Re: [gentoo-dev] [PATCH 2/2 v2] dist-kernel-utils.eclass: skip initrd installation when using the uki layout

[Andrew Ammerlaan <andrewammerlaan@gentoo.org>]

Version 2 makes things a bit simpler by using the 'has' function and 
ensures things don't break if the install.d directory is empty using 
'shopt -s nullglob'.

After merging these patches and the previous patches to 
kernel-build.eclass, users of sys-kernel/gentoo-kernel will be able to 
not only have their internal and external modules signed but also to 
automatically generate, install and sign unified kernel images for use 
with secure boot. An example configuration would look like this:

/etc/portage/make.conf:
USE="dist-kernel modules-sign"
# And optionally
MODULES_SIGN_HASH="..."
MODULES_SIGN_KEY="..."

/etc/kernel/install.conf:
layout=uki
initrd_generator=dracut

/etc/dracut.conf:
uefi="yes"
uefi_secureboot_cert="/usr/src/linux/certs/signing_key.pem" # or the 
path of MODULES_SIGN_CERT
uefi_secureboot_key="/usr/src/linux/certs/signing_key.pem" # or the path 
of MODULES_SIGN_KEY
kernel_cmdline="..."

And if you are also using dkms (not in ::gentoo) for additional modules:
/etc/dkms/framework.conf:
mok_signing_key="/usr/src/linux/certs/signing_key.pem" # or the path of 
MODULES_SIGN_KEY
mok_certificate="/usr/src/linux/certs/signing_key.x509" # or the path of 
MODULES_SIGN_CERT

Of course you will still have to manually deal with getting the firmware 
to actually accept this key or use sys-boot/shim as a preloader.

When the fix from my upstream PR[1] lands in ::gentoo this will also 
work when using 'make install' with manually configured kernels (i.e. 
sys-kernel/gentoo-sources). Currently the dracut kernel-install plugin 
breaks in this configuration, we work around this in the eclass but you 
still run into this problem when using the kernel Makefile.

Best regards,
Andrew

[1] https://github.com/dracutdevs/dracut/pull/2405


 From 08302fddf42f9c34fa0cf5647ff44a55f25f75c2 Mon Sep 17 00:00:00 2001
From: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Date: Fri, 16 Jun 2023 22:51:00 +0200
Subject: [PATCH] dist-kernel-utils.eclass: skip initrd installation when 
using
  uki

Gets rid of a hack that prevents 50-dracut.install from regenerating the 
initrd
when calling kernel-install. Instead instruct kernel-install to simply 
not run
this plugin.

Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
---
  eclass/dist-kernel-utils.eclass | 18 ++++++++++++++----
  1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/eclass/dist-kernel-utils.eclass 
b/eclass/dist-kernel-utils.eclass
index c6892c2f01278..cfb6f40ac6fae 100644
--- a/eclass/dist-kernel-utils.eclass
+++ b/eclass/dist-kernel-utils.eclass
@@ -106,10 +106,20 @@ dist-kernel_install_kernel() {
  		# install the combined executable in place of kernel
  		image=${initrd}.efi
  		mv "${initrd}" "${image}" || die
-		# put an empty file in place of initrd.  installing a duplicate
-		# file would waste disk space, and removing it entirely provokes
-		# kernel-install to regenerate it via dracut.
-		> "${initrd}"
+		# We moved the generated initrd, prevent dracut from running again
+		# https://github.com/dracutdevs/dracut/pull/2405
+		shopt -s nullglob
+		local plugins=()
+		for file in "${EROOT}"/usr/lib/kernel/install.d/*.install; do
+			if ! has "${file##*/}" 50-dracut.install 51-dracut-rescue.install; then
+					plugins+=( "${file}" )
+			fi
+		done
+		for file in "${EROOT}"/etc/kernel/install.d/*.install; do
+			plugins+=( "${file}" )
+		done
+		shopt -u nullglob
+		export KERNEL_INSTALL_PLUGINS="${KERNEL_INSTALL_PLUGINS} ${plugins[@]}"
  	fi

  	ebegin "Installing the kernel via installkernel"