[gentoo-dev] [PATCH 1/2] dist-kernel-utils.eclass: fix extension of generated efi file

[gentoo-dev] [PATCH 1/2] dist-kernel-utils.eclass: fix extension of generated efi file

[Andrew Ammerlaan]

This fixes a bug. The 90-uki-copy.install kernel-install plugin insists 
uki's have the .efi extension. You only hit this if you set layout=uki 
in /etc/kernel/install.conf.

layout=uki is probably what you want if you set uefi=yes in dracut.conf 
because in this layout the uki's end up on the ESP. This is required to 
load the uki directly from efi firmware.


 From 1c406ada60d3493203c1fbd6333caf74e53ee8ac Mon Sep 17 00:00:00 2001
From: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Date: Fri, 16 Jun 2023 16:33:56 +0200
Subject: [PATCH] dist-kernel-utils.eclass: fix extension of generated 
efi file

If kernel-install is configured to use the uki layout the extension of 
the efi
file that we install has to be .efi otherwise kernel-install returns an 
error.

Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
---
  eclass/dist-kernel-utils.eclass | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/eclass/dist-kernel-utils.eclass 
b/eclass/dist-kernel-utils.eclass
index 439bdc87695df..c6892c2f01278 100644
--- a/eclass/dist-kernel-utils.eclass
+++ b/eclass/dist-kernel-utils.eclass
@@ -1,4 +1,4 @@
-# Copyright 2020-2022 Gentoo Authors
+# Copyright 2020-2023 Gentoo Authors
  # Distributed under the terms of the GNU General Public License v2

  # @ECLASS: dist-kernel-utils.eclass
@@ -104,7 +104,7 @@ dist-kernel_install_kernel() {
  	if [[ ${magic} == MZ ]]; then
  		einfo "Combined UEFI kernel+initramfs executable found"
  		# install the combined executable in place of kernel
-		image=${initrd}.uefi
+		image=${initrd}.efi
  		mv "${initrd}" "${image}" || die
  		# put an empty file in place of initrd.  installing a duplicate
  		# file would waste disk space, and removing it entirely provokes

Re: [gentoo-dev] [PATCH 2/2] dist-kernel-utils.eclass: skip initrd installation when using the uki layout

[Andrew Ammerlaan]

This replaces a workaround with a better one. Instead of tricking 
50-dracut.install with an empty inird file we instruct kernel-install to 
simply skip this plugin.

This way we don't end up with a bunch of confusing empty initrd files in 
/boot. End result is the same.

I've got an upstream PR open to fix the underlying issue (i.e make 
50-dracut.install work properly with uefi=yes and layout=uki): 
https://github.com/dracutdevs/dracut/pull/2405


 From c2d6ecb074d25c70677fa9c371801a0002c9a216 Mon Sep 17 00:00:00 2001
From: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Date: Fri, 16 Jun 2023 22:51:00 +0200
Subject: [PATCH] dist-kernel-utils.eclass: skip initrd installation when 
using
  uki

Gets rid of a hack that prevents 50-dracut.install from regenerating the 
initrd
when calling kernel-install. Instead instruct kernel-install to simply 
not run
this plugin.

Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
---
  eclass/dist-kernel-utils.eclass | 19 +++++++++++++++----
  1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/eclass/dist-kernel-utils.eclass 
b/eclass/dist-kernel-utils.eclass
index c6892c2f01278..e371e035c8565 100644
--- a/eclass/dist-kernel-utils.eclass
+++ b/eclass/dist-kernel-utils.eclass
@@ -106,10 +106,21 @@ dist-kernel_install_kernel() {
  		# install the combined executable in place of kernel
  		image=${initrd}.efi
  		mv "${initrd}" "${image}" || die
-		# put an empty file in place of initrd.  installing a duplicate
-		# file would waste disk space, and removing it entirely provokes
-		# kernel-install to regenerate it via dracut.
-		> "${initrd}"
+		# We moved the generated initrd, prevent dracut from running again
+		local plugins=()
+		for file in "${EROOT}"/usr/lib/kernel/install.d/*; do
+			if [[ ${file} != */50-dracut.install && \
+				${file} != */51-dracut-rescue.install && \
+				${file} == *.install ]]; then
+					plugins+=( "${file}" )
+			fi
+		done
+		for file in "${EROOT}"/etc/kernel/install.d/*; do
+			if [[ ${file} == *.install ]]; then
+					plugins+=( "${file}" )
+			fi
+		done
+		export KERNEL_INSTALL_PLUGINS="${KERNEL_INSTALL_PLUGINS} ${plugins[@]}"
  	fi

  	ebegin "Installing the kernel via installkernel"

Re: [gentoo-dev] [PATCH 2/2 v2] dist-kernel-utils.eclass: skip initrd installation when using the uki layout

[Andrew Ammerlaan]

Version 2 makes things a bit simpler by using the 'has' function and 
ensures things don't break if the install.d directory is empty using 
'shopt -s nullglob'.

After merging these patches and the previous patches to 
kernel-build.eclass, users of sys-kernel/gentoo-kernel will be able to 
not only have their internal and external modules signed but also to 
automatically generate, install and sign unified kernel images for use 
with secure boot. An example configuration would look like this:

/etc/portage/make.conf:
USE="dist-kernel modules-sign"
# And optionally
MODULES_SIGN_HASH="..."
MODULES_SIGN_KEY="..."

/etc/kernel/install.conf:
layout=uki
initrd_generator=dracut

/etc/dracut.conf:
uefi="yes"
uefi_secureboot_cert="/usr/src/linux/certs/signing_key.pem" # or the 
path of MODULES_SIGN_CERT
uefi_secureboot_key="/usr/src/linux/certs/signing_key.pem" # or the path 
of MODULES_SIGN_KEY
kernel_cmdline="..."

And if you are also using dkms (not in ::gentoo) for additional modules:
/etc/dkms/framework.conf:
mok_signing_key="/usr/src/linux/certs/signing_key.pem" # or the path of 
MODULES_SIGN_KEY
mok_certificate="/usr/src/linux/certs/signing_key.x509" # or the path of 
MODULES_SIGN_CERT

Of course you will still have to manually deal with getting the firmware 
to actually accept this key or use sys-boot/shim as a preloader.

When the fix from my upstream PR[1] lands in ::gentoo this will also 
work when using 'make install' with manually configured kernels (i.e. 
sys-kernel/gentoo-sources). Currently the dracut kernel-install plugin 
breaks in this configuration, we work around this in the eclass but you 
still run into this problem when using the kernel Makefile.

Best regards,
Andrew

[1] https://github.com/dracutdevs/dracut/pull/2405


 From 08302fddf42f9c34fa0cf5647ff44a55f25f75c2 Mon Sep 17 00:00:00 2001
From: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Date: Fri, 16 Jun 2023 22:51:00 +0200
Subject: [PATCH] dist-kernel-utils.eclass: skip initrd installation when 
using
  uki

Gets rid of a hack that prevents 50-dracut.install from regenerating the 
initrd
when calling kernel-install. Instead instruct kernel-install to simply 
not run
this plugin.

Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
---
  eclass/dist-kernel-utils.eclass | 18 ++++++++++++++----
  1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/eclass/dist-kernel-utils.eclass 
b/eclass/dist-kernel-utils.eclass
index c6892c2f01278..cfb6f40ac6fae 100644
--- a/eclass/dist-kernel-utils.eclass
+++ b/eclass/dist-kernel-utils.eclass
@@ -106,10 +106,20 @@ dist-kernel_install_kernel() {
  		# install the combined executable in place of kernel
  		image=${initrd}.efi
  		mv "${initrd}" "${image}" || die
-		# put an empty file in place of initrd.  installing a duplicate
-		# file would waste disk space, and removing it entirely provokes
-		# kernel-install to regenerate it via dracut.
-		> "${initrd}"
+		# We moved the generated initrd, prevent dracut from running again
+		# https://github.com/dracutdevs/dracut/pull/2405
+		shopt -s nullglob
+		local plugins=()
+		for file in "${EROOT}"/usr/lib/kernel/install.d/*.install; do
+			if ! has "${file##*/}" 50-dracut.install 51-dracut-rescue.install; then
+					plugins+=( "${file}" )
+			fi
+		done
+		for file in "${EROOT}"/etc/kernel/install.d/*.install; do
+			plugins+=( "${file}" )
+		done
+		shopt -u nullglob
+		export KERNEL_INSTALL_PLUGINS="${KERNEL_INSTALL_PLUGINS} ${plugins[@]}"
  	fi

  	ebegin "Installing the kernel via installkernel"