From: Andrew Ammerlaan
To: gentoo-dev@lists.gentoo.org
Date: Fri, 14 Jul 2023 10:44:31 +0200
Subject: [gentoo-dev] [PATCH 0/5]: Introduce secureboot.eclass
Message-ID: <8ffe80ee-5d2d-e5ff-946a-e6216f99a1a5@gentoo.org>

Hi all,

Now that we have support for unified kernel images and signed kernel modules in gentoo-kernel and via linux-mod-r1.eclass, the logical next step is to also make it possible to sign the kernel images, bootloaders, and other EFI executables. This makes it possible to enable Secure Boot, i.e. the verification of these files by the system firmware prior to booting.

For this purpose I'd like to introduce secureboot.eclass with a matching global USE flag. The eclass is simple: we use the user-defined variables SECUREBOOT_SIGN_KEY and SECUREBOOT_SIGN_CERT and call sbsign from app-crypt/sbsigntools to sign the EFI executables (or other files).

Sure, you can call sbsign manually, but then you will have to do it manually on every update of every file involved in the boot chain. This is prone to break by accident sooner or later. By signing the EFI executables during emerge we ensure that the files on the file system are always signed. Any tooling that then installs or updates these files to the EFI system partition will then always use the pre-signed files. Therefore the chance of the boot process breaking with Secure Boot enabled reduces significantly.

The following emails will contain the new eclass and small patches to the eclasses involved in building the gentoo-kernel. Further patches to individual packages can be found in the accompanying PR [1].

Basically all that is required to make this work in an ebuild is to: inherit the eclass, define pkg_setup to call secureboot_pkg_setup, and call secureboot_auto_sign in src_install.

Best regards,
Andrew

[1] https://github.com/gentoo/gentoo/pull/31843