* [gentoo-dev] [PATCH] kernel-build.eclass: work around permissions issue with module signing @ 2023-11-27 17:12 Violet Purcell 2023-11-27 17:50 ` Michał Górny 0 siblings, 1 reply; 6+ messages in thread From: Violet Purcell @ 2023-11-27 17:12 UTC (permalink / raw) To: gentoo-dev; +Cc: Violet Purcell Currently, using a custom path for MODULES_SIGN_KEY requires the key to be readable by portage:portage. This is not ideal for security, since the file has to be either owned by portage:portage or readable by all users in this case. Instead, export the contents of MODULES_SIGN_KEY to a variable in pkg_setup, and then create a temporary file with it in src_configure to ensure that the temporary key is readable by the user that the kernel is being built as. The variable is then unset so it does not end up in the final environment file. Signed-off-by: Violet Purcell <vimproved@inventati.org> --- eclass/kernel-build.eclass | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass index 4f7e4d047739..cf958c86ff29 100644 --- a/eclass/kernel-build.eclass +++ b/eclass/kernel-build.eclass @@ -114,6 +114,13 @@ kernel-build_pkg_setup() { python-any-r1_pkg_setup if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then secureboot_pkg_setup + if [[ -e ${MODULES_SIGN_KEY} && ${MODULES_SIGN_KEY} != pkcs11:* ]]; then + if [[ -e ${MODULES_SIGN_CERT} && ${MODULES_SIGN_CERT} != ${MODULES_SIGN_KEY} ]]; then + export MODULES_SIGN_KEY_CONTENTS="$(cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}")" + else + export MODULES_SIGN_KEY_CONTENTS="$(< "${MODULES_SIGN_KEY}")" + fi + fi fi } @@ -427,12 +434,12 @@ kernel-build_merge_configs() { CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y EOF - if [[ -e ${MODULES_SIGN_KEY} && -e ${MODULES_SIGN_CERT} && - ${MODULES_SIGN_KEY} != ${MODULES_SIGN_CERT} && - ${MODULES_SIGN_KEY} != pkcs11:* ]] - then - cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" > "${T}/kernel_key.pem" || die - MODULES_SIGN_KEY="${T}/kernel_key.pem" + if [[ -n "${MODULES_SIGN_KEY_CONTENTS}" ]]; then + touch "${T}/kernel_key.pem" || die + chmod 0600 "${T}/kernel_key.pem" || die + echo "${MODULES_SIGN_KEY_CONTENTS}" > "${T}/kernel_key.pem" || die + unset MODULES_SIGN_KEY_CONTENTS + export MODULES_SIGN_KEY="${T}/kernel_key.pem" fi if [[ ${MODULES_SIGN_KEY} == pkcs11:* || -r ${MODULES_SIGN_KEY} ]]; then echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \ -- 2.43.0 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [gentoo-dev] [PATCH] kernel-build.eclass: work around permissions issue with module signing 2023-11-27 17:12 [gentoo-dev] [PATCH] kernel-build.eclass: work around permissions issue with module signing Violet Purcell @ 2023-11-27 17:50 ` Michał Górny 2023-12-11 8:00 ` [gentoo-dev] [PATCH v3] " Andrew Ammerlaan 0 siblings, 1 reply; 6+ messages in thread From: Michał Górny @ 2023-11-27 17:50 UTC (permalink / raw) To: gentoo-dev; +Cc: Violet Purcell [-- Attachment #1: Type: text/plain, Size: 2734 bytes --] On Mon, 2023-11-27 at 12:12 -0500, Violet Purcell wrote: > Currently, using a custom path for MODULES_SIGN_KEY requires the key to > be readable by portage:portage. This is not ideal for security, since > the file has to be either owned by portage:portage or readable by all > users in this case. Instead, export the contents of MODULES_SIGN_KEY to > a variable in pkg_setup, and then create a temporary file with it in > src_configure to ensure that the temporary key is readable by the user > that the kernel is being built as. The variable is then unset so it does > not end up in the final environment file. > > Signed-off-by: Violet Purcell <vimproved@inventati.org> > --- > eclass/kernel-build.eclass | 19 +++++++++++++------ > 1 file changed, 13 insertions(+), 6 deletions(-) > > diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass > index 4f7e4d047739..cf958c86ff29 100644 > --- a/eclass/kernel-build.eclass > +++ b/eclass/kernel-build.eclass > @@ -114,6 +114,13 @@ kernel-build_pkg_setup() { > python-any-r1_pkg_setup > if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then > secureboot_pkg_setup > + if [[ -e ${MODULES_SIGN_KEY} && ${MODULES_SIGN_KEY} != pkcs11:* ]]; then > + if [[ -e ${MODULES_SIGN_CERT} && ${MODULES_SIGN_CERT} != ${MODULES_SIGN_KEY} ]]; then > + export MODULES_SIGN_KEY_CONTENTS="$(cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}")" > + else > + export MODULES_SIGN_KEY_CONTENTS="$(< "${MODULES_SIGN_KEY}")" You don't need to export it. Unexported variables are also preserved. > + fi > + fi > fi > } > > @@ -427,12 +434,12 @@ kernel-build_merge_configs() { > CONFIG_MODULE_SIG_FORCE=y > CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y > EOF > - if [[ -e ${MODULES_SIGN_KEY} && -e ${MODULES_SIGN_CERT} && > - ${MODULES_SIGN_KEY} != ${MODULES_SIGN_CERT} && > - ${MODULES_SIGN_KEY} != pkcs11:* ]] > - then > - cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" > "${T}/kernel_key.pem" || die > - MODULES_SIGN_KEY="${T}/kernel_key.pem" > + if [[ -n "${MODULES_SIGN_KEY_CONTENTS}" ]]; then > + touch "${T}/kernel_key.pem" || die > + chmod 0600 "${T}/kernel_key.pem" || die This creates a race condition whereupon the file can be opened between the call to touch and chmod. It's better to use a subshell and set umask. > + echo "${MODULES_SIGN_KEY_CONTENTS}" > "${T}/kernel_key.pem" || die > + unset MODULES_SIGN_KEY_CONTENTS > + export MODULES_SIGN_KEY="${T}/kernel_key.pem" > fi > if [[ ${MODULES_SIGN_KEY} == pkcs11:* || -r ${MODULES_SIGN_KEY} ]]; then > echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \ -- Best regards, Michał Górny [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 512 bytes --] ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [gentoo-dev] [PATCH v3] kernel-build.eclass: work around permissions issue with module signing 2023-11-27 17:50 ` Michał Górny @ 2023-12-11 8:00 ` Andrew Ammerlaan 2023-12-11 11:13 ` Michał Górny 0 siblings, 1 reply; 6+ messages in thread From: Andrew Ammerlaan @ 2023-12-11 8:00 UTC (permalink / raw) To: gentoo-dev; +Cc: Michał Górny, vimproved v3: From dbf92605437b4a457bad2da92f69baab23fcfa44 Mon Sep 17 00:00:00 2001 From: Violet Purcell <vimproved@inventati.org> Date: Mon, 27 Nov 2023 12:12:09 -0500 Subject: [PATCH] kernel-build.eclass: work around permissions issue with module signing Currently, using a custom path for MODULES_SIGN_KEY requires the key to be readable by portage:portage. This is not ideal for security, since the file has to be either owned by portage:portage or readable by all users in this case. Instead, export the contents of MODULES_SIGN_KEY to a variable in pkg_setup, and then create a temporary file with it in src_configure to ensure that the temporary key is readable by the user that the kernel is being built as. The variable is then unset so it does not end up in the final environment file. Co-authored-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org> Signed-off-by: Violet Purcell <vimproved@inventati.org> --- eclass/kernel-build.eclass | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass index f5529c319f9fc..94b499f82fc1e 100644 --- a/eclass/kernel-build.eclass +++ b/eclass/kernel-build.eclass @@ -114,6 +114,13 @@ kernel-build_pkg_setup() { python-any-r1_pkg_setup if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then secureboot_pkg_setup + if [[ -e ${MODULES_SIGN_KEY} && ${MODULES_SIGN_KEY} != pkcs11:* ]]; then + if [[ -e ${MODULES_SIGN_CERT} && ${MODULES_SIGN_CERT} != ${MODULES_SIGN_KEY} ]]; then + MODULES_SIGN_KEY_CONTENTS="$(cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" || die)" + else + MODULES_SIGN_KEY_CONTENTS="$(cat "${MODULES_SIGN_KEY}" || die)" + fi + fi fi } @@ -422,12 +429,11 @@ kernel-build_merge_configs() { CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y EOF - if [[ -e ${MODULES_SIGN_KEY} && -e ${MODULES_SIGN_CERT} && - ${MODULES_SIGN_KEY} != ${MODULES_SIGN_CERT} && - ${MODULES_SIGN_KEY} != pkcs11:* ]] - then - cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" > "${T}/kernel_key.pem" || die - MODULES_SIGN_KEY="${T}/kernel_key.pem" + if [[ -n "${MODULES_SIGN_KEY_CONTENTS}" ]]; then + (umask 066; touch "${T}/kernel_key.pem" || die) + echo "${MODULES_SIGN_KEY_CONTENTS}" > "${T}/kernel_key.pem" || die + unset MODULES_SIGN_KEY_CONTENTS + export MODULES_SIGN_KEY="${T}/kernel_key.pem" fi if [[ ${MODULES_SIGN_KEY} == pkcs11:* || -r ${MODULES_SIGN_KEY} ]]; then echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \ On 27/11/2023 18:50, Michał Górny wrote: > On Mon, 2023-11-27 at 12:12 -0500, Violet Purcell wrote: >> Currently, using a custom path for MODULES_SIGN_KEY requires the key to >> be readable by portage:portage. This is not ideal for security, since >> the file has to be either owned by portage:portage or readable by all >> users in this case. Instead, export the contents of MODULES_SIGN_KEY to >> a variable in pkg_setup, and then create a temporary file with it in >> src_configure to ensure that the temporary key is readable by the user >> that the kernel is being built as. The variable is then unset so it does >> not end up in the final environment file. >> >> Signed-off-by: Violet Purcell <vimproved@inventati.org> >> --- >> eclass/kernel-build.eclass | 19 +++++++++++++------ >> 1 file changed, 13 insertions(+), 6 deletions(-) >> >> diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass >> index 4f7e4d047739..cf958c86ff29 100644 >> --- a/eclass/kernel-build.eclass >> +++ b/eclass/kernel-build.eclass >> @@ -114,6 +114,13 @@ kernel-build_pkg_setup() { >> python-any-r1_pkg_setup >> if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then >> secureboot_pkg_setup >> + if [[ -e ${MODULES_SIGN_KEY} && ${MODULES_SIGN_KEY} != pkcs11:* ]]; then >> + if [[ -e ${MODULES_SIGN_CERT} && ${MODULES_SIGN_CERT} != ${MODULES_SIGN_KEY} ]]; then >> + export MODULES_SIGN_KEY_CONTENTS="$(cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}")" >> + else >> + export MODULES_SIGN_KEY_CONTENTS="$(< "${MODULES_SIGN_KEY}")" > > You don't need to export it. Unexported variables are also preserved. > >> + fi >> + fi >> fi >> } >> >> @@ -427,12 +434,12 @@ kernel-build_merge_configs() { >> CONFIG_MODULE_SIG_FORCE=y >> CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y >> EOF >> - if [[ -e ${MODULES_SIGN_KEY} && -e ${MODULES_SIGN_CERT} && >> - ${MODULES_SIGN_KEY} != ${MODULES_SIGN_CERT} && >> - ${MODULES_SIGN_KEY} != pkcs11:* ]] >> - then >> - cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" > "${T}/kernel_key.pem" || die >> - MODULES_SIGN_KEY="${T}/kernel_key.pem" >> + if [[ -n "${MODULES_SIGN_KEY_CONTENTS}" ]]; then >> + touch "${T}/kernel_key.pem" || die >> + chmod 0600 "${T}/kernel_key.pem" || die > > This creates a race condition whereupon the file can be opened between > the call to touch and chmod. It's better to use a subshell and set > umask. > >> + echo "${MODULES_SIGN_KEY_CONTENTS}" > "${T}/kernel_key.pem" || die >> + unset MODULES_SIGN_KEY_CONTENTS >> + export MODULES_SIGN_KEY="${T}/kernel_key.pem" >> fi >> if [[ ${MODULES_SIGN_KEY} == pkcs11:* || -r ${MODULES_SIGN_KEY} ]]; then >> echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \ > ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [gentoo-dev] [PATCH v3] kernel-build.eclass: work around permissions issue with module signing 2023-12-11 8:00 ` [gentoo-dev] [PATCH v3] " Andrew Ammerlaan @ 2023-12-11 11:13 ` Michał Górny 2023-12-11 11:28 ` [gentoo-dev] [PATCH v4] " Andrew Ammerlaan 0 siblings, 1 reply; 6+ messages in thread From: Michał Górny @ 2023-12-11 11:13 UTC (permalink / raw) To: gentoo-dev; +Cc: vimproved [-- Attachment #1: Type: text/plain, Size: 3009 bytes --] On Mon, 2023-12-11 at 09:00 +0100, Andrew Ammerlaan wrote: > v3: > > From dbf92605437b4a457bad2da92f69baab23fcfa44 Mon Sep 17 00:00:00 2001 > From: Violet Purcell <vimproved@inventati.org> > Date: Mon, 27 Nov 2023 12:12:09 -0500 > Subject: [PATCH] kernel-build.eclass: work around permissions issue with > module signing > > Currently, using a custom path for MODULES_SIGN_KEY requires the key to > be readable by portage:portage. This is not ideal for security, since > the file has to be either owned by portage:portage or readable by all > users in this case. Instead, export the contents of MODULES_SIGN_KEY to > a variable in pkg_setup, and then create a temporary file with it in > src_configure to ensure that the temporary key is readable by the user > that the kernel is being built as. The variable is then unset so it does > not end up in the final environment file. > > Co-authored-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org> > Signed-off-by: Violet Purcell <vimproved@inventati.org> > --- > eclass/kernel-build.eclass | 18 ++++++++++++------ > 1 file changed, 12 insertions(+), 6 deletions(-) > > diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass > index f5529c319f9fc..94b499f82fc1e 100644 > --- a/eclass/kernel-build.eclass > +++ b/eclass/kernel-build.eclass > @@ -114,6 +114,13 @@ kernel-build_pkg_setup() { > python-any-r1_pkg_setup > if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then > secureboot_pkg_setup > + if [[ -e ${MODULES_SIGN_KEY} && ${MODULES_SIGN_KEY} != pkcs11:* ]]; then > + if [[ -e ${MODULES_SIGN_CERT} && ${MODULES_SIGN_CERT} != > ${MODULES_SIGN_KEY} ]]; then > + MODULES_SIGN_KEY_CONTENTS="$(cat "${MODULES_SIGN_CERT}" > "${MODULES_SIGN_KEY}" || die)" You can use $(<...) builtin instead of calling cat(1). > + else > + MODULES_SIGN_KEY_CONTENTS="$(cat "${MODULES_SIGN_KEY}" || die)" > + fi > + fi > fi > } > > @@ -422,12 +429,11 @@ kernel-build_merge_configs() { > CONFIG_MODULE_SIG_FORCE=y > CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y > EOF > - if [[ -e ${MODULES_SIGN_KEY} && -e ${MODULES_SIGN_CERT} && > - ${MODULES_SIGN_KEY} != ${MODULES_SIGN_CERT} && > - ${MODULES_SIGN_KEY} != pkcs11:* ]] > - then > - cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" > > "${T}/kernel_key.pem" || die > - MODULES_SIGN_KEY="${T}/kernel_key.pem" > + if [[ -n "${MODULES_SIGN_KEY_CONTENTS}" ]]; then No quoting is needed here. > + (umask 066; touch "${T}/kernel_key.pem" || die) '&&' instead of ';', even if umask shouldn't really fail here. > + echo "${MODULES_SIGN_KEY_CONTENTS}" > "${T}/kernel_key.pem" || die > + unset MODULES_SIGN_KEY_CONTENTS > + export MODULES_SIGN_KEY="${T}/kernel_key.pem" > fi > if [[ ${MODULES_SIGN_KEY} == pkcs11:* || -r ${MODULES_SIGN_KEY} ]]; > then > echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \ > -- Best regards, Michał Górny [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 512 bytes --] ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [gentoo-dev] [PATCH v4] kernel-build.eclass: work around permissions issue with module signing 2023-12-11 11:13 ` Michał Górny @ 2023-12-11 11:28 ` Andrew Ammerlaan 2023-12-11 11:56 ` Michał Górny 0 siblings, 1 reply; 6+ messages in thread From: Andrew Ammerlaan @ 2023-12-11 11:28 UTC (permalink / raw) To: gentoo-dev >> diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass >> index f5529c319f9fc..94b499f82fc1e 100644 >> --- a/eclass/kernel-build.eclass >> +++ b/eclass/kernel-build.eclass >> @@ -114,6 +114,13 @@ kernel-build_pkg_setup() { >> python-any-r1_pkg_setup >> if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then >> secureboot_pkg_setup >> + if [[ -e ${MODULES_SIGN_KEY} && ${MODULES_SIGN_KEY} != pkcs11:* ]]; then >> + if [[ -e ${MODULES_SIGN_CERT} && ${MODULES_SIGN_CERT} != >> ${MODULES_SIGN_KEY} ]]; then >> + MODULES_SIGN_KEY_CONTENTS="$(cat "${MODULES_SIGN_CERT}" >> "${MODULES_SIGN_KEY}" || die)" > > You can use $(<...) builtin instead of calling cat(1). > I don't have a strong preference, but I used cat here for esthetic symmetry reasons with the line above. Anyway, here's v4: From 3890c558ff93b9cdb608a3bbcf4c3039f456b571 Mon Sep 17 00:00:00 2001 From: Violet Purcell <vimproved@inventati.org> Date: Mon, 27 Nov 2023 12:12:09 -0500 Subject: [PATCH] kernel-build.eclass: work around permissions issue with module signing Currently, using a custom path for MODULES_SIGN_KEY requires the key to be readable by portage:portage. This is not ideal for security, since the file has to be either owned by portage:portage or readable by all users in this case. Instead, export the contents of MODULES_SIGN_KEY to a variable in pkg_setup, and then create a temporary file with it in src_configure to ensure that the temporary key is readable by the user that the kernel is being built as. The variable is then unset so it does not end up in the final environment file. Co-authored-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org> Signed-off-by: Violet Purcell <vimproved@inventati.org> --- eclass/kernel-build.eclass | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass index f5529c319f9fc..6b692dc4f9a08 100644 --- a/eclass/kernel-build.eclass +++ b/eclass/kernel-build.eclass @@ -114,6 +114,13 @@ kernel-build_pkg_setup() { python-any-r1_pkg_setup if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then secureboot_pkg_setup + if [[ -e ${MODULES_SIGN_KEY} && ${MODULES_SIGN_KEY} != pkcs11:* ]]; then + if [[ -e ${MODULES_SIGN_CERT} && ${MODULES_SIGN_CERT} != ${MODULES_SIGN_KEY} ]]; then + MODULES_SIGN_KEY_CONTENTS="$(cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" || die)" + else + MODULES_SIGN_KEY_CONTENTS="$(< "${MODULES_SIGN_KEY}")" + fi + fi fi } @@ -422,12 +429,11 @@ kernel-build_merge_configs() { CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y EOF - if [[ -e ${MODULES_SIGN_KEY} && -e ${MODULES_SIGN_CERT} && - ${MODULES_SIGN_KEY} != ${MODULES_SIGN_CERT} && - ${MODULES_SIGN_KEY} != pkcs11:* ]] - then - cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" > "${T}/kernel_key.pem" || die - MODULES_SIGN_KEY="${T}/kernel_key.pem" + if [[ -n ${MODULES_SIGN_KEY_CONTENTS} ]]; then + (umask 066 && touch "${T}/kernel_key.pem" || die) + echo "${MODULES_SIGN_KEY_CONTENTS}" > "${T}/kernel_key.pem" || die + unset MODULES_SIGN_KEY_CONTENTS + export MODULES_SIGN_KEY="${T}/kernel_key.pem" fi if [[ ${MODULES_SIGN_KEY} == pkcs11:* || -r ${MODULES_SIGN_KEY} ]]; then echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \ ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [gentoo-dev] [PATCH v4] kernel-build.eclass: work around permissions issue with module signing 2023-12-11 11:28 ` [gentoo-dev] [PATCH v4] " Andrew Ammerlaan @ 2023-12-11 11:56 ` Michał Górny 0 siblings, 0 replies; 6+ messages in thread From: Michał Górny @ 2023-12-11 11:56 UTC (permalink / raw) To: gentoo-dev [-- Attachment #1: Type: text/plain, Size: 3783 bytes --] On Mon, 2023-12-11 at 12:28 +0100, Andrew Ammerlaan wrote: > > > diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass > > > index f5529c319f9fc..94b499f82fc1e 100644 > > > --- a/eclass/kernel-build.eclass > > > +++ b/eclass/kernel-build.eclass > > > @@ -114,6 +114,13 @@ kernel-build_pkg_setup() { > > > python-any-r1_pkg_setup > > > if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then > > > secureboot_pkg_setup > > > + if [[ -e ${MODULES_SIGN_KEY} && ${MODULES_SIGN_KEY} != pkcs11:* ]]; then > > > + if [[ -e ${MODULES_SIGN_CERT} && ${MODULES_SIGN_CERT} != > > > ${MODULES_SIGN_KEY} ]]; then > > > + MODULES_SIGN_KEY_CONTENTS="$(cat "${MODULES_SIGN_CERT}" > > > "${MODULES_SIGN_KEY}" || die)" > > > > You can use $(<...) builtin instead of calling cat(1). > > > > > I don't have a strong preference, but I used cat here for esthetic > symmetry reasons with the line above. Anyway, here's v4: > > From 3890c558ff93b9cdb608a3bbcf4c3039f456b571 Mon Sep 17 00:00:00 2001 > From: Violet Purcell <vimproved@inventati.org> > Date: Mon, 27 Nov 2023 12:12:09 -0500 > Subject: [PATCH] kernel-build.eclass: work around permissions issue with > module signing > > Currently, using a custom path for MODULES_SIGN_KEY requires the key to > be readable by portage:portage. This is not ideal for security, since > the file has to be either owned by portage:portage or readable by all > users in this case. Instead, export the contents of MODULES_SIGN_KEY to > a variable in pkg_setup, and then create a temporary file with it in > src_configure to ensure that the temporary key is readable by the user > that the kernel is being built as. The variable is then unset so it does > not end up in the final environment file. > > Co-authored-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org> > Signed-off-by: Violet Purcell <vimproved@inventati.org> > --- > eclass/kernel-build.eclass | 18 ++++++++++++------ > 1 file changed, 12 insertions(+), 6 deletions(-) > > diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass > index f5529c319f9fc..6b692dc4f9a08 100644 > --- a/eclass/kernel-build.eclass > +++ b/eclass/kernel-build.eclass > @@ -114,6 +114,13 @@ kernel-build_pkg_setup() { > python-any-r1_pkg_setup > if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then > secureboot_pkg_setup > + if [[ -e ${MODULES_SIGN_KEY} && ${MODULES_SIGN_KEY} != pkcs11:* ]]; then > + if [[ -e ${MODULES_SIGN_CERT} && ${MODULES_SIGN_CERT} != > ${MODULES_SIGN_KEY} ]]; then > + MODULES_SIGN_KEY_CONTENTS="$(cat "${MODULES_SIGN_CERT}" > "${MODULES_SIGN_KEY}" || die)" > + else > + MODULES_SIGN_KEY_CONTENTS="$(< "${MODULES_SIGN_KEY}")" > + fi > + fi > fi > } > > @@ -422,12 +429,11 @@ kernel-build_merge_configs() { > CONFIG_MODULE_SIG_FORCE=y > CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y > EOF > - if [[ -e ${MODULES_SIGN_KEY} && -e ${MODULES_SIGN_CERT} && > - ${MODULES_SIGN_KEY} != ${MODULES_SIGN_CERT} && > - ${MODULES_SIGN_KEY} != pkcs11:* ]] > - then > - cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" > > "${T}/kernel_key.pem" || die > - MODULES_SIGN_KEY="${T}/kernel_key.pem" > + if [[ -n ${MODULES_SIGN_KEY_CONTENTS} ]]; then > + (umask 066 && touch "${T}/kernel_key.pem" || die) > + echo "${MODULES_SIGN_KEY_CONTENTS}" > "${T}/kernel_key.pem" || die > + unset MODULES_SIGN_KEY_CONTENTS > + export MODULES_SIGN_KEY="${T}/kernel_key.pem" > fi > if [[ ${MODULES_SIGN_KEY} == pkcs11:* || -r ${MODULES_SIGN_KEY} ]]; > then > echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \ LGTM but I didn't test it. -- Best regards, Michał Górny [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 512 bytes --] ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2023-12-11 11:56 UTC | newest] Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2023-11-27 17:12 [gentoo-dev] [PATCH] kernel-build.eclass: work around permissions issue with module signing Violet Purcell 2023-11-27 17:50 ` Michał Górny 2023-12-11 8:00 ` [gentoo-dev] [PATCH v3] " Andrew Ammerlaan 2023-12-11 11:13 ` Michał Górny 2023-12-11 11:28 ` [gentoo-dev] [PATCH v4] " Andrew Ammerlaan 2023-12-11 11:56 ` Michał Górny
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox