[gentoo-dev] [PATCH] kernel-build.eclass: fix module signing with unspecified key

public inbox for gentoo-dev@lists.gentoo.org
 help / color / mirror / Atom feed

* [gentoo-dev] [PATCH] kernel-build.eclass: fix module signing with unspecified key
@ 2024-08-25 15:32 Andrew Ammerlaan
  0 siblings, 0 replies; only message in thread
From: Andrew Ammerlaan @ 2024-08-25 15:32 UTC (permalink / raw
  To: gentoo-dev; +Cc: Andrew Ammerlaan

MODULES_SIGN_KEY may be unset when using USE=modules-sign. Fix an issue
introduced in e290c3c78b7acb59393f46d1d15175d6dbfc77da that breaks this
configuration due to modules-sign-key.config not existing.

Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
---
 eclass/kernel-build.eclass | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index 6406f5b3c0f3..be02920162f4 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -625,18 +625,6 @@ kernel-build_merge_configs() {
 			CONFIG_MODULE_SIG_FORCE=y
 			CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y
 		EOF
-		if [[ -n ${MODULES_SIGN_KEY_CONTENTS} ]]; then
-			(umask 066 && touch "${T}/kernel_key.pem" || die)
-			echo "${MODULES_SIGN_KEY_CONTENTS}" > "${T}/kernel_key.pem" || die
-			unset MODULES_SIGN_KEY_CONTENTS
-			export MODULES_SIGN_KEY="${T}/kernel_key.pem"
-		fi
-		if [[ ${MODULES_SIGN_KEY} == pkcs11:* || -r ${MODULES_SIGN_KEY} ]]; then
-			echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \
-				>> "${WORKDIR}/modules-sign-key.config"
-		elif [[ -n ${MODULES_SIGN_KEY} ]]; then
-			die "MODULES_SIGN_KEY=${MODULES_SIGN_KEY} not found or not readable!"
-		fi
 		merge_configs+=( "${WORKDIR}/modules-sign.config" )
 	fi
 
@@ -657,7 +645,19 @@ kernel-build_merge_configs() {
 	fi
 
 	if [[ ${KERNEL_IUSE_MODULES_SIGN} ]] && use modules-sign; then
-		merge_configs+=( "${WORKDIR}/modules-sign-key.config" )
+		if [[ -n ${MODULES_SIGN_KEY_CONTENTS} ]]; then
+			(umask 066 && touch "${T}/kernel_key.pem" || die)
+			echo "${MODULES_SIGN_KEY_CONTENTS}" > "${T}/kernel_key.pem" || die
+			unset MODULES_SIGN_KEY_CONTENTS
+			export MODULES_SIGN_KEY="${T}/kernel_key.pem"
+		fi
+		if [[ ${MODULES_SIGN_KEY} == pkcs11:* || -r ${MODULES_SIGN_KEY} ]]; then
+			echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \
+				>> "${WORKDIR}/modules-sign-key.config"
+			merge_configs+=( "${WORKDIR}/modules-sign-key.config" )
+		elif [[ -n ${MODULES_SIGN_KEY} ]]; then
+			die "MODULES_SIGN_KEY=${MODULES_SIGN_KEY} not found or not readable!"
+		fi
 	fi
 
 	if [[ ${#user_configs[@]} -gt 0 ]]; then
-- 
2.46.0



^ permalink raw reply related	[flat|nested] only message in thread

only message in thread, other threads:[~2024-08-25 15:32 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-08-25 15:32 [gentoo-dev] [PATCH] kernel-build.eclass: fix module signing with unspecified key Andrew Ammerlaan

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox