From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id E1C3A158099 for ; Fri, 24 Nov 2023 09:10:08 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 5700D2BC031; Fri, 24 Nov 2023 09:10:04 +0000 (UTC) Received: from smtp.gentoo.org (woodpecker.gentoo.org [140.211.166.183]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 072262BC01B for ; Fri, 24 Nov 2023 09:10:04 +0000 (UTC) Message-ID: <282a5275-0794-4af3-8f8d-9570ca8ec1ca@gentoo.org> Date: Fri, 24 Nov 2023 10:09:58 +0100 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Content-Language: en-US, nl-NL To: gentoo-dev@lists.gentoo.org From: Andrew Ammerlaan Subject: [gentoo-dev] [PATCH] kernel-build.eclass: copy module signing key to tempdir in, pkg_setup Autocrypt: addr=andrewammerlaan@gentoo.org; keydata= xsBNBF3n3cUBCAC6uoDZ0XzaO29l8AzUblXQ5rxZI7nbGEnfFqjEQCK3oEXxsDa9Ez1myx3M ir53Vyx64Iz1Bq/TOS/PttgguPpiLggCpTTD2vavp5SwFmg272+P8bUJVJF2mMRm0OR/YPiA B5dNfcoLqKIj+ZMOtrZ72B7agkUn+iDt8lB2fZ7XhfZMyQBXICYSe+EiJJmTuvIhHhOn7GCT VjpwGYCCSw3F/j2VPmJPUftz6Nb4oWaiaJ6ZwroS2ECYqZKeo+dXCsmB/LZWYqIFSSPILTLZ f1Hh/TklnQqkNVO+nY/B/o9RVYAhWJbl/F4VaKlRXemE+pDZIALlK8kt0IFU6liUOHHlABEB AAHNLUFuZHJldyBBbW1lcmxhYW4gPGFuZHJld2FtbWVybGFhbkBnZW50b28ub3JnPsLAlwQT AQgAQQIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAIZARYhBAb/U0G9gF2wvH0HpqGfY2zU 7bzRBQJlNiYEBQkJL3u/AAoJEKGfY2zU7bzRUeYH/33eX3sOyo3++xcqR/KrTNodkgWAknPe Jl8BiYdIn7zEgif5Fz6Uu8IzjfDpPd8uR82sbV2uQWarrpNmnPrAACKuAuYN9vnuLZ+9UWz6 ybGqMm545+qsFtUTTzdveMPEWr2nr+payfxthK6OdgZU5ZseLxDS9KYmBeAC7RVnIWMVDn9n opmuFK5iGxIUvIbYIl/xrk2HPAIsh1ScLBy4z7r8PFmWT1XGC0Na6PJyEG2KiQXwjKxwsljQ 6mKEAkKOkbifD0CSO8eg56ccf8WYo0s/+SiYjBjI9SEhbgZbiUbpTSw3eT/g4V2SKX1CYs1z 717XjlMKzqBNaw+AzWgrk0TOwE0EXefdxQEIAJtT7965MCxOTic3mISWSI6Z3mFFYmUkxQt8 gBVsTAezOrkd6xEt/HnFPZqeGnbSiV8gMFPKv4RkaXxWfQYKm+9/12qJNEFdVop1rpe77lU2 h0elVXuWiWsNmwqEhQcs1mq/awzO81Lyob9Miai2qNQ9MBikmFAp9c4n8C42kPLVrTKPmemI 95gZ1Y830W+udYg1jNqLF2ucMDUX1M1U2EfazWI0pNCwPoKnOqAJS+VQbyxtJ1IlE3+9sk+6 hjlTTF+RDYGv5hUoWkmcXDM2X/Cl0XB4XYOWr17Wa6+WXC+80/iLxxolMqM4KfuIR5OizbqK 2CRAJY7la7TSv1lTD1cAEQEAAcLAfAQYAQgAJgIbDBYhBAb/U0G9gF2wvH0HpqGfY2zU7bzR BQJlNiHABQkJL3d7AAoJEKGfY2zU7bzRjDwH/1fp/87km2YYVgrfP1aWLjAA/TwcEVycRJQQ S9Q6xuzgD5AYhjzBSONoN46cwf+gla6xndY0lCawsZN7whtJ/DhqSZEfL0HgHkJ6T8FCXexf n1s6XmIAxqIrMmfsuOkAPLJIHzAAGzQX8DXcRSj1cIDUpa1Uy7ncVvI4EzJBRtJVJXIbl+53 NGauXU8ZuprPYkMSPuW3eHATFc0F5DhmlFUXh+HYYK+2QTO73TENMhngkrYcw63je5bRp/+f 72XFKlf1gXHK1ivg8nYueyUfrxZTBGKagusOiQeOao2I1uYcHoFhPYJrQWePMyZiYyB6PR0K DR4B/Ulo3v0eBXaaYzo= Organization: Gentoo Linux Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Archives-Salt: f2b5f123-831d-4ad5-8234-aa10c4c8cbfd X-Archives-Hash: e2e962578e104f5e32c5b1a5650347df Patch from https://github.com/gentoo/gentoo/pull/33850 Note that we only have this problem here, and not in linux-mod-r1.eclass or secureboot.eclass, because in the latter two eclasses the signing is done in src_install while the kernel build system requires the key in src_compile. src_install has root privileges, src_compile does not. This is a better solution then simply having the key readable by the portage user on the file system directly. Best regards, Andrew From aacf155e66f42a4ccd33a666e29210042659ad90 Mon Sep 17 00:00:00 2001 From: Violet Purcell Date: Thu, 16 Nov 2023 12:23:16 -0500 Subject: [PATCH] kernel-build.eclass: copy module signing key to tempdir in pkg_setup Previously, it was being copied in src_prepare, and thus would fail if the signing key was not readable by portage:portage. This commit makes kernel-build.eclass instead copy the signing key in pkg_setup, and then correct the permissions. Signed-off-by: Violet Purcell --- eclass/kernel-build.eclass | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass index 4f7e4d0477393..6f18bc1dc9694 100644 --- a/eclass/kernel-build.eclass +++ b/eclass/kernel-build.eclass @@ -114,6 +114,16 @@ kernel-build_pkg_setup() { python-any-r1_pkg_setup if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then secureboot_pkg_setup + if [[ -e ${MODULES_SIGN_KEY} && ${MODULES_SIGN_KEY} != pkcs11:* ]]; then + if [[ -e ${MODULES_SIGN_CERT} && ${MODULES_SIGN_CERT} != ${MODULES_SIGN_KEY} ]]; then + cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" > "${T}/kernel_key.pem" || die + else + cp "${MODULES_SIGN_KEY}" "${T}/kernel_key.pem" || die + fi + chown portage:portage "${T}/kernel_key.pem" || die + chmod 0400 "${T}/kernel_key.pem" || die + export MODULES_SIGN_KEY="${T}/kernel_key.pem" + fi fi } @@ -427,13 +437,6 @@ kernel-build_merge_configs() { CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y EOF - if [[ -e ${MODULES_SIGN_KEY} && -e ${MODULES_SIGN_CERT} && - ${MODULES_SIGN_KEY} != ${MODULES_SIGN_CERT} && - ${MODULES_SIGN_KEY} != pkcs11:* ]] - then - cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" > "${T}/kernel_key.pem" || die - MODULES_SIGN_KEY="${T}/kernel_key.pem" - fi if [[ ${MODULES_SIGN_KEY} == pkcs11:* || -r ${MODULES_SIGN_KEY} ]]; then echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \ >> "${WORKDIR}/modules-sign.config"