" + fi + fi fi } @@ -427,12 +434,12 @@ kernel-build_merge_configs() { CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y EOF - if [[ -e ${MODULES_SIGN_KEY} && -e ${MODULES_SIGN_CERT} && - ${MODULES_SIGN_KEY} != ${MODULES_SIGN_CERT} && - ${MODULES_SIGN_KEY} != pkcs11:* ]] - then - cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" > "${T}/kernel_key.pem" || die - MODULES_SIGN_KEY="${T}/kernel_key.pem" + if [[ -n "${MODULES_SIGN_KEY_CONTENTS}" ]]; then + touch "${T}/kernel_key.pem" || die + chmod 0600 "${T}/kernel_key.pem" || die + echo "${MODULES_SIGN_KEY_CONTENTS}" > "${T}/kernel_key.pem" || die + unset MODULES_SIGN_KEY_CONTENTS + export MODULES_SIGN_KEY="${T}/kernel_key.pem" fi if [[ ${MODULES_SIGN_KEY} == pkcs11:* || -r ${MODULES_SIGN_KEY} ]]; then echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \ -- 2.43.0