From: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: [gentoo-dev] [PATCH 2/2] kernel-build.eclass: add USE="modules-sign"
Date: Thu, 15 Jun 2023 11:50:18 +0200
Message-ID: <d0a2ef46-14b5-29dc-8c52-9fa6fedb86ed@gentoo.org>
From fc8894ff62b45cc7a4148a9f6ba51f1afe7b920a Mon Sep 17 00:00:00 2001
From: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Date: Thu, 8 Jun 2023 20:44:58 +0200
Subject: [PATCH] sys-kernel/gentoo-kernel: add USE="modules-sign"
- Enable module signing configure options if requested by the user.
- Respect the linux-mod-r1.eclass variables MODULES_SIGN_HASH and
MODULES_SIGN_KEY.
- Warn the user if we are letting the kernel build system generate
the signing key. This key will end up in binary packages. Plus, external
modules will have to be re-signed if gentoo-kernel is re-emerged (i.e. a
new key was generated).
Bug: https://bugs.gentoo.org/881651
Bug: https://bugs.gentoo.org/814344
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
---
...8.ebuild => gentoo-kernel-6.3.8.ebuild} | 45 ++++++++++++++++++-
1 file changed, 44 insertions(+), 1 deletion(-)
rename sys-kernel/gentoo-kernel/{gentoo-kernel-6.3.8.ebuild =>
gentoo-kernel-6.3.8-r1.ebuild} (71%)
diff --git a/sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8.ebuild
b/sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8-r1.ebuild
similarity index 71%
rename from sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8.ebuild
rename to sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8-r1.ebuild
index fd81855a6140a..4bc03564efbe0 100644
--- a/sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8.ebuild
+++ b/sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8-r1.ebuild
@@ -44,7 +44,7 @@ S=${WORKDIR}/${MY_P}
LICENSE="GPL-2"
KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ppc ~ppc64 ~riscv ~x86"
-IUSE="debug hardened"
+IUSE="debug hardened modules-sign"
REQUIRED_USE="arm? ( savedconfig )
hppa? ( savedconfig )
riscv? ( savedconfig )"
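Review bot: the new modules-sign USE flag gets no description here; the diffstat shows only the ebuild being renamed and edited, so metadata.xml is not updated. Add a local flag description there (or, given that the mail subject says kernel-build.eclass while the embedded patch header says sys-kernel/gentoo-kernel, document it wherever the flag finally lives), and say in it that the flag also turns on CONFIG_MODULE_SIG_FORCE, because that is the part users will notice when an unsigned module refuses to load.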
@@ -136,5 +136,48 @@ src_prepare() {
merge_configs+=( "${dist_conf_path}/big-endian.config" )
fi
+ if use modules-sign; then
+ : "${MODULES_SIGN_HASH:=sha512}"
+ cat <<-EOF > "${WORKDIR}/modules-sign.config" || die
+ ## Enable module signing
+ CONFIG_MODULE_SIG=y
+ CONFIG_MODULE_SIG_ALL=y
+ CONFIG_MODULE_SIG_FORCE=y
+ CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y
+ EOF
+ if [[ -n "${MODULES_SIGN_KEY}" ]]; then
+ if [[ -e "${MODULES_SIGN_KEY}" ]]; then
+ echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \
+ >> "${WORKDIR}/modules-sign.config"
+ else
+ die "MODULES_SIGN_KEY=${MODULES_SIGN_KEY} not found!"
+ fi
+ fi
+ merge_configs+=( "${WORKDIR}/modules-sign.config" )
+ fi
+
kernel-build_merge_configs "${merge_configs[@]}"
}
+
+pkg_postinst() {
+ kernel-build_pkg_postinst
+ if use modules-sign; then
+ if [[ -z "${MODULES_SIGN_KEY}" ]]; then
+ ewarn ""
+ ewarn "MODULES_SIGN_KEY was not set, this means the kernel build system"
+ ewarn "automatically generated the signing key. This key was installed"
+ ewarn "in ${EROOT}/usr/src/linux-${PV}${KV_LOCALVERSION}/certs"
+ ewarn "and will also be included in any binary packages."
+ ewarn "Please take appropriate action to protect the key!"
+ ewarn ""
+ ewarn "Recompiling this package causes a new key to be generated. As"
+ ewarn "a result any external kernel modules will need to be resigned."
+ ewarn "Use emerge @module-rebuild, or manually sign the modules as"
+ ewarn "described on the wiki [1]"
+ ewarn ""
+ ewarn "Consider using the MODULES_SIGN_KEY variable to use an
external key."
+ ewarn ""
+ ewarn "[1]: https://wiki.gentoo.org/wiki/Signed_kernel_module_support"
+ fi
+ fi
+}
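Review bot: MODULES_SIGN_HASH is defaulted to sha512 but never validated, so any other value produces a CONFIG_MODULE_SIG_<NAME>=y line that matches no Kconfig symbol and is dropped during the merge instead of failing the build, leaving the hash choice at its Kconfig default without telling the user. Check it before writing the heredoc, e.g. `has "${MODULES_SIGN_HASH}" sha1 sha224 sha256 sha384 sha512 || die "Unsupported MODULES_SIGN_HASH=${MODULES_SIGN_HASH}"`. Two smaller points in the same hunk: the `-e` test assumes MODULES_SIGN_KEY is a file path, but CONFIG_MODULE_SIG_KEY also accepts a PKCS#11 URI, so either state that only a PEM file is supported or skip the existence check for values starting with `pkcs11:`; and CONFIG_MODULE_SIG_FORCE=y is set unconditionally while the commit message only says "enable module signing", so it should spell out that unsigned modules will be rejected once the flag is on, which is what makes the pkg_postinst @module-rebuild warning necessary.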
Thread overview: 5+ messages
2023-06-15 9:50 Andrew Ammerlaan [this message]
2023-06-15 9:59 ` [gentoo-dev] [PATCH 2/2] kernel-build.eclass: add USE="modules-sign" Florian Schmaus
2023-06-15 10:03 ` Andrew Ammerlaan
2023-06-17 18:13 ` [gentoo-dev] [PATCH 2/2 v3] " Andrew Ammerlaan
2023-06-20 18:16 ` [gentoo-dev] [PATCH 2/2 v4] " Andrew Ammerlaan