From: Andrew Ammerlaan
To: gentoo-dev@lists.gentoo.org
Subject: [gentoo-dev] [PATCH 4/5]: dist-kernel-utils.eclass: optionally sign the kernels
Date: Fri, 14 Jul 2023 10:44:59 +0200
Message-ID: <7e76519f-b10d-8b0e-81e9-fd34f6c1aa25@gentoo.org>

From e6d996555a460e9082c6b108fa038b84bf88bcd4 Mon Sep 17 00:00:00 2001
From: Andrew Ammerlaan
Date: Tue, 11 Jul 2023 13:20:12 +0200
Subject: [PATCH 04/13] dist-kernel-utils.eclass: optionally sign the kernels

We put this behind a KERNEL_IUSE_SECUREBOOT var so we can enable this only if KERNEL_IUSE_MODULES_SIGN is also enabled in kernel-build.eclass. Signed kernel modules are required for the kernel to actually boot with Secure Boot enabled.

Signed-off-by: Andrew Ammerlaan
---
 eclass/dist-kernel-utils.eclass | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/eclass/dist-kernel-utils.eclass b/eclass/dist-kernel-utils.eclass index 1ef3104245c6..cb0021f8b3a7 100644 --- a/eclass/dist-kernel-utils.eclass +++ b/eclass/dist-kernel-utils.eclass @@ -12,6 +12,13 @@ # This eclass provides various utility functions related to Distribution # Kernels. +# @ECLASS_VARIABLE: KERNEL_IUSE_SECUREBOOT +# @PRE_INHERIT +# @DEFAULT_UNSET +# @DESCRIPTION: +# If set to a non-null value, inherits secureboot.eclass +# and allows signing of generated kernel images. + if [[ ! ${_DIST_KERNEL_UTILS} ]]; then case ${EAPI} in @@ -19,6 +26,10 @@ case ${EAPI} in *) die "${ECLASS}: EAPI ${EAPI:-0} not supported" ;; esac +if [[ ${KERNEL_IUSE_SECUREBOOT} ]]; then + inherit secureboot +fi + # @FUNCTION: dist-kernel_build_initramfs # @USAGE: # @DESCRIPTION: @@ -104,7 +115,7 @@ dist-kernel_install_kernel() { if [[ ${magic} == MZ ]]; then einfo "Combined UEFI kernel+initramfs executable found" # install the combined executable in place of kernel - image=${initrd}.efi + image=${initrd%/*}/uki.efi mv "${initrd}" "${image}" || die # We moved the generated initrd, prevent dracut from running again # https://github.com/dracutdevs/dracut/pull/2405 
@@ -122,6 +133,11 @@ dist-kernel_install_kernel() { export KERNEL_INSTALL_PLUGINS="${KERNEL_INSTALL_PLUGINS} ${plugins[@]}" fi + if [[ ${KERNEL_IUSE_SECUREBOOT} ]]; then + # Kernel-install requires uki's are named uki.efi, sign in-place + secureboot_sign_efi_file "${image}" "${image}" + fi + ebegin "Installing the kernel via installkernel" # note: .config is taken relatively to System.map; # initrd relatively to bzImage -- 2.41.0
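Review bot: in the `@@ -19,6 +26,10 @@` hunk the conditional `inherit secureboot` is gated on KERNEL_IUSE_SECUREBOOT alone, while the commit message says the intent is to enable this only together with KERNEL_IUSE_MODULES_SIGN in kernel-build.eclass; nothing in this eclass enforces that relationship, so a consumer can set KERNEL_IUSE_SECUREBOOT without module signing and get a signed kernel image that, per the commit message, will still not boot under Secure Boot. Please either state the dependency in the @DESCRIPTION block added in the first hunk ("requires KERNEL_IUSE_MODULES_SIGN when used from kernel-build.eclass") or have the consuming eclass die when one is set without the other.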
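Review bot: the rename in the `@@ -104,7 +115,7 @@` hunk from `image=${initrd}.efi` to `image=${initrd%/*}/uki.efi` changes the installed filename for every combined kernel+initramfs image, not only when KERNEL_IUSE_SECUREBOOT is set, and the commit message does not mention it; the only justification ("Kernel-install requires uki's are named uki.efi") is a comment in the later signing hunk. Move that comment next to the rename and call the behaviour change out in the commit message, or split it into its own patch. Note also that `${initrd%/*}` returns the string unchanged when it contains no `/`, so this assumes `initrd` always carries a directory component.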
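Review bot: in the `@@ -122,6 +133,11 @@` hunk, `secureboot_sign_efi_file "${image}" "${image}"` signs in place with the same path as input and output, so unless secureboot_sign_efi_file already writes through a temporary file, a signing failure can leave a truncated or unsigned image at the final install path; signing to `${image}.tmp` and moving it over on success avoids that. The call also runs for the plain (non-MZ) kernel path, so `image` must be a valid PE/EFI binary there too, and it is gated only on KERNEL_IUSE_SECUREBOOT, so please confirm that secureboot_sign_efi_file is a no-op when the user has not enabled signing. Style nit in the comment: "uki's" should be "UKIs".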