From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 33874158009 for ; Mon, 19 Jun 2023 12:33:16 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 8EE3CE087E; Mon, 19 Jun 2023 12:33:11 +0000 (UTC)
Received: from smtp.gentoo.org (woodpecker.gentoo.org [140.211.166.183]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 3DB67E07BA for ; Mon, 19 Jun 2023 12:33:11 +0000 (UTC)
Message-ID: <767cad8e-3a1a-b116-2e56-dc9e367a0ae7@gentoo.org>
Date: Mon, 19 Jun 2023 14:33:06 +0200
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-dev@lists.gentoo.org
Reply-to: gentoo-dev@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.12.0
To: gentoo-dev@lists.gentoo.org
References: <5c62b67f-077d-1be3-655e-a72e56a60332@gentoo.org>
Content-Language: en-US, nl-NL
From: Andrew Ammerlaan
Organization: Gentoo Linux
Subject: Re: [gentoo-dev] [PATCH 2/2 v2] dist-kernel-utils.eclass: skip initrd installation when using the uki layout
In-Reply-To: <5c62b67f-077d-1be3-655e-a72e56a60332@gentoo.org>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Archives-Salt: c7842537-5522-4e08-af1b-493e52c546ce
X-Archives-Hash: ee028f4cc1e33904a113edd31a83b131

Version 2 makes things a bit simpler by using the 'has' function and ensures things don't break if the install.d directory is empty using 'shopt -s nullglob'.

After merging these patches and the previous patches to kernel-build.eclass, users of sys-kernel/gentoo-kernel will be able to not only have their internal and external modules signed but also to automatically generate, install and sign unified kernel images for use with secure boot.

An example configuration would look like this:

/etc/portage/make.conf:
USE="dist-kernel modules-sign"
# And optionally
MODULES_SIGN_HASH="..."
MODULES_SIGN_KEY="..."

/etc/kernel/install.conf:
layout=uki
initrd_generator=dracut

/etc/dracut.conf:
uefi="yes"
uefi_secureboot_cert="/usr/src/linux/certs/signing_key.pem" # or the path of MODULES_SIGN_CERT
uefi_secureboot_key="/usr/src/linux/certs/signing_key.pem" # or the path of MODULES_SIGN_KEY
kernel_cmdline="..."

And if you are also using dkms (not in ::gentoo) for additional modules:

/etc/dkms/framework.conf:
mok_signing_key="/usr/src/linux/certs/signing_key.pem" # or the path of MODULES_SIGN_KEY
mok_certificate="/usr/src/linux/certs/signing_key.x509" # or the path of MODULES_SIGN_CERT

Of course you will still have to manually deal with getting the firmware to actually accept this key or use sys-boot/shim as a preloader.

When the fix from my upstream PR[1] lands in ::gentoo this will also work when using 'make install' with manually configured kernels (i.e. sys-kernel/gentoo-sources).
Currently the dracut kernel-install plugin breaks in this configuration; we work around this in the eclass, but you still run into this problem when using the kernel Makefile.

Best regards,
Andrew

[1] https://github.com/dracutdevs/dracut/pull/2405

From 08302fddf42f9c34fa0cf5647ff44a55f25f75c2 Mon Sep 17 00:00:00 2001
From: Andrew Ammerlaan
Date: Fri, 16 Jun 2023 22:51:00 +0200
Subject: [PATCH] dist-kernel-utils.eclass: skip initrd installation when using uki

Gets rid of a hack that prevents 50-dracut.install from regenerating the initrd when calling kernel-install. Instead instruct kernel-install to simply not run this plugin.

Signed-off-by: Andrew Ammerlaan
---
 eclass/dist-kernel-utils.eclass | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/eclass/dist-kernel-utils.eclass b/eclass/dist-kernel-utils.eclass
index c6892c2f01278..cfb6f40ac6fae 100644
--- a/eclass/dist-kernel-utils.eclass
+++ b/eclass/dist-kernel-utils.eclass
@@ -106,10 +106,20 @@ dist-kernel_install_kernel() { # install the combined executable in place of kernel image=${initrd}.efi mv "${initrd}" "${image}" || die - # put an empty file in place of initrd. installing a duplicate - # file would waste disk space, and removing it entirely provokes - # kernel-install to regenerate it via dracut. - > "${initrd}" + # We moved the generated initrd, prevent dracut from running again + # https://github.com/dracutdevs/dracut/pull/2405 + shopt -s nullglob + local plugins=() + for file in "${EROOT}"/usr/lib/kernel/install.d/*.install; do + if ! has "${file##*/}" 50-dracut.install 51-dracut-rescue.install; then + plugins+=( "${file}" ) + fi + done + for file in "${EROOT}"/etc/kernel/install.d/*.install; do + plugins+=( "${file}" ) + done + shopt -u nullglob + export KERNEL_INSTALL_PLUGINS="${KERNEL_INSTALL_PLUGINS} ${plugins[@]}" fi ebegin "Installing the kernel via installkernel"
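Review bot: the loop variable `file` is never declared local in dist-kernel_install_kernel(), only `plugins` is, so both `for file in ...` loops in this hunk leave `file` set in the ebuild environment after the function returns; `local file plugins=()` keeps it scoped. Smaller points on the same lines: the 50-dracut.install/51-dracut-rescue.install filter is applied only to the /usr/lib/kernel/install.d loop, so a copy of either plugin under /etc/kernel/install.d is still handed to kernel-install, and because the two directories are concatenated rather than merged, a plugin present under both paths is listed twice (kernel-install's own scan lets the /etc entry replace the same-named /usr/lib one). Also, `shopt -u nullglob` clears the option unconditionally instead of restoring the caller's state, and `"${KERNEL_INSTALL_PLUGINS} ${plugins[*]}"` would make the intended space-joined expansion explicit.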
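As an added example (not code from dist-kernel-utils.eclass, the patch, or dracut), the bash function below builds a kernel-install plugin list the way the message describes: nullglob so that an empty install.d expands to nothing, and the two dracut plugins dropped with a `has`-style membership test. The `has` here is a local stand-in for Portage's helper of the same name, not the real one. It goes one step beyond the patch by applying the same-name rule kernel-install uses when it scans the directories itself (an /etc/kernel/install.d entry replaces a /usr/lib/kernel/install.d entry of the same name) and by emitting the list in file-name order. The directory tree it runs against is constructed in a temporary directory.

```bash
#!/usr/bin/env bash
# Added example: build a kernel-install plugin list that omits the dracut
# plugins.  Not code from dist-kernel-utils.eclass; 'has' below is a
# stand-in for Portage's helper of the same name.

# has NEEDLE WORD... : succeed if NEEDLE equals one of the WORDs.
has() {
	local needle=$1 word
	shift
	for word in "$@"; do
		[ "${word}" = "${needle}" ] && return 0
	done
	return 1
}

# build_plugin_list ROOT : print, one per line and sorted by file name, the
# *.install plugins under ROOT that kernel-install should run.  The two dracut
# plugins are dropped, and an entry in etc/kernel/install.d replaces a
# same-named entry in usr/lib/kernel/install.d (kernel-install's own rule).
build_plugin_list() {
	local root=$1 file name seen="" plugins=() had_nullglob=0
	# nullglob: an empty or missing install.d must expand to nothing, not to
	# the literal pattern.  Remember the caller's setting so it can be restored.
	shopt -q nullglob && had_nullglob=1
	shopt -s nullglob
	for file in "${root}"/etc/kernel/install.d/*.install; do
		name=${file##*/}
		seen="${seen} ${name}"          # space-separated list of /etc names
		plugins+=( "${file}" )
	done
	for file in "${root}"/usr/lib/kernel/install.d/*.install; do
		name=${file##*/}
		has "${name}" 50-dracut.install 51-dracut-rescue.install && continue
		has "${name}" ${seen} && continue   # unquoted on purpose: overridden by /etc
		plugins+=( "${file}" )
	done
	[ "${had_nullglob}" -eq 1 ] || shopt -u nullglob
	[ "${#plugins[@]}" -gt 0 ] || return 0
	# kernel-install runs plugins in file-name order regardless of directory.
	for file in "${plugins[@]}"; do
		printf '%s\t%s\n' "${file##*/}" "${file}"
	done | sort -k1,1 | cut -f2-
}

# Constructed sample tree standing in for the real root filesystem.
demo_root=$(mktemp -d)
mkdir -p "${demo_root}/usr/lib/kernel/install.d" "${demo_root}/etc/kernel/install.d"
for f in 50-depmod.install 50-dracut.install 51-dracut-rescue.install 90-loaderentry.install; do
	: > "${demo_root}/usr/lib/kernel/install.d/${f}"
done
: > "${demo_root}/etc/kernel/install.d/90-loaderentry.install"   # local override
: > "${demo_root}/etc/kernel/install.d/95-site.install"          # site-only plugin

build_plugin_list "${demo_root}"
# Prints 50-depmod (usr/lib), 90-loaderentry (etc) and 95-site (etc);
# neither dracut plugin nor the shadowed usr/lib 90-loaderentry appears.

# An empty install.d produces no output at all thanks to nullglob.
empty_root=$(mktemp -d)
mkdir -p "${empty_root}/usr/lib/kernel/install.d"
build_plugin_list "${empty_root}"

rm -rf "${demo_root}" "${empty_root}"
```

The list printed by `build_plugin_list` is what would be placed in KERNEL_INSTALL_PLUGINS (space-joined) before calling kernel-install. Saving and restoring the nullglob state, rather than unsetting it at the end, keeps the function from changing behaviour for a caller that already relies on nullglob.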