From: Florian Schmaus
Date: Thu, 15 Jun 2023 11:59:18 +0200
Subject: Re: [gentoo-dev] [PATCH 2/2] kernel-build.eclass: add USE="modules-sign"
To: gentoo-dev@lists.gentoo.org

On 15.06.23 11:50, Andrew Ammerlaan wrote: > From fc8894ff62b45cc7a4148a9f6ba51f1afe7b920a Mon Sep 17 00:00:00 2001
> From: Andrew Ammerlaan > Date: Thu, 8 Jun 2023 20:44:58 +0200 > Subject: [PATCH] sys-kernel/gentoo-kernel: add USE="modules-sign" > > - Enable module signing configure options if requested by the user. > - Respect the linux-mod-r1.eclass variables MODULES_SIGN_HASH and > MODULES_SIGN_KEY, > - Warn the user if we are letting the kernel build system generate > the signing key. This key will end up binary packages. Plus external > modules will have to be resigned if gentoo-kernel is re-emerged (i.e. a > new key was generated). > > Bug: https://bugs.gentoo.org/881651 > Bug: https://bugs.gentoo.org/814344 > Signed-off-by: Andrew Ammerlaan > --- >  ...8.ebuild => gentoo-kernel-6.3.8.ebuild} | 45 ++++++++++++++++++- >  1 file changed, 44 insertions(+), 1 deletion(-) >  rename sys-kernel/gentoo-kernel/{gentoo-kernel-6.3.8.ebuild => > gentoo-kernel-6.3.8-r1.ebuild} (71%) > > diff --git a/sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8.ebuild > b/sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8-r1.ebuild > similarity index 71% > rename from sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8.ebuild > rename to sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8-r1.ebuild > index fd81855a6140a..4bc03564efbe0 100644 > --- a/sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8.ebuild > +++ b/sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8-r1.ebuild > @@ -44,7 +44,7 @@ S=${WORKDIR}/${MY_P} > >  LICENSE="GPL-2" >  KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ppc ~ppc64 ~riscv ~x86" > -IUSE="debug hardened" > +IUSE="debug hardened modules-sign" >  REQUIRED_USE="arm? ( savedconfig ) >      hppa? ( savedconfig ) >      riscv? ( savedconfig )" 
> @@ -136,5 +136,48 @@ src_prepare() { >          merge_configs+=( "${dist_conf_path}/big-endian.config" ) >      fi > > +    if use modules-sign; then > +        : "${MODULES_SIGN_HASH:=sha512}" > +        cat <<-EOF > "${WORKDIR}/modules-sign.config" || die > +            ## Enable module signing > +            CONFIG_MODULE_SIG=y > +            CONFIG_MODULE_SIG_ALL=y > +            CONFIG_MODULE_SIG_FORCE=y > +            CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y > +        EOF > +        if [[ -n "${MODULES_SIGN_KEY}" ]]; then > +            if [[ -e "${MODULES_SIGN_KEY}" ]]; then > +                echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \ > +                    >> "${WORKDIR}/modules-sign.config" > +            else > +                die "MODULES_SIGN_KEY=${MODULES_SIGN_KEY} not found!" > +            fi > +        fi > +        merge_configs+=( "${WORKDIR}/modules-sign.config" ) > +    fi > + >      kernel-build_merge_configs "${merge_configs[@]}" >  } > + > +pkg_postinst() { > +    kernel-build_pkg_postinst > +    if use modules-sign; then > +        if [[ -z "${MODULES_SIGN_KEY}" ]]; then > +            ewarn "" You can drop the empty string argument and simply just write ewarn. And I am not sure if we really need a leading empty ewarn line, but this appears to be a common idiom. > +            ewarn "MODULES_SIGN_KEY was not set, this means the kernel > build system" > +            ewarn "automatically generated the signing key. This key > was installed" > +            ewarn "in > ${EROOT}/usr/src/linux-${PV}${KV_LOCALVERSION}/certs" > +            ewarn "and will also be included in any binary packages." > +            ewarn "Please take appropriate action to protect the key!" > +            ewarn "" > +            ewarn "Recompiling this package causes a new key to be > generated. As" > +            ewarn "a result any external kernel modules will need to be > resigned." 
> +            ewarn "Use emerge @module-rebuild, or manually sign the > modules as" > +            ewarn "described on the wiki [1]" > +            ewarn "" > +            ewarn "Consider using the MODULES_SIGN_KEY variable to use > an external key." > +            ewarn "" > +            ewarn "[1]: > https://wiki.gentoo.org/wiki/Signed_kernel_module_support" > +        fi > +    fi > +} - Flow
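Review bot: The IUSE hunk introduces a new local USE flag `modules-sign`, but the diffstat shows only the ebuild being touched (`1 file changed`), so the flag has no description in the package's metadata.xml; either add a `<flag name="modules-sign">` entry there in the same commit or point at the global flag it is meant to reuse, otherwise QA tooling will flag the undocumented flag.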
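Review bot: In the src_prepare hunk, `CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y` is emitted without checking that MODULES_SIGN_HASH is one of the hash names the kernel actually offers; a typo such as `sha521` yields an unknown symbol that the config merge will drop, and the build then silently falls back to the kernel's default hash instead of failing. Validate the value against the supported set and `die` on anything else, the way the hunk already does for a missing MODULES_SIGN_KEY. Two smaller points in the same region: the `[[ -e "${MODULES_SIGN_KEY}" ]]` check rejects a `pkcs11:` URI, which CONFIG_MODULE_SIG_KEY accepts, so consider skipping the existence test when the value is not a filesystem path; and in pkg_postinst, rather than only warning that the auto-generated private key was installed under `.../certs` and ships in binary packages, the ebuild could remove the generated private key from the installed tree after the modules have been signed, leaving only the certificate, which removes the hazard instead of documenting it.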