From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 853A1158008 for ; Thu, 15 Jun 2023 09:50:52 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 6E827E0973; Thu, 15 Jun 2023 09:50:22 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id C6942E096F for ; Thu, 15 Jun 2023 09:50:21 +0000 (UTC)
Message-ID:
Date: Thu, 15 Jun 2023 11:50:18 +0200
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-dev@lists.gentoo.org
Reply-to: gentoo-dev@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.11.0
Content-Language: en-US, nl-NL
To: gentoo-dev@lists.gentoo.org
From: Andrew Ammerlaan
Organization: Gentoo Linux
Subject: [gentoo-dev] [PATCH 2/2] kernel-build.eclass: add USE="modules-sign"
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Archives-Salt: 816484ed-ecf5-488e-a3d9-b0deb5e5a52c
X-Archives-Hash: 0e65996b8f3d42b72b802ff75c25982d

From fc8894ff62b45cc7a4148a9f6ba51f1afe7b920a Mon Sep 17 00:00:00 2001
From: Andrew Ammerlaan Date: Thu, 8 Jun 2023 20:44:58 +0200 Subject: [PATCH] sys-kernel/gentoo-kernel: add USE="modules-sign" - Enable module signing configure options if requested by the user. - Respect the linux-mod-r1.eclass variables MODULES_SIGN_HASH and MODULES_SIGN_KEY, - Warn the user if we are letting the kernel build system generate the signing key. This key will end up binary packages. Plus external modules will have to be resigned if gentoo-kernel is re-emerged (i.e. a new key was generated). Bug: https://bugs.gentoo.org/881651 Bug: https://bugs.gentoo.org/814344 Signed-off-by: Andrew Ammerlaan --- ...8.ebuild => gentoo-kernel-6.3.8.ebuild} | 45 ++++++++++++++++++- 1 file changed, 44 insertions(+), 1 deletion(-) rename sys-kernel/gentoo-kernel/{gentoo-kernel-6.3.8.ebuild => gentoo-kernel-6.3.8-r1.ebuild} (71%) diff --git a/sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8.ebuild b/sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8-r1.ebuild similarity index 71% rename from sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8.ebuild rename to sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8-r1.ebuild index fd81855a6140a..4bc03564efbe0 100644 --- a/sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8.ebuild +++ b/sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8-r1.ebuild @@ -44,7 +44,7 @@ S=${WORKDIR}/${MY_P} LICENSE="GPL-2" KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ppc ~ppc64 ~riscv ~x86" -IUSE="debug hardened" +IUSE="debug hardened modules-sign" REQUIRED_USE="arm? ( savedconfig ) hppa? ( savedconfig ) riscv? ( savedconfig )" 
@@ -136,5 +136,48 @@ src_prepare() { merge_configs+=( "${dist_conf_path}/big-endian.config" ) fi + if use modules-sign; then + : "${MODULES_SIGN_HASH:=sha512}" + cat <<-EOF > "${WORKDIR}/modules-sign.config" || die + ## Enable module signing + CONFIG_MODULE_SIG=y + CONFIG_MODULE_SIG_ALL=y + CONFIG_MODULE_SIG_FORCE=y + CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y + EOF + if [[ -n "${MODULES_SIGN_KEY}" ]]; then + if [[ -e "${MODULES_SIGN_KEY}" ]]; then + echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \ + >> "${WORKDIR}/modules-sign.config" + else + die "MODULES_SIGN_KEY=${MODULES_SIGN_KEY} not found!" + fi + fi + merge_configs+=( "${WORKDIR}/modules-sign.config" ) + fi + kernel-build_merge_configs "${merge_configs[@]}" } + +pkg_postinst() { + kernel-build_pkg_postinst + if use modules-sign; then + if [[ -z "${MODULES_SIGN_KEY}" ]]; then + ewarn "" + ewarn "MODULES_SIGN_KEY was not set, this means the kernel build system" + ewarn "automatically generated the signing key. This key was installed" + ewarn "in ${EROOT}/usr/src/linux-${PV}${KV_LOCALVERSION}/certs" + ewarn "and will also be included in any binary packages." + ewarn "Please take appropriate action to protect the key!" + ewarn "" + ewarn "Recompiling this package causes a new key to be generated. As" + ewarn "a result any external kernel modules will need to be resigned." + ewarn "Use emerge @module-rebuild, or manually sign the modules as" + ewarn "described on the wiki [1]" + ewarn "" + ewarn "Consider using the MODULES_SIGN_KEY variable to use an external key." + ewarn "" + ewarn "[1]: https://wiki.gentoo.org/wiki/Signed_kernel_module_support" + fi + fi +}
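Review bot: the `modules-sign` flag added to IUSE in the `@@ -44,7 +44,7 @@` hunk has no description anywhere in this patch; the diffstat lists only the renamed ebuild, so `metadata.xml` still needs a `<flag name="modules-sign">` entry (or the flag needs a global `use.desc` entry) before this can go in. The subject lines also disagree: the mail says `kernel-build.eclass: add USE="modules-sign"` while the commit message is `sys-kernel/gentoo-kernel: add USE="modules-sign"`; if other ebuilds built on kernel-build.eclass are meant to get the same flag, the config-fragment and warning logic belongs in the eclass rather than in this one ebuild.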
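Review bot: in the `@@ -136,5 +136,48 @@` hunk, `[[ -e "${MODULES_SIGN_KEY}" ]]` only proves that a path exists; it does not check that the file is the PEM holding both the private key and its certificate that `CONFIG_MODULE_SIG_KEY` expects, and it does not require an absolute path, so a relative value can pass the ebuild's test (evaluated from the ebuild's working directory) and then be resolved differently by the kernel's own build. Suggest `[[ "${MODULES_SIGN_KEY}" == /* ]] || die "MODULES_SIGN_KEY must be an absolute path"` together with a readability check (`-r`). Likewise `CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y` interpolates the user's value unchecked: a hash the kernel does not offer yields a symbol the config merge drops (at most a warning in the build log), and the kernel then silently falls back to its default, so a `case` whitelist with `die` on anything else would make that failure visible. Finally, the new `pkg_postinst` only warns that the auto-generated private key sits under `${EROOT}/usr/src/linux-${PV}${KV_LOCALVERSION}/certs` and ships inside binary packages; with `CONFIG_MODULE_SIG_FORCE=y` that private key is precisely what allows arbitrary modules to be loaded, so the ebuild should at least install `signing_key.pem` root-only (0600) in `src_install`, and consider not installing the private key at all, since the running kernel only needs the certificate compiled into it and the key is only required for signing out-of-tree modules.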