* [gentoo-dev] [PATCH 1/2] kernel-build.eclass: sign the kernel image earlier in src_install
From: Andrew Ammerlaan @ 2023-08-26 19:44 UTC
To: gentoo-dev
Hi all,
By signing the kernel image in src_install instead of pkg_postinst the
signed version is included in any generated binpkg. This is useful for
enabling secureboot on machines that do not have the secureboot private
key available. This change makes it possible to distribute a signed
kernel image in sys-kernel/gentoo-kernel-bin.
Note, UKIs are always generated locally, so if UKIs are used these will
still have to be signed in pkg_postinst and therefore the private key is
still required on all systems with USE=secureboot and uefi=yes in
dracut.conf.
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
---
eclass/kernel-build.eclass | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index 5b324e036c5f9..035b1e7cd02ac 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -33,6 +33,7 @@ if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
# If we have enabled module signing IUSE
# then we can also enable secureboot IUSE
KERNEL_IUSE_SECUREBOOT=1
+ inherit secureboot
fi
inherit multiprocessing python-any-r1 savedconfig toolchain-funcs
kernel-install
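Review bot: the new `inherit secureboot` sits inside the `if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]` block, so `secureboot_sign_efi_file` only exists when module signing is enabled and the `KERNEL_IUSE_SECUREBOOT` guard later in src_install is what keeps the call from hitting an undefined function; extend the comment above `KERNEL_IUSE_SECUREBOOT=1` to say that secureboot.eclass is inherited here for that function, since the conditional inherit is otherwise undocumented.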
@@ -348,6 +349,10 @@ kernel-build_src_install() {
dosym "../../../${kernel_dir}" "/lib/modules/${module_ver}/build"
dosym "../../../${kernel_dir}" "/lib/modules/${module_ver}/source"
+ if [[ ${KERNEL_IUSE_SECUREBOOT} ]]; then
+ secureboot_sign_efi_file "${ED}${kernel_dir}/${image_path}"
"${ED}${kernel_dir}/${image_path}"
+ fi
+
# unset to at least be out of the environment file in, e.g. shared
binpkgs
unset KBUILD_SIGN_PIN
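Review bot: the call `secureboot_sign_efi_file "${ED}${kernel_dir}/${image_path}" "${ED}${kernel_dir}/${image_path}"` passes the same path twice to sign in place, and because it now runs in src_install the signing key and PIN have to be present on the build host; a one-line comment above the call saying so (and that `use secureboot` is checked inside the function, so the guard here is only about the inherit) would save the next reader a trip to secureboot.eclass. The hunk also signs whatever `${image_path}` resolves to without checking that it is a PE image; if any supported arch produces a non-PE image, sbsign will fail here, so consider skipping with a message in that case.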
* Re: [gentoo-dev] [PATCH 1/2] kernel-build.eclass: sign the kernel image earlier in src_install
From: Andrew Ammerlaan @ 2023-08-26 19:44 UTC
To: gentoo-dev
If we are not using UKIs we don't have to do anything since the kernel image
was already signed in kernel-build.eclass.
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
---
eclass/dist-kernel-utils.eclass | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/eclass/dist-kernel-utils.eclass
b/eclass/dist-kernel-utils.eclass
index 6903183b6efb3..2a257a7b6dc8b 100644
--- a/eclass/dist-kernel-utils.eclass
+++ b/eclass/dist-kernel-utils.eclass
@@ -131,11 +131,11 @@ dist-kernel_install_kernel() {
done
shopt -u nullglob
export KERNEL_INSTALL_PLUGINS="${KERNEL_INSTALL_PLUGINS} ${plugins[@]}"
- fi
- if [[ ${KERNEL_IUSE_SECUREBOOT} ]]; then
- # Kernel-install requires uki's are named uki.efi, sign in-place
- secureboot_sign_efi_file "${image}" "${image}"
+ if [[ ${KERNEL_IUSE_SECUREBOOT} ]]; then
+ # Ensure the uki is signed if dracut hasn't already done so.
+ secureboot_sign_efi_file "${image}" "${image}"
+ fi
fi
ebegin "Installing the kernel via installkernel"
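Review bot: the signing call is moved inside the preceding `if` block, but that block's condition is outside the visible context, so the only evidence in the hunk that it is the UKI branch is the `KERNEL_INSTALL_PLUGINS` export; include a few more context lines or name the condition in the comment. The new comment `# Ensure the uki is signed if dracut hasn't already done so.` relies on `secureboot_sign_efi_file` skipping files already signed with the configured key, which is worth stating, otherwise a reader assumes this double-signs. The old comment's note that kernel-install requires the UKI to be named uki.efi and is signed in place is dropped rather than moved; if that constraint still holds, keep it.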
* Re: [gentoo-dev] [PATCH 1/3 v2] kernel-build.eclass: sign the kernel image earlier in src_install
From: Andrew Ammerlaan @ 2023-08-27 19:33 UTC
To: gentoo-dev
From 11c08f41e858561bd71fc5f19b612a7fd365b14a Mon Sep 17 00:00:00 2001
From: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Date: Sat, 26 Aug 2023 21:26:46 +0200
Subject: [PATCH] kernel-build.eclass: sign the kernel image earlier in src_install
By signing it in src_install instead of pkg_postinst the signed version is
included in any generated binpkg. This is useful for enabling secureboot
on machines that do not have the secureboot private key available.
This change makes it possible to distribute a signed kernel image in
sys-kernel/gentoo-kernel-bin.
Note, UKIs are always generated locally, so if UKIs are used these will
still have to be signed in pkg_postinst and therefore the private key is
still required on all systems with USE=secureboot and uefi=yes in
dracut.conf.
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
---
eclass/kernel-build.eclass | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index 5b324e036c5f9..ca105ee1f1330 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -33,6 +33,7 @@ if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
# If we have enabled module signing IUSE
# then we can also enable secureboot IUSE
KERNEL_IUSE_SECUREBOOT=1
+ inherit secureboot
fi
inherit multiprocessing python-any-r1 savedconfig toolchain-funcs
kernel-install
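Review bot: unchanged from v1: the `inherit secureboot` inside the `KERNEL_IUSE_MODULES_SIGN` block means the function is only defined when module signing is enabled; extend the comment above `KERNEL_IUSE_SECUREBOOT=1` to say that secureboot.eclass is inherited here for `secureboot_sign_efi_file`, so the conditional inherit is documented where it happens.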
@@ -348,6 +349,10 @@ kernel-build_src_install() {
dosym "../../../${kernel_dir}" "/lib/modules/${module_ver}/build"
dosym "../../../${kernel_dir}" "/lib/modules/${module_ver}/source"
+ if [[ ${KERNEL_IUSE_SECUREBOOT} ]]; then
+ secureboot_sign_efi_file "${ED}${kernel_dir}/${image_path}"
+ fi
+
# unset to at least be out of the environment file in, e.g. shared
binpkgs
unset KBUILD_SIGN_PIN
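Review bot: the single-argument call `secureboot_sign_efi_file "${ED}${kernel_dir}/${image_path}"` depends on the secureboot.eclass change posted as 3/3 v2 (`local output_file=${2:-${1}}`); with the current eclass (`local output_file=${2}`) the output file is empty, so either land the secureboot.eclass change first or renumber it to 1/3 so that every intermediate commit of the series works.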
* Re: [gentoo-dev] [PATCH 2/3] dist-kernel-utils.eclass: only sign image if it is a UKI
From: Andrew Ammerlaan @ 2023-08-27 19:34 UTC
To: gentoo-dev
From 1a1062e142cf654b43790d2a211e3d447feb055c Mon Sep 17 00:00:00 2001
From: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Date: Sat, 26 Aug 2023 21:32:07 +0200
Subject: [PATCH] dist-kernel-utils.eclass: only sign image if it is a UKI
If we are not using UKIs we don't have to do anything since the kernel image
was already signed in kernel-build.eclass.
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
---
eclass/dist-kernel-utils.eclass | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/eclass/dist-kernel-utils.eclass
b/eclass/dist-kernel-utils.eclass
index 6903183b6efb3..b2e9df6746e35 100644
--- a/eclass/dist-kernel-utils.eclass
+++ b/eclass/dist-kernel-utils.eclass
@@ -131,11 +131,11 @@ dist-kernel_install_kernel() {
done
shopt -u nullglob
export KERNEL_INSTALL_PLUGINS="${KERNEL_INSTALL_PLUGINS} ${plugins[@]}"
- fi
- if [[ ${KERNEL_IUSE_SECUREBOOT} ]]; then
- # Kernel-install requires uki's are named uki.efi, sign in-place
- secureboot_sign_efi_file "${image}" "${image}"
+ if [[ ${KERNEL_IUSE_SECUREBOOT} ]]; then
+ # Ensure the uki is signed if dracut hasn't already done so.
+ secureboot_sign_efi_file "${image}"
+ fi
fi
ebegin "Installing the kernel via installkernel"
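Review bot: same ordering dependency as 1/3 v2: `secureboot_sign_efi_file "${image}"` with one argument needs the `${2:-${1}}` default from 3/3 v2 and otherwise runs with an empty output file, so the secureboot.eclass change must be applied first. The comment `# Ensure the uki is signed if dracut hasn't already done so.` relies on the already-signed skip in `secureboot_sign_efi_file` and should say so, and the outer `if` condition is still not in the context, so a reviewer cannot confirm from the hunk alone that this is the UKI-only branch the subject promises.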
* Re: [gentoo-dev] [PATCH 3/3 v2] secureboot.eclass: secureboot_sign_efi_file allow call with 1 arg
From: Andrew Ammerlaan @ 2023-08-27 19:35 UTC
To: gentoo-dev
From efd3a440e652d96b7fadc56b171e14116be59768 Mon Sep 17 00:00:00 2001
From: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Date: Sun, 27 Aug 2023 18:24:08 +0200
Subject: [PATCH] secureboot.eclass: secureboot_sign_efi_file allow call with 1 arg
Use the input file as the output file if it is not specified.
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
sb-fix
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
---
eclass/secureboot.eclass | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/eclass/secureboot.eclass b/eclass/secureboot.eclass
index 383fe7cc3afa0..a9ba514cb7a03 100644
--- a/eclass/secureboot.eclass
+++ b/eclass/secureboot.eclass
@@ -98,16 +98,18 @@ secureboot_pkg_setup() {
}
# @FUNCTION: secureboot_sign_efi_file
-# @USAGE: <input file> <output file>
+# @USAGE: <input file> [<output file>]
# @DESCRIPTION:
# Sign a file using sbsign and the requested key/certificate.
-# If the file is already signed with our key then skip.
+# If the file is already signed with our key then the file is skipped.
+# If no output file is specified the output file will be the same
+# as the input file, i.e. the file will be overwritten.
secureboot_sign_efi_file() {
debug-print-function ${FUNCNAME[0]} "${@}"
use secureboot || return
local input_file=${1}
- local output_file=${2}
+ local output_file=${2:-${1}}
_secureboot_die_if_unset
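Review bot: `local output_file=${2:-${1}}` treats an explicitly empty second argument the same as an absent one, so the new description line `If no output file is specified the output file will be the same` should read "specified or empty" to match; the `@USAGE: <input file> [<output file>]` update itself is right. Separately, the commit message above carries a stray `sb-fix` line and a duplicated `Signed-off-by:` left over from a squash; clean that up before merging. Since the one-argument form overwrites the input, the description should also say whether the file is written directly or via a temporary and rename, because a signing failure mid-write would otherwise leave a truncated image in `${ED}`.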
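The whole series leans on one property of an EFI image: whether it already carries an Authenticode signature (the "already signed with our key then skip" behaviour of `secureboot_sign_efi_file`, and what a gentoo-kernel-bin consumer without the private key actually receives). The following is an added example, not code from the Gentoo eclasses or from sbsigntools: a small Python parser that walks the PE headers to the Certificate Table (data directory slot 4) and lists the WIN_CERTIFICATE entries it finds, which is enough to answer "is this image signed at all?" for a bzImage or uki.efi. It does not check which key made the signature; for that the PKCS#7 blob has to be verified against the expected certificate, which is what `sbverify --cert` does and this block does not reproduce. `build_pe32plus`, `make_win_certificate` and the sample blobs are constructed test data so the block runs offline.

```python
"""Detect an Authenticode signature in a PE/COFF (EFI) image (added example)."""
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # data directory slot of the Certificate Table
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode PKCS#7 SignedData
WIN_CERT_REVISION_2_0 = 0x0200


def certificate_table(image: bytes):
    """Return (file offset, size) of the Certificate Table, None if absent; raise
    ValueError on a malformed PE. This slot holds a file offset, not an RVA."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing DOS header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # 20-byte COFF header
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20                                       # optional header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == PE32_MAGIC:
        num_rva_off, dd_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        num_rva_off, dd_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (num_rva,) = struct.unpack_from("<I", image, num_rva_off)
    if num_rva <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None                                       # slot not present
    entry = dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > opt + opt_size:
        raise ValueError("data directory runs past the optional header")
    off, size = struct.unpack_from("<II", image, entry)
    if off == 0 or size == 0:
        return None
    if off + size > len(image):
        raise ValueError("certificate table runs past end of file")
    return off, size


def signatures(image: bytes):
    """Yield (revision, cert_type, blob) for each WIN_CERTIFICATE in the table."""
    table = certificate_table(image)
    if table is None:
        return
    off, end = table[0], table[0] + table[1]
    while off + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", image, off)
        if length < 8 or off + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        yield revision, cert_type, image[off + 8:off + length]
        off += (length + 7) & ~7                          # 8-byte aligned entries


def is_signed(image: bytes) -> bool:
    """True if the image carries at least one Authenticode (PKCS#7) signature."""
    return any(t == WIN_CERT_TYPE_PKCS_SIGNED_DATA for _, t, _ in signatures(image))


def make_win_certificate(blob: bytes, cert_type: int = WIN_CERT_TYPE_PKCS_SIGNED_DATA) -> bytes:
    """Wrap blob in a WIN_CERTIFICATE header and pad to the 8-byte boundary."""
    entry = struct.pack("<IHH", 8 + len(blob), WIN_CERT_REVISION_2_0, cert_type) + blob
    return entry + b"\0" * (-len(entry) % 8)


def build_pe32plus(cert_table: bytes = b"") -> bytes:
    """Constructed minimal PE32+ image (test data, not a real kernel): DOS stub,
    PE signature, COFF header, PE32+ optional header with 16 data directories
    and no sections; cert_table is appended and recorded in directory slot 4."""
    num_dirs = 16
    opt_size = 112 + 8 * num_dirs
    e_lfanew = 0x40
    cert_off = e_lfanew + 4 + 20 + opt_size if cert_table else 0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, num_dirs)
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     cert_off, len(cert_table))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert_table


if __name__ == "__main__":
    # Usage: python3 pe_sig.py /usr/src/linux/arch/x86/boot/bzImage
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:                                                 # constructed sample image
        data = build_pe32plus(make_win_certificate(b"\x30\x82\x00\x00"))
    for rev, ctype, blob in signatures(data):
        print(f"WIN_CERTIFICATE rev={rev:#06x} type={ctype:#06x} len={len(blob)}")
    print("signed" if is_signed(data) else "unsigned")
```

Pointing this at the image inside a gentoo-kernel-bin binpkg shows whether the src_install-time signing from 1/3 actually reached the package, and running it against a UKI after `installkernel` shows whether dracut or `dist-kernel_install_kernel` left a signature behind. Note that the Certificate Table can hold several entries, each 8-byte aligned, which is why the parser walks the table instead of reading one header; only entries of type 0x0002 count as Authenticode signatures.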