From: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: [gentoo-dev] [PATCH 0/5]: Introduce secureboot.eclass
Date: Fri, 14 Jul 2023 10:44:31 +0200	[thread overview]
Message-ID: <8ffe80ee-5d2d-e5ff-946a-e6216f99a1a5@gentoo.org> (raw)

Hi all,

Now that we have support for unified kernel images and signed kernel 
modules in gentoo-kernel and via linux-mod-r1.eclass the logical next 
step is to also make it possible to sign the kernel images, bootloaders, 
and other efi executables. This makes it possible to enable Secure Boot, 
i.e. the verification of these files by the system firmware prior to 
booting.

For this purpose I'd like to introduce secureboot.eclass with a matching 
global USE flag. The eclass is simple: we use the user-defined variables 
SECUREBOOT_SIGN_KEY and SECUREBOOT_SIGN_CERT and call sbsign from 
app-crypt/sbsigntools to sign the EFI executables (or other files).

Sure, you can call sbsign manually, but then you will have to do it 
manually on every update of every file involved in the boot chain. This 
is prone to break by accident sooner or later.

By signing the efi executables during emerge we ensure that the files on 
the file system are always signed. Any tooling that then installs or 
updates these files to the EFI system partition will then always use the 
pre-signed files. Therefore the chance of the boot process breaking with 
Secure Boot enabled reduces significantly.

The following emails will contain the new eclass and small patches to 
the eclasses involved in building the gentoo-kernel. Further patches to 
individual packages can be found in the accompanying PR [1]. Basically 
all that is required to make this work in an ebuild is to: inherit the 
eclass, define pkg_setup to call secureboot_pkg_setup, and call 
secureboot_auto_sign in src_install.
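To make the sign-at-install flow concrete, here is an added sketch in plain shell of the two steps the cover letter describes (a pkg_setup-time check that the signing material is configured, and an install-time pass that signs every EFI executable). It is not the eclass from this patch series or from the linked PR: the function names secureboot_check_config, is_pe_executable, secureboot_sign_efi and secureboot_auto_sign, and the SBSIGN override variable, are assumptions made for this illustration, and the real secureboot_pkg_setup/secureboot_auto_sign may behave differently. The only inputs it relies on from the text are the SECUREBOOT_SIGN_KEY and SECUREBOOT_SIGN_CERT variables and the sbsign tool from app-crypt/sbsigntools.

```shell
#!/bin/sh
# Added illustration of signing EFI executables at install time.
# Not the real secureboot.eclass; function names here are hypothetical.

# Command used to sign. Overridable so the logic can be exercised
# without a real key (assumption: the eclass itself always uses sbsign).
: "${SBSIGN:=sbsign}"

# pkg_setup-style check: both variables set and both files readable.
# Failing here (before anything is built) is the whole point of the
# check: a half-configured system must not install unsigned boot files.
secureboot_check_config() {
    if [ -z "${SECUREBOOT_SIGN_KEY}" ] || [ -z "${SECUREBOOT_SIGN_CERT}" ]; then
        echo "SECUREBOOT_SIGN_KEY and SECUREBOOT_SIGN_CERT must both be set" >&2
        return 1
    fi
    if [ ! -r "${SECUREBOOT_SIGN_KEY}" ] || [ ! -r "${SECUREBOOT_SIGN_CERT}" ]; then
        echo "signing key or certificate is not readable" >&2
        return 1
    fi
    return 0
}

# Return 0 if the file starts with the PE/COFF "MZ" magic, i.e. it is
# the kind of file the firmware will verify. Everything else is skipped.
is_pe_executable() {
    magic=$(head -c 2 -- "$1" 2>/dev/null)
    [ "${magic}" = "MZ" ]
}

# Sign a single PE executable in place: sbsign writes to --output, and
# the signed copy replaces the original only if signing succeeded.
secureboot_sign_efi() {
    file=$1
    secureboot_check_config || return 1
    if ! is_pe_executable "${file}"; then
        echo "not a PE executable: ${file}" >&2
        return 1
    fi
    "${SBSIGN}" --key "${SECUREBOOT_SIGN_KEY}" --cert "${SECUREBOOT_SIGN_CERT}" \
        --output "${file}.signed" "${file}" || return 1
    mv -- "${file}.signed" "${file}"
}

# src_install-style pass: sign every PE executable among the arguments,
# leave non-PE files untouched, and stop at the first failure so a
# partially signed image set is never silently accepted.
secureboot_auto_sign() {
    for f in "$@"; do
        if is_pe_executable "${f}"; then
            secureboot_sign_efi "${f}" || return 1
        fi
    done
    return 0
}

# Example usage (hypothetical paths):
#   SECUREBOOT_SIGN_KEY=/etc/secureboot/db.key \
#   SECUREBOOT_SIGN_CERT=/etc/secureboot/db.crt \
#   secureboot_auto_sign "${ED}"/usr/lib/efi/*.efi
```

Checking the key and certificate up front (pkg_setup) rather than at signing time matters because the failure then happens before the build starts, not after the old signed image has already been replaced on disk.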

Best regards,
Andrew


[1] https://github.com/gentoo/gentoo/pull/31843
