* [gentoo-dev] [PATCH 1/1] kernel-build.eclass: Fix separate private and public module
@ 2023-08-17 8:40 Andrew Ammerlaan
2023-08-17 13:48 ` Michał Górny
0 siblings, 1 reply; 2+ messages in thread
From: Andrew Ammerlaan @ 2023-08-17 8:40 UTC (permalink / raw
To: gentoo-dev; +Cc: vimproved
Hi all,
This is a small patch from [1] that allows signing kernel modules using
a separate key and certificate PEM file. See the commit message below
for a more in-depth explanation.
Best regards,
Andrew
[1] https://github.com/gentoo/gentoo/pull/32275
From 61b7db57f343ab172bcc449320c4e96cafb9cd06 Mon Sep 17 00:00:00 2001
From: Violet Purcell <vimproved@inventati.org>
Date: Sat, 12 Aug 2023 16:59:14 -0400
Subject: [PATCH] kernel-build.eclass: Fix separate private and public module
signing keys
The kernel expects CONFIG_MODULE_SIG_KEY to be either a pkcs11 URI
containing refences to both a private and public key, or a path to a PEM
file containing both the private and public keys. However, currently the
kernel build will fail if MODULES_SIGNING_KEY is set to a PEM file
containing only the private key. This commit adds a step in
kernel-build_merge_configs that concatenates MODULES_SIGNING_KEY and
MODULES_SIGNING_CERT into ${T}/kernel_key.pem if both files exist and
are not the same path. It then sets MODULES_SIGNING_KEY to
${T}/kernel_key.pem. This should fix building with separate private and
public module signing keys.
Signed-off-by: Violet Purcell <vimproved@inventati.org>
---
eclass/kernel-build.eclass | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index 276a08a104e0e..1a33ce2e875f2 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -57,7 +57,8 @@ IUSE="+strip"
# @DESCRIPTION:
# If set to a non-null value, adds IUSE=modules-sign and required
# logic to manipulate the kernel config while respecting the
-# MODULES_SIGN_HASH and MODULES_SIGN_KEY user variables.
+# MODULES_SIGN_HASH, MODULES_SIGN_CERT, and MODULES_SIGN_KEY user
+# variables.
# @ECLASS_VARIABLE: MODULES_SIGN_HASH
# @USER_VARIABLE
@@ -89,6 +90,14 @@ IUSE="+strip"
#
# Default if unset: certs/signing_key.pem
+# @ECLASS_VARIABLE: MODULES_SIGN_CERT
+# @USER_VARIABLE
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# Used with USE=modules-sign. Can be set to the path of the public
+# key in PEM format to use. Must be specified if MODULES_SIGN_KEY
+# is set to a path of a file that only contains the private key.
+
if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
IUSE+=" modules-sign"
REQUIRED_USE="secureboot? ( modules-sign )"
@@ -394,6 +403,12 @@ kernel-build_merge_configs() {
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y
EOF
+ if [[ -e ${MODULES_SIGN_KEY} ]] && [[ -e ${MODULES_SIGN_CERT} ]] \
+ && [[ ${MODULES_SIGN_KEY} != ${MODULES_SIGN_CERT} ]] \
+ && [[ ${MODULES_SIGN_KEY} != pkcs11:* ]]; then
+ cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" >
"${T}/kernel_key.pem" || die
+ MODULES_SIGN_KEY="${T}/kernel_key.pem"
+ fi
if [[ ${MODULES_SIGN_KEY} == pkcs11:* || -e ${MODULES_SIGN_KEY} ]];
then
echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \
>> "${WORKDIR}/modules-sign.config"
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [gentoo-dev] [PATCH 1/1] kernel-build.eclass: Fix separate private and public module
2023-08-17 8:40 [gentoo-dev] [PATCH 1/1] kernel-build.eclass: Fix separate private and public module Andrew Ammerlaan
@ 2023-08-17 13:48 ` Michał Górny
0 siblings, 0 replies; 2+ messages in thread
From: Michał Górny @ 2023-08-17 13:48 UTC (permalink / raw
To: gentoo-dev; +Cc: vimproved
On Thu, 2023-08-17 at 10:40 +0200, Andrew Ammerlaan wrote:
> Hi all,
>
> This is a small patch from [1] that allows signing kernel modules using
> a separate key and certificate PEM file. See the commit message below
> for a more in-depth explanation.
>
> Best regards,
> Andrew
>
> [1] https://github.com/gentoo/gentoo/pull/32275
>
>
> From 61b7db57f343ab172bcc449320c4e96cafb9cd06 Mon Sep 17 00:00:00 2001
> From: Violet Purcell <vimproved@inventati.org>
> Date: Sat, 12 Aug 2023 16:59:14 -0400
> Subject: [PATCH] kernel-build.eclass: Fix separate private and public module
> signing keys
>
> The kernel expects CONFIG_MODULE_SIG_KEY to be either a pkcs11 URI
> containing refences to both a private and public key, or a path to a PEM
> file containing both the private and public keys. However, currently the
> kernel build will fail if MODULES_SIGNING_KEY is set to a PEM file
> containing only the private key. This commit adds a step in
> kernel-build_merge_configs that concatenates MODULES_SIGNING_KEY and
> MODULES_SIGNING_CERT into ${T}/kernel_key.pem if both files exist and
> are not the same path. It then sets MODULES_SIGNING_KEY to
> ${T}/kernel_key.pem. This should fix building with separate private and
> public module signing keys.
>
> Signed-off-by: Violet Purcell <vimproved@inventati.org>
> ---
> eclass/kernel-build.eclass | 17 ++++++++++++++++-
> 1 file changed, 16 insertions(+), 1 deletion(-)
>
> diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
> index 276a08a104e0e..1a33ce2e875f2 100644
> --- a/eclass/kernel-build.eclass
> +++ b/eclass/kernel-build.eclass
> @@ -57,7 +57,8 @@ IUSE="+strip"
> # @DESCRIPTION:
> # If set to a non-null value, adds IUSE=modules-sign and required
> # logic to manipulate the kernel config while respecting the
> -# MODULES_SIGN_HASH and MODULES_SIGN_KEY user variables.
> +# MODULES_SIGN_HASH, MODULES_SIGN_CERT, and MODULES_SIGN_KEY user
> +# variables.
>
> # @ECLASS_VARIABLE: MODULES_SIGN_HASH
> # @USER_VARIABLE
> @@ -89,6 +90,14 @@ IUSE="+strip"
> #
> # Default if unset: certs/signing_key.pem
>
> +# @ECLASS_VARIABLE: MODULES_SIGN_CERT
> +# @USER_VARIABLE
> +# @DEFAULT_UNSET
> +# @DESCRIPTION:
> +# Used with USE=modules-sign. Can be set to the path of the public
> +# key in PEM format to use. Must be specified if MODULES_SIGN_KEY
> +# is set to a path of a file that only contains the private key.
> +
> if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
> IUSE+=" modules-sign"
> REQUIRED_USE="secureboot? ( modules-sign )"
> @@ -394,6 +403,12 @@ kernel-build_merge_configs() {
> CONFIG_MODULE_SIG_FORCE=y
> CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y
> EOF
> + if [[ -e ${MODULES_SIGN_KEY} ]] && [[ -e ${MODULES_SIGN_CERT} ]] \
> + && [[ ${MODULES_SIGN_KEY} != ${MODULES_SIGN_CERT} ]] \
> + && [[ ${MODULES_SIGN_KEY} != pkcs11:* ]]; then
Please don't split [[ ... ]], and then use && for line wrapping instead
of backslashes.
> + cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" >
> "${T}/kernel_key.pem" || die
> + MODULES_SIGN_KEY="${T}/kernel_key.pem"
> + fi
> if [[ ${MODULES_SIGN_KEY} == pkcs11:* || -e ${MODULES_SIGN_KEY} ]];
> then
> echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \
> >> "${WORKDIR}/modules-sign.config"
>
--
Best regards,
Michał Górny
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2023-08-17 13:48 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-08-17 8:40 [gentoo-dev] [PATCH 1/1] kernel-build.eclass: Fix separate private and public module Andrew Ammerlaan
2023-08-17 13:48 ` Michał Górny
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox