From: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Cc: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Subject: [gentoo-dev] [PATCH 1/3] secureboot.eclass: check and fail early if key or cert in DER format
Date: Sun, 21 Jul 2024 10:59:22 +0200 [thread overview]
Message-ID: <20240721085924.11882-1-andrewammerlaan@gentoo.org> (raw)
Bug: https://bugs.gentoo.org/936402
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
---
eclass/secureboot.eclass | 26 +++++++++++++++++++-------
1 file changed, 19 insertions(+), 7 deletions(-)
diff --git a/eclass/secureboot.eclass b/eclass/secureboot.eclass
index a9ba514cb7a0..4459b0341845 100644
--- a/eclass/secureboot.eclass
+++ b/eclass/secureboot.eclass
@@ -1,4 +1,4 @@
-# Copyright 1999-2023 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
# @ECLASS: secureboot.eclass
@@ -44,7 +44,12 @@ case ${EAPI} in
esac
IUSE="secureboot"
-BDEPEND="secureboot? ( app-crypt/sbsigntools )"
+BDEPEND="
+ secureboot? (
+ app-crypt/sbsigntools
+ dev-libs/openssl
+ )
+"
# @ECLASS_VARIABLE: SECUREBOOT_SIGN_KEY
# @USER_VARIABLE
@@ -75,12 +80,19 @@ _secureboot_die_if_unset() {
if [[ -z ${SECUREBOOT_SIGN_KEY} || -z ${SECUREBOOT_SIGN_CERT} ]]; then
die "USE=secureboot enabled but SECUREBOOT_SIGN_KEY and/or SECUREBOOT_SIGN_CERT not set."
fi
- if [[ ! ${SECUREBOOT_SIGN_KEY} == pkcs11:* && ! -r ${SECUREBOOT_SIGN_KEY} ]]; then
- die "SECUREBOOT_SIGN_KEY=${SECUREBOOT_SIGN_KEY} not found or not readable!"
- fi
- if [[ ! -r ${SECUREBOOT_SIGN_CERT} ]]; then
- die "SECUREBOOT_SIGN_CERT=${SECUREBOOT_SIGN_CERT} not found or not readable!"
+
+ # Sanity check: fail early if key/cert in DER format or does not exist
+ local openssl_args=(
+ -inform PEM -in "${SECUREBOOT_SIGN_CERT}"
+ -noout -nocert
+ )
+ if [[ ${SECUREBOOT_SIGN_KEY} == pkcs11:* ]]; then
+ openssl_args+=( -engine pkcs11 -keyform ENGINE -key "${SECUREBOOT_SIGN_KEY}" )
+ else
+ openssl_args+=( -keyform PEM -key "${SECUREBOOT_SIGN_KEY}" )
fi
+ openssl x509 "${openssl_args[@]}" ||
+ die "Secure Boot signing certificate or key not found or not PEM format."
}
# @FUNCTION: secureboot_pkg_setup
--
2.45.2
next reply other threads:[~2024-07-21 8:59 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-21 8:59 Andrew Ammerlaan [this message]
2024-07-21 8:59 ` [gentoo-dev] [PATCH 2/3] kernel-build.eclass: check and fail early if key or cert in DER format Andrew Ammerlaan
2024-07-21 8:59 ` [gentoo-dev] [PATCH 3/3] kernel-build.eclass: don't check key/cert if merging binary Andrew Ammerlaan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240721085924.11882-1-andrewammerlaan@gentoo.org \
--to=andrewammerlaan@gentoo.org \
--cc=gentoo-dev@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox