public inbox for gentoo-dev@lists.gentoo.org
From: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: [gentoo-dev] [PATCH 1/2] kernel-build.eclass: fix kernel image signing on arm64 and riscv
Date: Sat, 2 Sep 2023 12:26:58 +0200
Message-ID: <c35f99e3-6fec-4628-a5b4-05924f5c68fa@gentoo.org>

 From ae095ca61e87f647923d437fe0e8cbe1d18bd0eb Mon Sep 17 00:00:00 2001
From: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Date: Wed, 30 Aug 2023 18:38:43 +0200
Subject: [PATCH] kernel-build.eclass: fix kernel image signing on arm64 and
  riscv

Arm64/riscv have no compressed kernel support. With CONFIG_EFI_ZBOOT enabled
the build system will build a bootable image with its own compressor that we
can then sign. With CONFIG_EFI_ZBOOT disabled we end up with a compressed
kernel image that must be uncompressed before signing and requires the
bootloader to uncompress it before it can boot.

Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
---
  eclass/kernel-build.eclass | 14 ++++++++++++++
  1 file changed, 14 insertions(+)

diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index ca105ee1f1330..0c40e8033fe29 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -436,6 +436,20 @@ kernel-build_merge_configs() {
  		fi
  	fi

+	if [[ ${KERNEL_IUSE_SECUREBOOT} ]]; then
+		if use secureboot; then
+			# This only effects arm64 and riscv where the bootable image may
+			# contain its own decompressor (zboot). If enabled we get a
+			# sign-able efi file.
+			cat <<-EOF > "${WORKDIR}/secureboot.config" || die
+				## Enable zboot for signing
+				CONFIG_EFI_ZBOOT=y
+			EOF
+
+			merge_configs+=( "${WORKDIR}/secureboot.config" )
+		fi
+	fi
+
  	if [[ ${#user_configs[@]} -gt 0 ]]; then
  		elog "User config files are being applied:"
  		local x
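
Review bot: The in-code comment says this only affects arm64 and riscv, yet the fragment setting CONFIG_EFI_ZBOOT=y is appended to merge_configs on every architecture whenever USE=secureboot is set; either guard the block with an architecture check or reword the comment to state what happens on the other architectures. The comment should also read "affects" rather than "effects". The two nested conditions can be collapsed into one: `if [[ ${KERNEL_IUSE_SECUREBOOT} ]] && use secureboot; then`. Because the user_configs block follows directly below, please confirm whether a user fragment applied afterwards can switch CONFIG_EFI_ZBOOT back off; if it can, the signing step should check the final .config rather than assume zboot is enabled, since the commit message says the non-zboot image must be uncompressed before it can be signed.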

