From: Florian Schmaus <flow@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] [PATCH 2/2] kernel-build.eclass: add USE="modules-sign"
Date: Thu, 15 Jun 2023 11:59:18 +0200 [thread overview]
Message-ID: <a0be0bc7-b5f9-cd6f-5e9c-66a75a510c6a@gentoo.org> (raw)
In-Reply-To: <d0a2ef46-14b5-29dc-8c52-9fa6fedb86ed@gentoo.org>
On 15.06.23 11:50, Andrew Ammerlaan wrote:
> From fc8894ff62b45cc7a4148a9f6ba51f1afe7b920a Mon Sep 17 00:00:00 2001
> From: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
> Date: Thu, 8 Jun 2023 20:44:58 +0200
> Subject: [PATCH] sys-kernel/gentoo-kernel: add USE="modules-sign"
>
> - Enable module signing configure options if requested by the user.
> - Respect the linux-mod-r1.eclass variables MODULES_SIGN_HASH and
> MODULES_SIGN_KEY.
> - Warn the user if we are letting the kernel build system generate
> the signing key. This key will end up in binary packages. Plus external
> modules will have to be resigned if gentoo-kernel is re-emerged (i.e. a
> new key was generated).
>
> Bug: https://bugs.gentoo.org/881651
> Bug: https://bugs.gentoo.org/814344
> Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
> ---
> ...8.ebuild => gentoo-kernel-6.3.8.ebuild} | 45 ++++++++++++++++++-
> 1 file changed, 44 insertions(+), 1 deletion(-)
> rename sys-kernel/gentoo-kernel/{gentoo-kernel-6.3.8.ebuild =>
> gentoo-kernel-6.3.8-r1.ebuild} (71%)
>
> diff --git a/sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8.ebuild
> b/sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8-r1.ebuild
> similarity index 71%
> rename from sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8.ebuild
> rename to sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8-r1.ebuild
> index fd81855a6140a..4bc03564efbe0 100644
> --- a/sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8.ebuild
> +++ b/sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8-r1.ebuild
> @@ -44,7 +44,7 @@ S=${WORKDIR}/${MY_P}
>
> LICENSE="GPL-2"
> KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ppc ~ppc64 ~riscv ~x86"
> -IUSE="debug hardened"
> +IUSE="debug hardened modules-sign"
> REQUIRED_USE="arm? ( savedconfig )
> hppa? ( savedconfig )
> riscv? ( savedconfig )"
> @@ -136,5 +136,48 @@ src_prepare() {
> merge_configs+=( "${dist_conf_path}/big-endian.config" )
> fi
>
> + if use modules-sign; then
> + : "${MODULES_SIGN_HASH:=sha512}"
> + cat <<-EOF > "${WORKDIR}/modules-sign.config" || die
> + ## Enable module signing
> + CONFIG_MODULE_SIG=y
> + CONFIG_MODULE_SIG_ALL=y
> + CONFIG_MODULE_SIG_FORCE=y
> + CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y
> + EOF
> + if [[ -n "${MODULES_SIGN_KEY}" ]]; then
> + if [[ -e "${MODULES_SIGN_KEY}" ]]; then
> + echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \
> + >> "${WORKDIR}/modules-sign.config"
> + else
> + die "MODULES_SIGN_KEY=${MODULES_SIGN_KEY} not found!"
> + fi
> + fi
> + merge_configs+=( "${WORKDIR}/modules-sign.config" )
> + fi
> +
> kernel-build_merge_configs "${merge_configs[@]}"
> }
> +
> +pkg_postinst() {
> + kernel-build_pkg_postinst
> + if use modules-sign; then
> + if [[ -z "${MODULES_SIGN_KEY}" ]]; then
> + ewarn ""
You can drop the empty string argument and simply just write ewarn.
And I am not sure if we really need a leading empty ewarn line, but this
appears to be a common idiom.
> + ewarn "MODULES_SIGN_KEY was not set, this means the kernel
> build system"
> + ewarn "automatically generated the signing key. This key
> was installed"
> + ewarn "in
> ${EROOT}/usr/src/linux-${PV}${KV_LOCALVERSION}/certs"
> + ewarn "and will also be included in any binary packages."
> + ewarn "Please take appropriate action to protect the key!"
> + ewarn ""
> + ewarn "Recompiling this package causes a new key to be
> generated. As"
> + ewarn "a result any external kernel modules will need to be
> resigned."
> + ewarn "Use emerge @module-rebuild, or manually sign the
> modules as"
> + ewarn "described on the wiki [1]"
> + ewarn ""
> + ewarn "Consider using the MODULES_SIGN_KEY variable to use
> an external key."
> + ewarn ""
> + ewarn "[1]:
> https://wiki.gentoo.org/wiki/Signed_kernel_module_support"
> + fi
> + fi
> +}
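Review bot: the `[[ -e "${MODULES_SIGN_KEY}" ]]` test guarding the CONFIG_MODULE_SIG_KEY line assumes the key is always a file on disk, but the kernel also accepts a PKCS#11 URI (`pkcs11:...`) for CONFIG_MODULE_SIG_KEY, and that form would be rejected here with "not found!"; consider applying the existence check only when the value does not start with `pkcs11:`. Two smaller points in the same hunk: MODULES_SIGN_HASH gets a default but is never validated, so a typo such as `sha521` turns into an unknown `CONFIG_MODULE_SIG_SHA521=y` symbol that the config merge cannot honour, leaving the hash to the Kconfig default instead of failing the build early (a check against sha1/sha224/sha256/sha384/sha512 before the heredoc would catch it); and `CONFIG_MODULE_SIG_FORCE=y` is set unconditionally, which together with the key regeneration described in pkg_postinst means every out-of-tree module refuses to load after a rebuild until it is re-signed, so the ewarn should say "will not load" rather than only "will need to be resigned".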
- Flow
Thread overview: 5+ messages
2023-06-15 9:50 [gentoo-dev] [PATCH 2/2] kernel-build.eclass: add USE="modules-sign" Andrew Ammerlaan
2023-06-15 9:59 ` Florian Schmaus [this message]
2023-06-15 10:03 ` Andrew Ammerlaan
2023-06-17 18:13 ` [gentoo-dev] [PATCH 2/2 v3] " Andrew Ammerlaan
2023-06-20 18:16 ` [gentoo-dev] [PATCH 2/2 v4] " Andrew Ammerlaan