From: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: [gentoo-dev] [PATCH 0/5]: Introduce secureboot.eclass
Date: Fri, 14 Jul 2023 10:44:31 +0200 [thread overview]
Message-ID: <8ffe80ee-5d2d-e5ff-946a-e6216f99a1a5@gentoo.org> (raw)
Hi all,
Now that we have support for unified kernel images and signed kernel
modules in gentoo-kernel and via linux-mod-r1.eclass the logical next
step is to also make it possible to sign the kernel images, bootloaders,
and other efi executables. This makes it possible to enable Secure Boot,
i.e. the verification of these files by the system firmware prior to
booting.
For this purpose I'd like to introduce secureboot.eclass with matching
global use flag. The eclass is simple, we use the user defined variables
SECUREBOOT_SIGN_KEY and SECUREBOOT_SIGN_CERT and call sbsign from
app-crypt/sbsigntools to sign the efi executables (or other files).
Sure you can call sbsign manually but then you will have to do it
manually on every update of every file involved in the boot chain. This
is prone to break by accident sooner or later.
By signing the efi executables during emerge we ensure that the files on
the file system are always signed. Any tooling that then installs or
updates these files to the EFI system partition will then always use the
pre-signed files. Therefore the chance of the boot process breaking with
Secure Boot enabled reduces significantly.
The following emails will contain the new eclass and small patches to
the eclasses involved in building the gentoo-kernel. Further patches to
individual packages can be found in the accompanying PR [1]. Basically
all that is required to make this work in an ebuild is to: inherit the
eclass, define pkg_setup to call secureboot_pkg_setup, and call
secureboot_auto_sign in src_install.
Best regards,
Andrew
[1] https://github.com/gentoo/gentoo/pull/31843
reply other threads:[~2023-07-14 8:44 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8ffe80ee-5d2d-e5ff-946a-e6216f99a1a5@gentoo.org \
--to=andrewammerlaan@gentoo.org \
--cc=gentoo-dev@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox