* [gentoo-dev] [PATCH 1/2] kernel-build.eclass: fix kernel image signing on arm64 and riscv
@ 2023-09-02 10:26 Andrew Ammerlaan
2023-09-02 10:27 ` [gentoo-dev] [PATCH 2/2] dist-kernel-utils.eclass: support CONFIG_EFI_ZBOOT with USE=secureboot Andrew Ammerlaan
0 siblings, 1 reply; 2+ messages in thread
From: Andrew Ammerlaan @ 2023-09-02 10:26 UTC
To: gentoo-dev
From ae095ca61e87f647923d437fe0e8cbe1d18bd0eb Mon Sep 17 00:00:00 2001
From: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Date: Wed, 30 Aug 2023 18:38:43 +0200
Subject: [PATCH] kernel-build.eclass: fix kernel image signing on arm64 and
riscv
Arm64/riscv have no compressed kernel support. With CONFIG_EFI_ZBOOT enabled
the build system will build a bootable image with its own compressor that we
can then sign. With CONFIG_EFI_ZBOOT disabled we end up with a compressed
kernel image that must be uncompressed before signing and requires the
bootloader to uncompress it before it can boot.
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
---
eclass/kernel-build.eclass | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index ca105ee1f1330..0c40e8033fe29 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -436,6 +436,20 @@ kernel-build_merge_configs() {
fi
fi
+ if [[ ${KERNEL_IUSE_SECUREBOOT} ]]; then
+ if use secureboot; then
+ # This only effects arm64 and riscv where the bootable image may
+ # contain its own decompressor (zboot). If enabled we get a
+ # sign-able efi file.
+ cat <<-EOF > "${WORKDIR}/secureboot.config" || die
+ ## Enable zboot for signing
+ CONFIG_EFI_ZBOOT=y
+ EOF
+
+ merge_configs+=( "${WORKDIR}/secureboot.config" )
+ fi
+ fi
+
if [[ ${#user_configs[@]} -gt 0 ]]; then
elog "User config files are being applied:"
local x
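Review bot: The `secureboot.config` fragment is appended to `merge_configs` ahead of the "User config files are being applied" block, so if those user configs are merged after it, a user fragment that unsets CONFIG_EFI_ZBOOT would override it and USE=secureboot would no longer yield a sign-able EFI image. Consider appending this fragment after the user configs, or checking the final .config for `CONFIG_EFI_ZBOOT=y` and calling `die` with a clear message when it is missing. The fragment is also written and merged on every architecture even though the comment says it only matters on arm64 and riscv; an `ARCH` check around it would make that explicit. Minor: "effects" in the comment should be "affects".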
* Re: [gentoo-dev] [PATCH 2/2] dist-kernel-utils.eclass: support CONFIG_EFI_ZBOOT with USE=secureboot
2023-09-02 10:26 [gentoo-dev] [PATCH 1/2] kernel-build.eclass: fix kernel image signing on arm64 and riscv Andrew Ammerlaan
@ 2023-09-02 10:27 ` Andrew Ammerlaan
0 siblings, 0 replies; 2+ messages in thread
From: Andrew Ammerlaan @ 2023-09-02 10:27 UTC
To: gentoo-dev
From 59743aeaef2a1c163ba2150208995055964091d4 Mon Sep 17 00:00:00 2001
From: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Date: Thu, 31 Aug 2023 11:03:03 +0200
Subject: [PATCH] dist-kernel-utils.eclass: support CONFIG_EFI_ZBOOT with
USE=secureboot
This config option changes the name of the final image
Closes: https://bugs.gentoo.org/897684
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
---
eclass/dist-kernel-utils.eclass | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/eclass/dist-kernel-utils.eclass
b/eclass/dist-kernel-utils.eclass
index b2e9df6746e35..1a55424a97efd 100644
--- a/eclass/dist-kernel-utils.eclass
+++ b/eclass/dist-kernel-utils.eclass
@@ -71,8 +71,12 @@ dist-kernel_get_image_path() {
amd64|x86)
echo arch/x86/boot/bzImage
;;
- arm64)
- echo arch/arm64/boot/Image.gz
+ arm64|riscv)
+ if [[ ${KERNEL_IUSE_SECUREBOOT} ]] && use secureboot; then
+ echo arch/${ARCH}/boot/vmlinuz.efi
+ else
+ echo arch/${ARCH}/boot/Image.gz
+ fi
;;
arm)
echo arch/arm/boot/zImage
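Review bot: In the `arm64|riscv` branch the image path is selected from `use secureboot` alone, not from whether CONFIG_EFI_ZBOOT is actually enabled in the kernel that was built. If the option is overridden or unavailable, `arch/${ARCH}/boot/vmlinuz.efi` will not exist and callers will only fail later on a missing file, possibly after falling through to an unsigned image path elsewhere. Suggest deciding from the final .config (or verifying that the returned file exists and calling `die` otherwise), so that a secureboot build cannot silently proceed without the image that is meant to be signed. The function's eclass documentation should also state that its result now depends on KERNEL_IUSE_SECUREBOOT and USE=secureboot.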
@@ -83,9 +87,6 @@ dist-kernel_get_image_path() {
# substitutions in the code
echo ./vmlinux
;;
- riscv)
- echo arch/riscv/boot/Image.gz
- ;;
*)
die "${FUNCNAME}: unsupported ARCH=${ARCH}"
;;