* [gentoo-dev] [PATCH 2/2] kernel-build.eclass: add USE="modules-sign" @ 2023-06-15 9:50 Andrew Ammerlaan 2023-06-15 9:59 ` Florian Schmaus 2023-06-17 18:13 ` [gentoo-dev] [PATCH 2/2 v3] " Andrew Ammerlaan 0 siblings, 2 replies; 5+ messages in thread From: Andrew Ammerlaan @ 2023-06-15 9:50 UTC (permalink / raw To: gentoo-dev From fc8894ff62b45cc7a4148a9f6ba51f1afe7b920a Mon Sep 17 00:00:00 2001 From: Andrew Ammerlaan <andrewammerlaan@gentoo.org> Date: Thu, 8 Jun 2023 20:44:58 +0200 Subject: [PATCH] sys-kernel/gentoo-kernel: add USE="modules-sign" - Enable module signing configure options if requested by the user. - Respect the linux-mod-r1.eclass variables MODULES_SIGN_HASH and MODULES_SIGN_KEY, - Warn the user if we are letting the kernel build system generate the signing key. This key will end up binary packages. Plus external modules will have to be resigned if gentoo-kernel is re-emerged (i.e. a new key was generated). Bug: https://bugs.gentoo.org/881651 Bug: https://bugs.gentoo.org/814344 Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org> --- ...8.ebuild => gentoo-kernel-6.3.8.ebuild} | 45 ++++++++++++++++++- 1 file changed, 44 insertions(+), 1 deletion(-) rename sys-kernel/gentoo-kernel/{gentoo-kernel-6.3.8.ebuild => gentoo-kernel-6.3.8-r1.ebuild} (71%) diff --git a/sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8.ebuild b/sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8-r1.ebuild similarity index 71% rename from sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8.ebuild rename to sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8-r1.ebuild index fd81855a6140a..4bc03564efbe0 100644 --- a/sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8.ebuild +++ b/sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8-r1.ebuild @@ -44,7 +44,7 @@ S=${WORKDIR}/${MY_P} LICENSE="GPL-2" KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ppc ~ppc64 ~riscv ~x86" -IUSE="debug hardened" +IUSE="debug hardened modules-sign" REQUIRED_USE="arm? ( savedconfig ) hppa? ( savedconfig ) riscv? ( savedconfig )" 
@@ -136,5 +136,48 @@ src_prepare() { merge_configs+=( "${dist_conf_path}/big-endian.config" ) fi + if use modules-sign; then + : "${MODULES_SIGN_HASH:=sha512}" + cat <<-EOF > "${WORKDIR}/modules-sign.config" || die + ## Enable module signing + CONFIG_MODULE_SIG=y + CONFIG_MODULE_SIG_ALL=y + CONFIG_MODULE_SIG_FORCE=y + CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y + EOF + if [[ -n "${MODULES_SIGN_KEY}" ]]; then + if [[ -e "${MODULES_SIGN_KEY}" ]]; then + echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \ + >> "${WORKDIR}/modules-sign.config" + else + die "MODULES_SIGN_KEY=${MODULES_SIGN_KEY} not found!" + fi + fi + merge_configs+=( "${WORKDIR}/modules-sign.config" ) + fi + kernel-build_merge_configs "${merge_configs[@]}" } + +pkg_postinst() { + kernel-build_pkg_postinst + if use modules-sign; then + if [[ -z "${MODULES_SIGN_KEY}" ]]; then + ewarn "" + ewarn "MODULES_SIGN_KEY was not set, this means the kernel build system" + ewarn "automatically generated the signing key. This key was installed" + ewarn "in ${EROOT}/usr/src/linux-${PV}${KV_LOCALVERSION}/certs" + ewarn "and will also be included in any binary packages." + ewarn "Please take appropriate action to protect the key!" + ewarn "" + ewarn "Recompiling this package causes a new key to be generated. As" + ewarn "a result any external kernel modules will need to be resigned." + ewarn "Use emerge @module-rebuild, or manually sign the modules as" + ewarn "described on the wiki [1]" + ewarn "" + ewarn "Consider using the MODULES_SIGN_KEY variable to use an external key." + ewarn "" + ewarn "[1]: https://wiki.gentoo.org/wiki/Signed_kernel_module_support" + fi + fi +} ^ permalink raw reply related [flat|nested] 5+ messages in thread
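Review bot: `MODULES_SIGN_HASH` is expanded straight into `CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y` in src_prepare without being checked against the supported algorithms. A mistyped or unsupported value would produce a symbol that presumably does not exist, so the build would likely continue with whatever hash the base config selects and the user would not be told. A guard before the heredoc would turn that into a hard error: `case ${MODULES_SIGN_HASH} in sha512|sha384|sha256|sha224|sha1) ;; *) die "Unsupported MODULES_SIGN_HASH=${MODULES_SIGN_HASH}" ;; esac` (the list is the one documented in the later eclass version of this patch). The same unvalidated expansion is carried into the kernel-build_merge_configs hunks of the v3 and v4 patches; src_prepare itself starts outside this hunk.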
* Re: [gentoo-dev] [PATCH 2/2] kernel-build.eclass: add USE="modules-sign" 2023-06-15 9:50 [gentoo-dev] [PATCH 2/2] kernel-build.eclass: add USE="modules-sign" Andrew Ammerlaan @ 2023-06-15 9:59 ` Florian Schmaus 2023-06-15 10:03 ` Andrew Ammerlaan 2023-06-17 18:13 ` [gentoo-dev] [PATCH 2/2 v3] " Andrew Ammerlaan 1 sibling, 1 reply; 5+ messages in thread From: Florian Schmaus @ 2023-06-15 9:59 UTC (permalink / raw To: gentoo-dev On 15.06.23 11:50, Andrew Ammerlaan wrote: > From fc8894ff62b45cc7a4148a9f6ba51f1afe7b920a Mon Sep 17 00:00:00 2001 > From: Andrew Ammerlaan <andrewammerlaan@gentoo.org> > Date: Thu, 8 Jun 2023 20:44:58 +0200 > Subject: [PATCH] sys-kernel/gentoo-kernel: add USE="modules-sign" > > - Enable module signing configure options if requested by the user. > - Respect the linux-mod-r1.eclass variables MODULES_SIGN_HASH and > MODULES_SIGN_KEY, > - Warn the user if we are letting the kernel build system generate > the signing key. This key will end up binary packages. Plus external > modules will have to be resigned if gentoo-kernel is re-emerged (i.e. a > new key was generated). > > Bug: https://bugs.gentoo.org/881651 > Bug: https://bugs.gentoo.org/814344 > Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org> > --- > ...8.ebuild => gentoo-kernel-6.3.8.ebuild} | 45 ++++++++++++++++++- > 1 file changed, 44 insertions(+), 1 deletion(-) > rename sys-kernel/gentoo-kernel/{gentoo-kernel-6.3.8.ebuild => > gentoo-kernel-6.3.8-r1.ebuild} (71%) > > diff --git a/sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8.ebuild > b/sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8-r1.ebuild > similarity index 71% > rename from sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8.ebuild > rename to sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8-r1.ebuild > index fd81855a6140a..4bc03564efbe0 100644 > --- a/sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8.ebuild > +++ b/sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8-r1.ebuild 
> @@ -44,7 +44,7 @@ S=${WORKDIR}/${MY_P} > > LICENSE="GPL-2" > KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ppc ~ppc64 ~riscv ~x86" > -IUSE="debug hardened" > +IUSE="debug hardened modules-sign" > REQUIRED_USE="arm? ( savedconfig ) > hppa? ( savedconfig ) > riscv? ( savedconfig )" 
> @@ -136,5 +136,48 @@ src_prepare() { > merge_configs+=( "${dist_conf_path}/big-endian.config" ) > fi > > + if use modules-sign; then > + : "${MODULES_SIGN_HASH:=sha512}" > + cat <<-EOF > "${WORKDIR}/modules-sign.config" || die > + ## Enable module signing > + CONFIG_MODULE_SIG=y > + CONFIG_MODULE_SIG_ALL=y > + CONFIG_MODULE_SIG_FORCE=y > + CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y > + EOF > + if [[ -n "${MODULES_SIGN_KEY}" ]]; then > + if [[ -e "${MODULES_SIGN_KEY}" ]]; then > + echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \ > + >> "${WORKDIR}/modules-sign.config" > + else > + die "MODULES_SIGN_KEY=${MODULES_SIGN_KEY} not found!" > + fi > + fi > + merge_configs+=( "${WORKDIR}/modules-sign.config" ) > + fi > + > kernel-build_merge_configs "${merge_configs[@]}" > } > + > +pkg_postinst() { > + kernel-build_pkg_postinst > + if use modules-sign; then > + if [[ -z "${MODULES_SIGN_KEY}" ]]; then > + ewarn "" You can drop the empty string argument and simply just write ewarn. And I am not sure if we really need a leading empty ewarn line, but this appears to be a common idiom. > + ewarn "MODULES_SIGN_KEY was not set, this means the kernel > build system" > + ewarn "automatically generated the signing key. This key > was installed" > + ewarn "in > ${EROOT}/usr/src/linux-${PV}${KV_LOCALVERSION}/certs" > + ewarn "and will also be included in any binary packages." > + ewarn "Please take appropriate action to protect the key!" > + ewarn "" > + ewarn "Recompiling this package causes a new key to be > generated. As" > + ewarn "a result any external kernel modules will need to be > resigned." > + ewarn "Use emerge @module-rebuild, or manually sign the > modules as" > + ewarn "described on the wiki [1]" > + ewarn "" > + ewarn "Consider using the MODULES_SIGN_KEY variable to use > an external key." > + ewarn "" > + ewarn "[1]: > https://wiki.gentoo.org/wiki/Signed_kernel_module_support" > + fi > + fi > +} - Flow ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [gentoo-dev] [PATCH 2/2] kernel-build.eclass: add USE="modules-sign" 2023-06-15 9:59 ` Florian Schmaus @ 2023-06-15 10:03 ` Andrew Ammerlaan 0 siblings, 0 replies; 5+ messages in thread From: Andrew Ammerlaan @ 2023-06-15 10:03 UTC (permalink / raw To: gentoo-dev On 15/06/2023 11:59, Florian Schmaus wrote: > On 15.06.23 11:50, Andrew Ammerlaan wrote: >> +pkg_postinst() { >> + kernel-build_pkg_postinst >> + if use modules-sign; then >> + if [[ -z "${MODULES_SIGN_KEY}" ]]; then >> + ewarn "" > > You can drop the empty string argument and simply just write ewarn. Thanks, > And I am not sure if we really need a leading empty ewarn line, but this > appears to be a common idiom. IMO It looks a bit better because kernel-build_pkg_postinst will also print some elog messages. The empty line makes it clearer that this is a separate message. Best regards, Andrew ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [gentoo-dev] [PATCH 2/2 v3] kernel-build.eclass: add USE="modules-sign" 2023-06-15 9:50 [gentoo-dev] [PATCH 2/2] kernel-build.eclass: add USE="modules-sign" Andrew Ammerlaan 2023-06-15 9:59 ` Florian Schmaus @ 2023-06-17 18:13 ` Andrew Ammerlaan 2023-06-20 18:16 ` [gentoo-dev] [PATCH 2/2 v4] " Andrew Ammerlaan 1 sibling, 1 reply; 5+ messages in thread From: Andrew Ammerlaan @ 2023-06-17 18:13 UTC (permalink / raw To: gentoo-dev Split the patch in two pieces and changed the name of the pre-inherit variable to KERNEL_IUSE_MODULES_SIGN. Plus some quotation fixes. From e019e78448376b04c91397c7efc60ee72c24bf93 Mon Sep 17 00:00:00 2001 From: Andrew Ammerlaan <andrewammerlaan@gentoo.org> Date: Thu, 15 Jun 2023 21:10:02 +0200 Subject: [PATCH] kernel-build.eclass: add IUSE="modules-sign" - Enable module signing configure options if requested by the user. - Define the user variables MODULES_SIGN_HASH and MODULES_SIGN_KEY. For controlling the used hashing algorithm and allowing the use of external keys. These variables are the same as in linux-mod-r1.eclass - Warn the user if we are letting the kernel build system generate the signing key. This key will end up binary packages. Plus external modules will have to be resigned if gentoo-kernel is re-emerged (i.e. a new key was generated). Bug: https://bugs.gentoo.org/814344 Bug: https://bugs.gentoo.org/881651 Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org> --- eclass/kernel-build.eclass | 90 +++++++++++++++++++++++++++++++++++++- 1 file changed, 89 insertions(+), 1 deletion(-) diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass index abfb01720817a..d28a74ef05758 100644 --- a/eclass/kernel-build.eclass +++ b/eclass/kernel-build.eclass 
@@ -43,6 +43,48 @@ BDEPEND=" IUSE="+strip" +# @ECLASS_VARIABLE: KERNEL_IUSE_MODULES_SIGN +# @PRE_INHERIT +# @DEFAULT_UNSET +# @DESCRIPTION: +# If set to a non-null value, adds IUSE=modules-sign and required +# logic to manipulate the kernel config while respecting the +# MODULES_SIGN_HASH and MODULES_SIGN_KEY user variables. + +# @ECLASS_VARIABLE: MODULES_SIGN_HASH +# @USER_VARIABLE +# @DEFAULT_UNSET +# @DESCRIPTION: +# Used with USE=modules-sign. Can be set to hash algorithm to use +# during signature generation (CONFIG_MODULE_SIG_SHA256). +# +# Valid values: sha512,sha384,sha256,sha224,sha1 +# +# Default if unset: sha512 + +# @ECLASS_VARIABLE: MODULES_SIGN_KEY +# @USER_VARIABLE +# @DEFAULT_UNSET +# @DESCRIPTION: +# Used with USE=modules-sign. Can be set to the path of the private +# key in PEM format to use, or a PKCS#11 URI (CONFIG_MODULE_SIG_KEY). +# +# If path is relative (e.g. "certs/name.pem"), it is assumed to be +# relative to the kernel build directory being used. +# +# If the key requires a passphrase or PIN, the used kernel sign-file +# utility recognizes the KBUILD_SIGN_PIN environment variable. Be +# warned that the package manager may store this value in binary +# packages, database files, temporary files, and possibly logs. This +# eclass unsets the variable after use to mitigate the issue (notably +# for shared binary packages), but use this with care. +# +# Default if unset: certs/signing_key.pem + +if [[ -n ${KERNEL_IUSE_MODULES_SIGN} ]]; then + IUSE+=" modules-sign" +fi + # @FUNCTION: kernel-build_src_configure # @DESCRIPTION: # Prepare the toolchain for building the kernel, get the default .config @@ -259,6 +301,9 @@ kernel-build_src_install() { dosym "../../../${kernel_dir}" "/lib/modules/${module_ver}/build" dosym "../../../${kernel_dir}" "/lib/modules/${module_ver}/source" + # unset to at least be out of the environment file in, e.g. shared binpkgs + unset KBUILD_SIGN_PIN + save_config build/.config } 
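Review bot: In the `@@ -259,6 +301,9 @@` hunk, `unset KBUILD_SIGN_PIN` is reached only when kernel-build_src_install runs through to this line, so a build that dies in an earlier phase, or earlier in this function, never clears it. Presumably the PIN then stays in whatever environment and temporary files the package manager kept for the failed build, which the MODULES_SIGN_KEY description already names as a risk. The comment should state that limit, for example `# Reached only on a successful install; after a failed build the PIN may remain in the build's temporary files.` The v4 patch carries the same line, and kernel-build_src_install starts outside the hunk.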
@@ -268,6 +313,26 @@ kernel-build_src_install() { kernel-build_pkg_postinst() { kernel-install_pkg_postinst savedconfig_pkg_postinst + + if [[ -n ${KERNEL_IUSE_MODULES_SIGN} ]]; then + if use modules-sign && [[ -z "${MODULES_SIGN_KEY}" ]]; then + ewarn + ewarn "MODULES_SIGN_KEY was not set, this means the kernel build system" + ewarn "automatically generated the signing key. This key was installed" + ewarn "in ${EROOT}/usr/src/linux-${PV}${KV_LOCALVERSION}/certs" + ewarn "and will also be included in any binary packages." + ewarn "Please take appropriate action to protect the key!" + ewarn + ewarn "Recompiling this package causes a new key to be generated. As" + ewarn "a result any external kernel modules will need to be resigned." + ewarn "Use emerge @module-rebuild, or manually sign the modules as" + ewarn "described on the wiki [1]" + ewarn + ewarn "Consider using the MODULES_SIGN_KEY variable to use an external key." + ewarn + ewarn "[1]: https://wiki.gentoo.org/wiki/Signed_kernel_module_support" + fi + fi } # @FUNCTION: kernel-build_merge_configs 
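Review bot: The warning is keyed on `MODULES_SIGN_KEY` being empty when pkg_postinst runs, not on whether a generated private key was actually installed. When the package is installed from a binary package, the variable seen here may not match the one used at build time (this cannot be confirmed from the hunk), so the warning could be absent on exactly the hosts that received a key generated elsewhere. Testing the installed file would be more reliable, e.g. `[[ -e ${EROOT}/usr/src/linux-${PV}${KV_LOCALVERSION}/certs/signing_key.pem ]]`, using the default key name given in the MODULES_SIGN_KEY description. The same variable-based check appears in the v1 ebuild's pkg_postinst and in the v4 version of this hunk.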
@@ -290,16 +355,39 @@ kernel-build_merge_configs() { local user_configs=( "${BROOT}"/etc/kernel/config.d/*.config ) shopt -u nullglob + local merge_configs=( "${@}" ) + + if [[ -n ${KERNEL_IUSE_MODULES_SIGN} ]]; then + if use modules-sign; then + : "${MODULES_SIGN_HASH:=sha512}" + cat <<-EOF > "${WORKDIR}/modules-sign.config" || die + ## Enable module signing + CONFIG_MODULE_SIG=y + CONFIG_MODULE_SIG_ALL=y + CONFIG_MODULE_SIG_FORCE=y + CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y + EOF + if [[ -e "${MODULES_SIGN_KEY}" ]]; then + echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \ + >> "${WORKDIR}/modules-sign.config" + elif [[ -n "${MODULES_SIGN_KEY}" ]]; then + die "MODULES_SIGN_KEY=${MODULES_SIGN_KEY} not found!" + fi + merge_configs+=( "${WORKDIR}/modules-sign.config" ) + fi + fi + if [[ ${#user_configs[@]} -gt 0 ]]; then elog "User config files are being applied:" local x for x in "${user_configs[@]}"; do elog "- ${x}" done + merge_configs+=( "${user_configs[@]}" ) fi ./scripts/kconfig/merge_config.sh -m -r \ - .config "${@}" "${user_configs[@]}" || die + .config "${merge_configs[@]}" || die } fi ^ permalink raw reply related [flat|nested] 5+ messages in thread
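Review bot: `[[ -e "${MODULES_SIGN_KEY}" ]]` resolves a relative value against whatever directory is current in kernel-build_merge_configs and is also satisfied by a directory, while the MODULES_SIGN_KEY description added by this patch says relative paths are taken relative to the kernel build directory. A relative key path can therefore be rejected, or pass the check without being the file the build later reads; the hunk does not show which directory is current at this point. Consider requiring a readable regular file, `[[ -f ${MODULES_SIGN_KEY} && -r ${MODULES_SIGN_KEY} ]]`, and either resolving relative values against the build directory first or documenting that only absolute paths are verified. The v4 hunk keeps the same `-e` test, and the function starts outside the hunk.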
* Re: [gentoo-dev] [PATCH 2/2 v4] kernel-build.eclass: add USE="modules-sign" 2023-06-17 18:13 ` [gentoo-dev] [PATCH 2/2 v3] " Andrew Ammerlaan @ 2023-06-20 18:16 ` Andrew Ammerlaan 0 siblings, 0 replies; 5+ messages in thread From: Andrew Ammerlaan @ 2023-06-20 18:16 UTC (permalink / raw To: gentoo-dev Version 4 (and that's the last one, I promise), makes this work with pkcs11 uri's as well. Tested with my Nitrokey, it is (unsurprisingly) incredibly slow but it works. From 70415544a4aea458039f1abbbf9c7e112de846f3 Mon Sep 17 00:00:00 2001 From: Andrew Ammerlaan <andrewammerlaan@gentoo.org> Date: Thu, 15 Jun 2023 21:10:02 +0200 Subject: [PATCH] kernel-build.eclass: add IUSE="modules-sign" - Enable module signing configure options if requested by the user. - Define the user variables MODULES_SIGN_HASH and MODULES_SIGN_KEY. For controlling the used hashing algorithm and allowing the use of external keys. These variables are the same as in linux-mod-r1.eclass - Warn the user if we are letting the kernel build system generate the signing key. This key will end up binary packages. Plus external modules will have to be resigned if gentoo-kernel is re-emerged (i.e. a new key was generated). Bug: https://bugs.gentoo.org/814344 Bug: https://bugs.gentoo.org/881651 Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org> --- eclass/kernel-build.eclass | 90 +++++++++++++++++++++++++++++++++++++- 1 file changed, 89 insertions(+), 1 deletion(-) diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass index abfb01720817a..7d4e2133a04d2 100644 --- a/eclass/kernel-build.eclass +++ b/eclass/kernel-build.eclass 
@@ -43,6 +43,48 @@ BDEPEND=" IUSE="+strip" +# @ECLASS_VARIABLE: KERNEL_IUSE_MODULES_SIGN +# @PRE_INHERIT +# @DEFAULT_UNSET +# @DESCRIPTION: +# If set to a non-null value, adds IUSE=modules-sign and required +# logic to manipulate the kernel config while respecting the +# MODULES_SIGN_HASH and MODULES_SIGN_KEY user variables. + +# @ECLASS_VARIABLE: MODULES_SIGN_HASH +# @USER_VARIABLE +# @DEFAULT_UNSET +# @DESCRIPTION: +# Used with USE=modules-sign. Can be set to hash algorithm to use +# during signature generation (CONFIG_MODULE_SIG_SHA256). +# +# Valid values: sha512,sha384,sha256,sha224,sha1 +# +# Default if unset: sha512 + +# @ECLASS_VARIABLE: MODULES_SIGN_KEY +# @USER_VARIABLE +# @DEFAULT_UNSET +# @DESCRIPTION: +# Used with USE=modules-sign. Can be set to the path of the private +# key in PEM format to use, or a PKCS#11 URI (CONFIG_MODULE_SIG_KEY). +# +# If path is relative (e.g. "certs/name.pem"), it is assumed to be +# relative to the kernel build directory being used. +# +# If the key requires a passphrase or PIN, the used kernel sign-file +# utility recognizes the KBUILD_SIGN_PIN environment variable. Be +# warned that the package manager may store this value in binary +# packages, database files, temporary files, and possibly logs. This +# eclass unsets the variable after use to mitigate the issue (notably +# for shared binary packages), but use this with care. +# +# Default if unset: certs/signing_key.pem + +if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then + IUSE+=" modules-sign" +fi + # @FUNCTION: kernel-build_src_configure # @DESCRIPTION: # Prepare the toolchain for building the kernel, get the default .config @@ -259,6 +301,9 @@ kernel-build_src_install() { dosym "../../../${kernel_dir}" "/lib/modules/${module_ver}/build" dosym "../../../${kernel_dir}" "/lib/modules/${module_ver}/source" + # unset to at least be out of the environment file in, e.g. shared binpkgs + unset KBUILD_SIGN_PIN + save_config build/.config } 
@@ -268,6 +313,26 @@ kernel-build_src_install() { kernel-build_pkg_postinst() { kernel-install_pkg_postinst savedconfig_pkg_postinst + + if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then + if use modules-sign && [[ -z ${MODULES_SIGN_KEY} ]]; then + ewarn + ewarn "MODULES_SIGN_KEY was not set, this means the kernel build system" + ewarn "automatically generated the signing key. This key was installed" + ewarn "in ${EROOT}/usr/src/linux-${PV}${KV_LOCALVERSION}/certs" + ewarn "and will also be included in any binary packages." + ewarn "Please take appropriate action to protect the key!" + ewarn + ewarn "Recompiling this package causes a new key to be generated. As" + ewarn "a result any external kernel modules will need to be resigned." + ewarn "Use emerge @module-rebuild, or manually sign the modules as" + ewarn "described on the wiki [1]" + ewarn + ewarn "Consider using the MODULES_SIGN_KEY variable to use an external key." + ewarn + ewarn "[1]: https://wiki.gentoo.org/wiki/Signed_kernel_module_support" + fi + fi } # @FUNCTION: kernel-build_merge_configs 
@@ -290,16 +355,39 @@ kernel-build_merge_configs() { local user_configs=( "${BROOT}"/etc/kernel/config.d/*.config ) shopt -u nullglob + local merge_configs=( "${@}" ) + + if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then + if use modules-sign; then + : "${MODULES_SIGN_HASH:=sha512}" + cat <<-EOF > "${WORKDIR}/modules-sign.config" || die + ## Enable module signing + CONFIG_MODULE_SIG=y + CONFIG_MODULE_SIG_ALL=y + CONFIG_MODULE_SIG_FORCE=y + CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y + EOF + if [[ ${MODULES_SIGN_KEY} == pkcs11:* || -e ${MODULES_SIGN_KEY} ]]; then + echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \ + >> "${WORKDIR}/modules-sign.config" + elif [[ -n ${MODULES_SIGN_KEY} ]]; then + die "MODULES_SIGN_KEY=${MODULES_SIGN_KEY} not found!" + fi + merge_configs+=( "${WORKDIR}/modules-sign.config" ) + fi + fi + if [[ ${#user_configs[@]} -gt 0 ]]; then elog "User config files are being applied:" local x for x in "${user_configs[@]}"; do elog "- ${x}" done + merge_configs+=( "${user_configs[@]}" ) fi ./scripts/kconfig/merge_config.sh -m -r \ - .config "${@}" "${user_configs[@]}" || die + .config "${merge_configs[@]}" || die } fi ^ permalink raw reply related [flat|nested] 5+ messages in thread
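Review bot: A `pkcs11:` value is now written verbatim into `CONFIG_MODULE_SIG_KEY`, so a PIN embedded in the URI (the `pin-value` attribute of the PKCS#11 URI scheme) would land in modules-sign.config and in the merged .config, which the unchanged `save_config build/.config` line in kernel-build_src_install then stores. The `unset KBUILD_SIGN_PIN` mitigation does not cover that path. Rejecting such URIs before the `echo` keeps the secret out of the config: `[[ ${MODULES_SIGN_KEY} == *pin-value=* ]] && die "Do not embed the PIN in MODULES_SIGN_KEY, use KBUILD_SIGN_PIN"`. kernel-build_merge_configs starts outside the hunk.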