From: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: [gentoo-dev] [PATCH] kernel-build.eclass: copy module signing key to tempdir in, pkg_setup
Date: Fri, 24 Nov 2023 10:09:58 +0100 [thread overview]
Message-ID: <282a5275-0794-4af3-8f8d-9570ca8ec1ca@gentoo.org> (raw)
Patch from https://github.com/gentoo/gentoo/pull/33850
Note that we only have this problem here, and not in linux-mod-r1.eclass
or secureboot.eclass, because in the latter two eclasses the signing is
done in src_install while the kernel build system requires the key in
src_compile. src_install has root privileges, src_compile does not.
This is a better solution then simply having the key readable by the
portage user on the file system directly.
Best regards,
Andrew
From aacf155e66f42a4ccd33a666e29210042659ad90 Mon Sep 17 00:00:00 2001
From: Violet Purcell <vimproved@inventati.org>
Date: Thu, 16 Nov 2023 12:23:16 -0500
Subject: [PATCH] kernel-build.eclass: copy module signing key to tempdir
in pkg_setup
Previously, it was being copied in src_prepare, and thus would fail if
the signing key was not readable by portage:portage. This commit makes
kernel-build.eclass instead copy the signing key in pkg_setup, and then
correct the permissions.
Signed-off-by: Violet Purcell <vimproved@inventati.org>
---
eclass/kernel-build.eclass | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index 4f7e4d0477393..6f18bc1dc9694 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -114,6 +114,16 @@ kernel-build_pkg_setup() {
python-any-r1_pkg_setup
if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
secureboot_pkg_setup
+ if [[ -e ${MODULES_SIGN_KEY} && ${MODULES_SIGN_KEY} != pkcs11:* ]]; then
+ if [[ -e ${MODULES_SIGN_CERT} && ${MODULES_SIGN_CERT} !=
${MODULES_SIGN_KEY} ]]; then
+ cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" >
"${T}/kernel_key.pem" || die
+ else
+ cp "${MODULES_SIGN_KEY}" "${T}/kernel_key.pem" || die
+ fi
+ chown portage:portage "${T}/kernel_key.pem" || die
+ chmod 0400 "${T}/kernel_key.pem" || die
+ export MODULES_SIGN_KEY="${T}/kernel_key.pem"
+ fi
fi
}
@@ -427,13 +437,6 @@ kernel-build_merge_configs() {
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y
EOF
- if [[ -e ${MODULES_SIGN_KEY} && -e ${MODULES_SIGN_CERT} &&
- ${MODULES_SIGN_KEY} != ${MODULES_SIGN_CERT} &&
- ${MODULES_SIGN_KEY} != pkcs11:* ]]
- then
- cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" >
"${T}/kernel_key.pem" || die
- MODULES_SIGN_KEY="${T}/kernel_key.pem"
- fi
if [[ ${MODULES_SIGN_KEY} == pkcs11:* || -r ${MODULES_SIGN_KEY} ]];
then
echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \
>> "${WORKDIR}/modules-sign.config"
reply other threads:[~2023-11-24 9:10 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=282a5275-0794-4af3-8f8d-9570ca8ec1ca@gentoo.org \
--to=andrewammerlaan@gentoo.org \
--cc=gentoo-dev@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox