Message-ID: <5e674e87-906e-9dd2-1f11-8c0d9fb776d2@gentoo.org>
Date: Sat, 17 Jun 2023 20:12:02 +0200
From: Andrew Ammerlaan
Organization: Gentoo Linux
To: gentoo-dev@lists.gentoo.org
Reply-to: gentoo-dev@lists.gentoo.org
List-Id: Gentoo Linux mail
Subject: Re: [gentoo-dev] [PATCH 1/2 v3] kernel-build.eclass: add IUSE="strip", install generated keys

No functional changes in version 3, just renaming some variables and splitting the version 2 patch.

From 969f242c3269c068ebfe5adc37ebfc92dcd56181 Mon Sep 17 00:00:00 2001
From: Andrew Ammerlaan Date: Thu, 15 Jun 2023 11:50:10 +0200 Subject: [PATCH] kernel-build.eclass: add IUSE="strip", install generated keys - Let the kernel build system handle stripping of the modules. This is necessary for successfully signing and compressing modules. Inspired by linux-mod-r1.eclass. - If the build system has generated keys or certificates, install them. This is required to successfully sign external kernel modules. Closes: https://bugs.gentoo.org/814344 Closes: https://bugs.gentoo.org/881651 Signed-off-by: Andrew Ammerlaan --- eclass/kernel-build.eclass | 26 +++++++++++++++++++++++--- 1 file changed, 23 insertions(+), 3 deletions(-) diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass index da215a055a467..abfb01720817a 100644 --- a/eclass/kernel-build.eclass +++ b/eclass/kernel-build.eclass @@ -1,4 +1,4 @@ -# Copyright 2020-2022 Gentoo Authors +# Copyright 2020-2023 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 # @ECLASS: kernel-build.eclass @@ -41,6 +41,8 @@ BDEPEND=" app-alternatives/yacc " +IUSE="+strip" + # @FUNCTION: kernel-build_src_configure # @DESCRIPTION: # Prepare the toolchain for building the kernel, get the default .config @@ -83,7 +85,7 @@ kernel-build_src_configure() { LD="${LD}" AR="$(tc-getAR)" NM="$(tc-getNM)" - STRIP=":" + STRIP="$(tc-getSTRIP)" OBJCOPY="$(tc-getOBJCOPY)" OBJDUMP="$(tc-getOBJDUMP)" 
@@ -176,8 +178,18 @@ kernel-build_src_install() { targets+=( dtbs_install ) fi + # Use the kernel build system to strip, this ensures the modules + # are stripped *before* they are signed or compressed. + local strip_args + if use strip; then + strip_args="--strip-unneeded" + fi + # Modules were already stripped by the kernel build system + dostrip -x /lib/modules + emake O="${WORKDIR}"/build "${MAKEARGS[@]}" \ - INSTALL_MOD_PATH="${ED}" INSTALL_PATH="${ED}/boot" "${targets[@]}" + INSTALL_MOD_PATH="${ED}" INSTALL_MOD_STRIP="${strip_args}" \ + INSTALL_PATH="${ED}/boot" "${targets[@]}" # note: we're using mv rather than doins to save space and time # install main and arch-specific headers first, and scripts @@ -217,6 +229,14 @@ kernel-build_src_install() { local image_path=$(dist-kernel_get_image_path) cp -p "build/${image_path}" "${ED}${kernel_dir}/${image_path}" || die + # If a key was generated, copy it so external modules can be signed + local suffix + for suffix in pem x509; do + if [[ -f "build/certs/signing_key.${suffix}" ]]; then + cp -p "build/certs/signing_key.${suffix}" "${ED}${kernel_dir}/certs" || die + fi + done + # building modules fails with 'vmlinux has no symtab?' if stripped use ppc64 && dostrip -x "${kernel_dir}/${image_path}"
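Review bot: In the kernel-build_src_install() hunk at @@ -176,8 +178,18, the comment "Modules were already stripped by the kernel build system" is only accurate when USE=strip is enabled; with the flag off, strip_args stays empty and nothing has stripped the modules, yet dostrip -x /lib/modules still runs. Suggest rewording that comment to give the reason that holds in both cases (Portage must not strip the modules after the kernel build system has signed or compressed them), and declaring the variable as local strip_args="" so that passing an empty INSTALL_MOD_STRIP is visibly intentional.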
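Review bot: In the hunk at @@ -217,6 +229,14, the loop copies signing_key.pem, which holds the private module signing key, into the image with cp -p, so the installed file keeps whatever mode the kernel build left on it and nothing here restricts who can read it under ${kernel_dir}/certs. Suggest setting an explicit owner-only mode on the installed .pem (the .x509 certificate can stay readable) and documenting in the eclass that the key also ends up in any binary package built from this image. Separately, the destination "${ED}${kernel_dir}/certs" is not created in this hunk; if it does not already exist at this point, cp will create a regular file named certs and the second iteration will overwrite it, so either create the directory first or add a trailing slash to the destination so the copy fails loudly.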