From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id D037215800A for ; Tue, 18 Jul 2023 08:20:15 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id DC785E08DB; Tue, 18 Jul 2023 08:20:11 +0000 (UTC) Received: from smtp.gentoo.org (woodpecker.gentoo.org [140.211.166.183]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 5EE5AE08D3 for ; Tue, 18 Jul 2023 08:20:11 +0000 (UTC) Message-ID: <3cc16a1e-4800-fe21-2732-9e543bcc3988@gentoo.org> Date: Tue, 18 Jul 2023 10:20:06 +0200 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [gentoo-dev] [PATCH 1/5 v2]: secureboot.eclass: add new eclass To: gentoo-dev@lists.gentoo.org References: <5d102e6d-b854-57a7-e4b1-4688c62a9556@gentoo.org> Content-Language: en-US, nl-NL From: Andrew Ammerlaan Autocrypt: addr=andrewammerlaan@gentoo.org; keydata= xsBNBF3n3cUBCAC6uoDZ0XzaO29l8AzUblXQ5rxZI7nbGEnfFqjEQCK3oEXxsDa9Ez1myx3M ir53Vyx64Iz1Bq/TOS/PttgguPpiLggCpTTD2vavp5SwFmg272+P8bUJVJF2mMRm0OR/YPiA B5dNfcoLqKIj+ZMOtrZ72B7agkUn+iDt8lB2fZ7XhfZMyQBXICYSe+EiJJmTuvIhHhOn7GCT VjpwGYCCSw3F/j2VPmJPUftz6Nb4oWaiaJ6ZwroS2ECYqZKeo+dXCsmB/LZWYqIFSSPILTLZ f1Hh/TklnQqkNVO+nY/B/o9RVYAhWJbl/F4VaKlRXemE+pDZIALlK8kt0IFU6liUOHHlABEB AAHNLUFuZHJldyBBbW1lcmxhYW4gPGFuZHJld2FtbWVybGFhbkBnZW50b28ub3JnPsLAlwQT AQgAQQIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAUJB17B8hYhBAb/U0G9gF2wvH0HpqGf Y2zU7bzRBQJjZW15AhkBAAoJEKGfY2zU7bzRnzoH/35qBVzk/a2mYkQVDXxtbusEZwFJDNY5 FPVR/qKdN9C0fFdPVmStpMET/YUjltBRNjNwQ2t0Qux0pP2bcRcPXV/6uFifIDdU2wK1cHEZ XWZdhZ9kLQfGF8R0zy0ZiKem+6jIcQ0lZ+sAO5Dp2a/8AWFVWIQs7ZukQYX7bXLj3Hc5J9y3 ZWjwHStoH0fNwTmHy8qNCx02LAbeH4Tite9+wggiOWt85zlRH79aEd/SZwoXa3FQ91v/xkD3 jfv3kF2ImOXSS8lTL9iGYoOuYHQptEXzmSD1fw9fdZAj4f0MZKkFlkRWIHKJi1IMnSDk7f56 2CJ98DJexkG0v88F/ONqJ0POwE0EXefdxQEIAJtT7965MCxOTic3mISWSI6Z3mFFYmUkxQt8 gBVsTAezOrkd6xEt/HnFPZqeGnbSiV8gMFPKv4RkaXxWfQYKm+9/12qJNEFdVop1rpe77lU2 h0elVXuWiWsNmwqEhQcs1mq/awzO81Lyob9Miai2qNQ9MBikmFAp9c4n8C42kPLVrTKPmemI 95gZ1Y830W+udYg1jNqLF2ucMDUX1M1U2EfazWI0pNCwPoKnOqAJS+VQbyxtJ1IlE3+9sk+6 hjlTTF+RDYGv5hUoWkmcXDM2X/Cl0XB4XYOWr17Wa6+WXC+80/iLxxolMqM4KfuIR5OizbqK 2CRAJY7la7TSv1lTD1cAEQEAAcLAfAQYAQgAJgIbDBYhBAb/U0G9gF2wvH0HpqGfY2zU7bzR BQJjZWxoBQkHXsIjAAoJEKGfY2zU7bzR3R0IAISoT/Ev/Z1pEgqXmCMRA33L5AqS9BhpCorq rP+L6bW/3FyZj2CTp2wLvpmipSpQagvfZE/iIxdckQNfTqOvYQzVIHkzMtMWUgo9UPI2YAiT pg6izIBsU6z4CQOS+N+1cfKUax+HflVIhxmHMe//ecABUi3N7tYrKmIsptGLkCkE0mmT7VLp RscXeghS8e5m00Zdm1tDhkkmE8l+U3NbAvhShE9LsxRZpZiV+lFTXd8nBifPea2F7VYteD2j s/aPMSzH+6qmXeTu1gH8HuGZuW/REDY+lTVmhZ3Caa50yTNB5s90kprPvIfDAB6cbglpwvpD eZueZnPaHcGF1SLcC48= Organization: Gentoo Linux In-Reply-To: <5d102e6d-b854-57a7-e4b1-4688c62a9556@gentoo.org> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Archives-Salt: faa5e11f-b678-432d-93e3-8804e9c1f778 X-Archives-Hash: ca05a7dfe4e1d8a89a6c08a700be10d7 v2 is mostly just some style fixes and simplifications. The only major difference is that secureboot_auto_sign now also finds .efi32, .efi64 in addition to .efi files. Furthermore, the find is now case insensitive. Best regards, Andrew From 5fa9c00477917b07cbecd1619506d6db8e978cfd Mon Sep 17 00:00:00 2001 From: Andrew Ammerlaan Date: Tue, 11 Jul 2023 19:47:52 +0200 Subject: [PATCH] eclass/secureboot.eclass: add new eclass Signed-off-by: Andrew Ammerlaan --- eclass/secureboot.eclass | 173 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 173 insertions(+) create mode 100644 eclass/secureboot.eclass diff --git a/eclass/secureboot.eclass b/eclass/secureboot.eclass new file mode 100644 index 0000000000000..477722a83bb3b --- /dev/null +++ b/eclass/secureboot.eclass @@ -0,0 +1,173 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +# @ECLASS: secureboot.eclass +# @MAINTAINER: +# Andrew Ammerlaan +# @AUTHOR: +# Author: Andrew Ammerlaan +# @SUPPORTED_EAPIS: 7 8 +# @BLURB: A small eclass to sign efi files for Secure Boot +# @DESCRIPTION: +# Eclass for packages that install .efi files. A use flag and two user +# variables allow signing these .efi files for use on systems with Secure Boot +# enabled. +# +# Signing the files during emerge ensures that any tooling that actually +# installs the bootloaders and kernels to ESP always uses a signed version. +# This prevents Secure Boot from accidentally breaking when upgrading the +# kernel or the bootloader. +# +# Example use +# @CODE +# src_install() { +# default +# secureboot_sign_efi_file in.efi out.efi.signed +# } +# @CODE +# +# Or +# @CODE +# src_install() { +# default +# secureboot_auto_sign +# } +# @CODE +# +# Some tools will automatically detect and use EFI executables with the .signed +# suffix. For tools that do not do this the --in-place argument for +# secureboot_auto_sign can be used to ensure that the signed version is used. + +case ${EAPI} in + 7|8) ;; + *) die "${ECLASS}: EAPI ${EAPI:-0} not supported" ;; +esac + +IUSE="secureboot" +BDEPEND="secureboot? ( app-crypt/sbsigntools )" + +# @ECLASS_VARIABLE: SECUREBOOT_SIGN_KEY +# @USER_VARIABLE +# @DEFAULT_UNSET +# @DESCRIPTION: +# Used with USE=secureboot. Should be set to the path of the private +# key in PEM format to use, or a PKCS#11 URI. +# +# @ECLASS_VARIABLE: SECUREBOOT_SIGN_CERT +# @USER_VARIABLE +# @DEFAULT_UNSET +# @DESCRIPTION: +# Used with USE=secureboot. Should be set to the path of the public +# key certificate in PEM format to use. + +if [[ -z ${_SECUREBOOT_ECLASS} ]]; then +_SECUREBOOT_ECLASS=1 + +# @FUNCTION: _secureboot_die_if_unset +# @INTERNAL +# @DESCRIPTION: +# If USE=secureboot is enabled die if the required user variables are unset +# and die if the keys can't be found. +_secureboot_die_if_unset() { + debug-print-function ${FUNCNAME[0]} "${@}" + use secureboot || return + + if [[ -z ${SECUREBOOT_SIGN_KEY} || -z ${SECUREBOOT_SIGN_CERT} ]]; then + die "USE=secureboot enabled but SECUREBOOT_SIGN_KEY and/or SECUREBOOT_SIGN_CERT not set." + fi + if [[ ! ${SECUREBOOT_SIGN_KEY} == pkcs11:* && ! -f ${SECUREBOOT_SIGN_KEY} ]]; then + die "SECUREBOOT_SIGN_KEY=${SECUREBOOT_SIGN_KEY} not found" + fi + if [[ ! -f ${SECUREBOOT_SIGN_CERT} ]];then + die "SECUREBOOT_SIGN_CERT=${SECUREBOOT_SIGN_CERT} not found" + fi +} + +# @FUNCTION: secureboot_pkg_setup +# @DESCRIPTION: +# Checks if required user variables are set before starting the build +secureboot_pkg_setup() { + debug-print-function ${FUNCNAME[0]} "${@}" + use secureboot || return + + # If we are merging a binary then the files in this binary + # are already signed, no need to check the variables. + if [[ ${MERGE_TYPE} != binary ]]; then + _secureboot_die_if_unset + fi +} + +# @FUNCTION: secureboot_sign_efi_file +# @USAGE: +# @DESCRIPTION: +# Sign a file using sbsign and the requested key/certificate. +# If the file is already signed with our key then skip. +secureboot_sign_efi_file() { + debug-print-function ${FUNCNAME[0]} "${@}" + use secureboot || return + + local input_file=${1} + local output_file=${2} + + _secureboot_die_if_unset + + ebegin "Signing ${input_file}" + local return=1 + if sbverify "${input_file}" --cert "${SECUREBOOT_SIGN_CERT}" &> /dev/null; then + ewarn "${input_file} already signed, skipping" + return=0 + else + local args=( + "--key=${SECUREBOOT_SIGN_KEY}" + "--cert=${SECUREBOOT_SIGN_CERT}" + ) + if [[ ${SECUREBOOT_SIGN_KEY} == pkcs11:* ]]; then + args+=( --engine=pkcs11 ) + fi + + sbsign "${args[@]}" "${input_file}" --output "${output_file}" + return=${?} + fi + eend ${return} || die "Signing ${input_file} failed" +} + +# @FUNCTION: secureboot_auto_sign +# @USAGE: [--in-place] +# @DESCRIPTION: +# Automatically discover and sign efi files in the image directory. +# +# By default signed files gain the .signed suffix. If the --in-place +# argument is given the efi files are replaced with a signed version in place. +secureboot_auto_sign() { + debug-print-function ${FUNCNAME[0]} "${@}" + use secureboot || return + + [[ ${EBUILD_PHASE} == install ]] || + die "${FUNCNAME[0]} can only be called in the src_install phase" + + local -a efi_execs + mapfile -td '' efi_execs < <( + find "${ED}" -type f \ + \( -iname '*.efi' -o -iname '*.efi32' -o -iname '*.efi64' \) \ + -print0 || die + ) + (( ${#efi_execs[@]} )) || + die "${FUNCNAME[0]} was called but no efi executables were found" + + local suffix + if [[ ${1} == --in-place ]]; then + suffix="" + elif [[ -n ${1} ]]; then + die "Invalid argument ${1}" + else + suffix=".signed" + fi + + for efi_exec in "${efi_execs[@]}"; do + secureboot_sign_efi_file "${efi_exec}" "${efi_exec}${suffix}" + done +} + +fi + +EXPORT_FUNCTIONS pkg_setup