public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] [PATCH 1/1] kernel-build.eclass: Fix separate private and public module
@ 2023-08-17  8:40 Andrew Ammerlaan
  2023-08-17 13:48 ` Michał Górny
  0 siblings, 1 reply; 2+ messages in thread
From: Andrew Ammerlaan @ 2023-08-17  8:40 UTC
  To: gentoo-dev; +Cc: vimproved

Hi all,

This is a small patch from [1] that allows signing kernel modules using 
a separate key and certificate PEM file. See the commit message below 
for a more in-depth explanation.

Best regards,
Andrew

[1] https://github.com/gentoo/gentoo/pull/32275


From 61b7db57f343ab172bcc449320c4e96cafb9cd06 Mon Sep 17 00:00:00 2001
From: Violet Purcell <vimproved@inventati.org>
Date: Sat, 12 Aug 2023 16:59:14 -0400
Subject: [PATCH] kernel-build.eclass: Fix separate private and public module
  signing keys

The kernel expects CONFIG_MODULE_SIG_KEY to be either a pkcs11 URI
containing references to both a private and public key, or a path to a PEM
file containing both the private and public keys. However, currently the
kernel build will fail if MODULES_SIGNING_KEY is set to a PEM file
containing only the private key. This commit adds a step in
kernel-build_merge_configs that concatenates MODULES_SIGNING_KEY and
MODULES_SIGNING_CERT into ${T}/kernel_key.pem if both files exist and
are not the same path. It then sets MODULES_SIGNING_KEY to
${T}/kernel_key.pem. This should fix building with separate private and
public module signing keys.

Signed-off-by: Violet Purcell <vimproved@inventati.org>
---
  eclass/kernel-build.eclass | 17 ++++++++++++++++-
  1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index 276a08a104e0e..1a33ce2e875f2 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -57,7 +57,8 @@ IUSE="+strip"
  # @DESCRIPTION:
  # If set to a non-null value, adds IUSE=modules-sign and required
  # logic to manipulate the kernel config while respecting the
-# MODULES_SIGN_HASH and MODULES_SIGN_KEY user variables.
+# MODULES_SIGN_HASH, MODULES_SIGN_CERT, and MODULES_SIGN_KEY  user
+# variables.

  # @ECLASS_VARIABLE: MODULES_SIGN_HASH
  # @USER_VARIABLE
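Review bot: the variable names in this hunk (MODULES_SIGN_HASH, MODULES_SIGN_CERT, MODULES_SIGN_KEY) do not match the commit message, which calls them MODULES_SIGNING_KEY and MODULES_SIGNING_CERT; please use the real eclass names in the commit message so that users searching for the variable find it. Minor: `MODULES_SIGN_KEY  user` has a doubled space.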
@@ -89,6 +90,14 @@ IUSE="+strip"
  #
  # Default if unset: certs/signing_key.pem

+# @ECLASS_VARIABLE: MODULES_SIGN_CERT
+# @USER_VARIABLE
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# Used with USE=modules-sign.  Can be set to the path of the public
+# key in PEM format to use. Must be specified if MODULES_SIGN_KEY
+# is set to a path of a file that only contains the private key.
+
  if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
  	IUSE+=" modules-sign"
  	REQUIRED_USE="secureboot? ( modules-sign )"
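Review bot: the description says "path of the public key in PEM format", but what gets concatenated next to the private key is the X.509 certificate (the variable is named MODULES_SIGN_CERT and the cover letter calls it a "certificate PEM file"); wording it as "the X.509 certificate in PEM format" keeps users from pointing it at a bare public key. It should also state that the variable is ignored when MODULES_SIGN_KEY is a pkcs11: URI, which is what the `!= pkcs11:*` condition in the code hunk implements.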
@@ -394,6 +403,12 @@ kernel-build_merge_configs() {
  				CONFIG_MODULE_SIG_FORCE=y
  				CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y
  			EOF
+			if [[ -e ${MODULES_SIGN_KEY} ]] && [[ -e ${MODULES_SIGN_CERT} ]] \
+				&& [[ ${MODULES_SIGN_KEY} != ${MODULES_SIGN_CERT} ]] \
+				&& [[ ${MODULES_SIGN_KEY} != pkcs11:* ]]; then
+				cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" > 
"${T}/kernel_key.pem" || die
+				MODULES_SIGN_KEY="${T}/kernel_key.pem"
+			fi
  			if [[ ${MODULES_SIGN_KEY} == pkcs11:* || -e ${MODULES_SIGN_KEY} ]]; 
then
  				echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \
  					>> "${WORKDIR}/modules-sign.config"
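Review bot: `cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" > "${T}/kernel_key.pem"` writes a fresh copy of the private key with whatever umask the build happens to run under; wrap it as `( umask 077; cat ... > "${T}/kernel_key.pem" )` or `chmod 0600` the result so the copy is no more readable than the original. Also, when MODULES_SIGN_KEY is a key-only file and MODULES_SIGN_CERT is unset, the new branch is skipped silently and the kernel build fails later with a less obvious error; a `die "MODULES_SIGN_CERT must be set when MODULES_SIGN_KEY contains only the private key"` at that point would be clearer. Finally, `-e` also accepts directories; `-f` is the intended test here.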

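As an added example (not part of the patch or the eclass), the same key-plus-certificate assembly the commit message describes, written as a standalone shell function that creates the combined PEM with restrictive permissions and verifies that the result really contains both a private key and a certificate; the function names and the output path are hypothetical.

```shell
# Added example, not the eclass's own code: build the single PEM file the
# kernel expects in CONFIG_MODULE_SIG_KEY from a separate private key and
# certificate, the way the patch does, but creating the copy with 0600
# permissions and checking it really contains both halves. Function names
# and the output path are hypothetical.

# Succeeds only if the file carries both a private key and a certificate.
pem_has_both() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" &&
        grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Usage: build_module_sig_key KEY CERT OUT; prints the value to use for
# CONFIG_MODULE_SIG_KEY on stdout, returns non-zero on any problem.
build_module_sig_key() {
    local key=$1 cert=$2 out=$3
    # A pkcs11: URI already references both halves; pass it through.
    case $key in
        pkcs11:*) printf '%s\n' "$key"; return 0 ;;
    esac
    [ -f "$key" ] || { echo "private key not found: $key" >&2; return 1; }
    # No separate certificate, or the same file given twice: the key file
    # itself must already be a complete PEM (private key + certificate).
    if [ -z "$cert" ] || [ "$key" = "$cert" ]; then
        pem_has_both "$key" || {
            echo "$key lacks a certificate; set the CERT path" >&2; return 1; }
        printf '%s\n' "$key"; return 0
    fi
    [ -f "$cert" ] || { echo "certificate not found: $cert" >&2; return 1; }
    # umask 077 in a subshell so the private-key copy is created mode 0600
    # without changing the caller's umask; remove any stale copy first so
    # an existing file with wider permissions is not reused.
    ( umask 077; rm -f -- "$out"; cat "$cert" "$key" > "$out" ) ||
        { echo "failed to write $out" >&2; return 1; }
    pem_has_both "$out" || { echo "$out is not a complete PEM" >&2; return 1; }
    printf '%s\n' "$out"
}
```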


* Re: [gentoo-dev] [PATCH 1/1] kernel-build.eclass: Fix separate private and public module
  2023-08-17  8:40 [gentoo-dev] [PATCH 1/1] kernel-build.eclass: Fix separate private and public module Andrew Ammerlaan
@ 2023-08-17 13:48 ` Michał Górny
  0 siblings, 0 replies; 2+ messages in thread
From: Michał Górny @ 2023-08-17 13:48 UTC
  To: gentoo-dev; +Cc: vimproved

On Thu, 2023-08-17 at 10:40 +0200, Andrew Ammerlaan wrote:
> Hi all,
> 
> This is a small patch from [1] that allows signing kernel modules using 
> a separate key and certificate PEM file. See the commit message below 
> for a more in-depth explanation.
> 
> Best regards,
> Andrew
> 
> [1] https://github.com/gentoo/gentoo/pull/32275
> 
> 
> From 61b7db57f343ab172bcc449320c4e96cafb9cd06 Mon Sep 17 00:00:00 2001
> From: Violet Purcell <vimproved@inventati.org>
> Date: Sat, 12 Aug 2023 16:59:14 -0400
> Subject: [PATCH] kernel-build.eclass: Fix separate private and public module
>   signing keys
> 
> The kernel expects CONFIG_MODULE_SIG_KEY to be either a pkcs11 URI
> containing references to both a private and public key, or a path to a PEM
> file containing both the private and public keys. However, currently the
> kernel build will fail if MODULES_SIGNING_KEY is set to a PEM file
> containing only the private key. This commit adds a step in
> kernel-build_merge_configs that concatenates MODULES_SIGNING_KEY and
> MODULES_SIGNING_CERT into ${T}/kernel_key.pem if both files exist and
> are not the same path. It then sets MODULES_SIGNING_KEY to
> ${T}/kernel_key.pem. This should fix building with separate private and
> public module signing keys.
> 
> Signed-off-by: Violet Purcell <vimproved@inventati.org>
> ---
>   eclass/kernel-build.eclass | 17 ++++++++++++++++-
>   1 file changed, 16 insertions(+), 1 deletion(-)
> 
> diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
> index 276a08a104e0e..1a33ce2e875f2 100644
> --- a/eclass/kernel-build.eclass
> +++ b/eclass/kernel-build.eclass
> @@ -57,7 +57,8 @@ IUSE="+strip"
>   # @DESCRIPTION:
>   # If set to a non-null value, adds IUSE=modules-sign and required
>   # logic to manipulate the kernel config while respecting the
> -# MODULES_SIGN_HASH and MODULES_SIGN_KEY user variables.
> +# MODULES_SIGN_HASH, MODULES_SIGN_CERT, and MODULES_SIGN_KEY  user
> +# variables.
> 
>   # @ECLASS_VARIABLE: MODULES_SIGN_HASH
>   # @USER_VARIABLE
> @@ -89,6 +90,14 @@ IUSE="+strip"
>   #
>   # Default if unset: certs/signing_key.pem
> 
> +# @ECLASS_VARIABLE: MODULES_SIGN_CERT
> +# @USER_VARIABLE
> +# @DEFAULT_UNSET
> +# @DESCRIPTION:
> +# Used with USE=modules-sign.  Can be set to the path of the public
> +# key in PEM format to use. Must be specified if MODULES_SIGN_KEY
> +# is set to a path of a file that only contains the private key.
> +
>   if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
>   	IUSE+=" modules-sign"
>   	REQUIRED_USE="secureboot? ( modules-sign )"
> @@ -394,6 +403,12 @@ kernel-build_merge_configs() {
>   				CONFIG_MODULE_SIG_FORCE=y
>   				CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y
>   			EOF
> +			if [[ -e ${MODULES_SIGN_KEY} ]] && [[ -e ${MODULES_SIGN_CERT} ]] \
> +				&& [[ ${MODULES_SIGN_KEY} != ${MODULES_SIGN_CERT} ]] \
> +				&& [[ ${MODULES_SIGN_KEY} != pkcs11:* ]]; then

Please don't split [[ ... ]], and then use && for line wrapping instead
of backslashes.

> +				cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" > 
> "${T}/kernel_key.pem" || die
> +				MODULES_SIGN_KEY="${T}/kernel_key.pem"
> +			fi
>   			if [[ ${MODULES_SIGN_KEY} == pkcs11:* || -e ${MODULES_SIGN_KEY} ]]; 
> then
>   				echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \
>   					>> "${WORKDIR}/modules-sign.config"
> 

-- 
Best regards,
Michał Górny


