public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] [PATCH 1/2] kernel-build.eclass: sign the kernel image earlier in, src_install
@ 2023-08-26 19:44 Andrew Ammerlaan
  2023-08-26 19:44 ` Andrew Ammerlaan
  2023-08-27 19:33 ` [gentoo-dev] [PATCH 1/3 v2] kernel-build.eclass: sign the kernel image earlier in, src_install Andrew Ammerlaan
  0 siblings, 2 replies; 5+ messages in thread
From: Andrew Ammerlaan @ 2023-08-26 19:44 UTC
  To: gentoo-dev

Hi all,

By signing the kernel image in src_install instead of pkg_postinst the
signed version is included in any generated binpkg. This is useful for
enabling secureboot on machines that do not have the secureboot private
key available.

This change makes it possible to distribute a signed kernel image in
sys-kernel/gentoo-kernel-bin.

Note, UKIs are always generated locally, so if UKIs are used these will
still have to be signed in pkg_postinst and therefore the private key is
still required on all systems with USE=secureboot and uefi=yes in
dracut.conf.

Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
---
  eclass/kernel-build.eclass | 5 +++++
  1 file changed, 5 insertions(+)

diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index 5b324e036c5f9..035b1e7cd02ac 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -33,6 +33,7 @@ if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
  	# If we have enabled module signing IUSE
  	# then we can also enable secureboot IUSE
  	KERNEL_IUSE_SECUREBOOT=1
+	inherit secureboot
  fi

  inherit multiprocessing python-any-r1 savedconfig toolchain-funcs 
kernel-install
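
Review bot: `inherit secureboot` is guarded by `KERNEL_IUSE_MODULES_SIGN`, while the new call in kernel-build_src_install is guarded by `KERNEL_IUSE_SECUREBOOT`. If an ebuild can set KERNEL_IUSE_SECUREBOOT on its own, without KERNEL_IUSE_MODULES_SIGN, src_install would call secureboot_sign_efi_file without the eclass having been inherited. Either key the inherit on KERNEL_IUSE_SECUREBOOT or document next to the assignment that the variable is only ever set by this block.
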
@@ -348,6 +349,10 @@ kernel-build_src_install() {
  	dosym "../../../${kernel_dir}" "/lib/modules/${module_ver}/build"
  	dosym "../../../${kernel_dir}" "/lib/modules/${module_ver}/source"

+	if [[ ${KERNEL_IUSE_SECUREBOOT} ]]; then
+		secureboot_sign_efi_file "${ED}${kernel_dir}/${image_path}" 
"${ED}${kernel_dir}/${image_path}"
+	fi
+
  	# unset to at least be out of the environment file in, e.g. shared 
binpkgs
  	unset KBUILD_SIGN_PIN
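
Review bot: the new signing call sits directly above `unset KBUILD_SIGN_PIN`, whose comment is about keeping the module-signing PIN out of the environment file of shared binpkgs, and the same concern is not addressed for the secureboot signing inputs. Since the stated goal is to ship the signed image in binpkgs, please confirm that whatever key, certificate or PIN settings secureboot_sign_efi_file reads do not end up in the saved environment, or unset them here as well. The call also passes the same path as both input and output, which is worth a short comment saying the image is signed in place inside `${ED}`.
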




* Re: [gentoo-dev] [PATCH 1/2] kernel-build.eclass: sign the kernel image earlier in, src_install
  2023-08-26 19:44 [gentoo-dev] [PATCH 1/2] kernel-build.eclass: sign the kernel image earlier in, src_install Andrew Ammerlaan
@ 2023-08-26 19:44 ` Andrew Ammerlaan
  2023-08-27 19:34   ` [gentoo-dev] [PATCH 2/3] dist-kernel-utils.eclass: only sign image if it is a UKI Andrew Ammerlaan
  2023-08-27 19:33 ` [gentoo-dev] [PATCH 1/3 v2] kernel-build.eclass: sign the kernel image earlier in, src_install Andrew Ammerlaan
  1 sibling, 1 reply; 5+ messages in thread
From: Andrew Ammerlaan @ 2023-08-26 19:44 UTC
  To: gentoo-dev

If we are not using UKIs we don't have to do anything since the kernel image
was already signed in kernel-build.eclass.

Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
---
  eclass/dist-kernel-utils.eclass | 8 ++++----
  1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/eclass/dist-kernel-utils.eclass 
b/eclass/dist-kernel-utils.eclass
index 6903183b6efb3..2a257a7b6dc8b 100644
--- a/eclass/dist-kernel-utils.eclass
+++ b/eclass/dist-kernel-utils.eclass
@@ -131,11 +131,11 @@ dist-kernel_install_kernel() {
  		done
  		shopt -u nullglob
  		export KERNEL_INSTALL_PLUGINS="${KERNEL_INSTALL_PLUGINS} ${plugins[@]}"
-	fi

-	if [[ ${KERNEL_IUSE_SECUREBOOT} ]]; then
-		# Kernel-install requires uki's are named uki.efi, sign in-place
-		secureboot_sign_efi_file "${image}" "${image}"
+		if [[ ${KERNEL_IUSE_SECUREBOOT} ]]; then
+			# Ensure the uki is signed if dracut hasn't already done so.
+			secureboot_sign_efi_file "${image}" "${image}"
+		fi
  	fi

  	ebegin "Installing the kernel via installkernel"
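
Review bot: with the signing call moved inside the preceding `if` block, an image that does not take that branch is no longer signed anywhere in dist-kernel_install_kernel, so correctness now depends on every caller having gone through the kernel-build_src_install signing from patch 1. Please confirm that holds for all ebuilds that call this function, and state the dependency in the commit message so the two patches are not applied or reverted separately. The removed comment also explained why signing is done in place ("Kernel-install requires uki's are named uki.efi"); that reason is still useful next to the call.
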




* Re: [gentoo-dev] [PATCH 1/3 v2] kernel-build.eclass: sign the kernel image earlier in, src_install
  2023-08-26 19:44 [gentoo-dev] [PATCH 1/2] kernel-build.eclass: sign the kernel image earlier in, src_install Andrew Ammerlaan
  2023-08-26 19:44 ` Andrew Ammerlaan
@ 2023-08-27 19:33 ` Andrew Ammerlaan
  2023-08-27 19:35   ` [gentoo-dev] [PATCH 3/3 v2] secureboot.eclass: secureboot_sign_efi_file allow call with 1 Andrew Ammerlaan
  1 sibling, 1 reply; 5+ messages in thread
From: Andrew Ammerlaan @ 2023-08-27 19:33 UTC
  To: gentoo-dev

 From 11c08f41e858561bd71fc5f19b612a7fd365b14a Mon Sep 17 00:00:00 2001
From: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Date: Sat, 26 Aug 2023 21:26:46 +0200
Subject: [PATCH] kernel-build.eclass: sign the kernel image earlier in
  src_install

By signing it in src_install instead of pkg_postinst the signed version is
included in any generated binpkg. This is useful for enabling secureboot
on machines that do not have the secureboot private key available.

This change makes it possible to distribute a signed kernel image in
sys-kernel/gentoo-kernel-bin.

Note, UKIs are always generated locally, so if UKIs are used these will
still have to be signed in pkg_postinst and therefore the private key is
still required on all systems with USE=secureboot and uefi=yes in
dracut.conf.

Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
---
  eclass/kernel-build.eclass | 5 +++++
  1 file changed, 5 insertions(+)

diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index 5b324e036c5f9..ca105ee1f1330 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -33,6 +33,7 @@ if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
  	# If we have enabled module signing IUSE
  	# then we can also enable secureboot IUSE
  	KERNEL_IUSE_SECUREBOOT=1
+	inherit secureboot
  fi

  inherit multiprocessing python-any-r1 savedconfig toolchain-funcs 
kernel-install
@@ -348,6 +349,10 @@ kernel-build_src_install() {
  	dosym "../../../${kernel_dir}" "/lib/modules/${module_ver}/build"
  	dosym "../../../${kernel_dir}" "/lib/modules/${module_ver}/source"

+	if [[ ${KERNEL_IUSE_SECUREBOOT} ]]; then
+		secureboot_sign_efi_file "${ED}${kernel_dir}/${image_path}"
+	fi
+
  	# unset to at least be out of the environment file in, e.g. shared 
binpkgs
  	unset KBUILD_SIGN_PIN
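
Review bot: the one-argument call `secureboot_sign_efi_file "${ED}${kernel_dir}/${image_path}"` only works once secureboot.eclass defaults the output file, and that change is patch 3/3 of this series. Applied as 1/3, the function still has `local output_file=${2}`, so the output path is empty at this commit. Move the secureboot.eclass change to the front of the series so each commit works on its own.
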





* Re: [gentoo-dev] [PATCH 2/3] dist-kernel-utils.eclass: only sign image if it is a UKI
  2023-08-26 19:44 ` Andrew Ammerlaan
@ 2023-08-27 19:34   ` Andrew Ammerlaan
  0 siblings, 0 replies; 5+ messages in thread
From: Andrew Ammerlaan @ 2023-08-27 19:34 UTC
  To: gentoo-dev

 From 1a1062e142cf654b43790d2a211e3d447feb055c Mon Sep 17 00:00:00 2001
From: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Date: Sat, 26 Aug 2023 21:32:07 +0200
Subject: [PATCH] dist-kernel-utils.eclass: only sign image if it is a UKI

If we are not using UKIs we don't have to do anything since the kernel image
was already signed in kernel-build.eclass.

Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
---
  eclass/dist-kernel-utils.eclass | 8 ++++----
  1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/eclass/dist-kernel-utils.eclass 
b/eclass/dist-kernel-utils.eclass
index 6903183b6efb3..b2e9df6746e35 100644
--- a/eclass/dist-kernel-utils.eclass
+++ b/eclass/dist-kernel-utils.eclass
@@ -131,11 +131,11 @@ dist-kernel_install_kernel() {
  		done
  		shopt -u nullglob
  		export KERNEL_INSTALL_PLUGINS="${KERNEL_INSTALL_PLUGINS} ${plugins[@]}"
-	fi

-	if [[ ${KERNEL_IUSE_SECUREBOOT} ]]; then
-		# Kernel-install requires uki's are named uki.efi, sign in-place
-		secureboot_sign_efi_file "${image}" "${image}"
+		if [[ ${KERNEL_IUSE_SECUREBOOT} ]]; then
+			# Ensure the uki is signed if dracut hasn't already done so.
+			secureboot_sign_efi_file "${image}"
+		fi
  	fi

  	ebegin "Installing the kernel via installkernel"
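
Review bot: the new comment "Ensure the uki is signed if dracut hasn't already done so" describes a check that the hunk does not perform; the call is unconditional and relies on secureboot_sign_efi_file skipping files that are, per its description, "already signed with our key". A UKI that dracut signed with a different key would not be skipped. Reword the comment to say that the function itself skips images already signed with the configured key, so the next reader does not look for a missing condition here.
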




* Re: [gentoo-dev] [PATCH 3/3 v2] secureboot.eclass: secureboot_sign_efi_file allow call with 1
  2023-08-27 19:33 ` [gentoo-dev] [PATCH 1/3 v2] kernel-build.eclass: sign the kernel image earlier in, src_install Andrew Ammerlaan
@ 2023-08-27 19:35   ` Andrew Ammerlaan
  0 siblings, 0 replies; 5+ messages in thread
From: Andrew Ammerlaan @ 2023-08-27 19:35 UTC
  To: gentoo-dev

 From efd3a440e652d96b7fadc56b171e14116be59768 Mon Sep 17 00:00:00 2001
From: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Date: Sun, 27 Aug 2023 18:24:08 +0200
Subject: [PATCH] secureboot.eclass: secureboot_sign_efi_file allow call with 1
  arg

Use the input file as the output file if it is not specified.

Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>

sb-fix

Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
---
  eclass/secureboot.eclass | 8 +++++---
  1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/eclass/secureboot.eclass b/eclass/secureboot.eclass
index 383fe7cc3afa0..a9ba514cb7a03 100644
--- a/eclass/secureboot.eclass
+++ b/eclass/secureboot.eclass
@@ -98,16 +98,18 @@ secureboot_pkg_setup() {
  }

  # @FUNCTION: secureboot_sign_efi_file
-# @USAGE: <input file> <output file>
+# @USAGE: <input file> [<output file>]
  # @DESCRIPTION:
  # Sign a file using sbsign and the requested key/certificate.
-# If the file is already signed with our key then skip.
+# If the file is already signed with our key then the file is skipped.
+# If no output file is specified the output file will be the same
+# as the input file, i.e. the file will be overwritten.
  secureboot_sign_efi_file() {
  	debug-print-function ${FUNCNAME[0]} "${@}"
  	use secureboot || return

  	local input_file=${1}
-	local output_file=${2}
+	local output_file=${2:-${1}}

  	_secureboot_die_if_unset



