[gentoo-dev] [PATCH 1/2] kernel-build.eclass: add IUSE="strip", install generated keys

[Andrew Ammerlaan <andrewammerlaan@gentoo.org>]

 From 480e54c27d09ceeb1dab662fcb395c33f807402a Mon Sep 17 00:00:00 2001
From: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Date: Fri, 9 Jun 2023 10:36:18 +0200
Subject: [PATCH] kernel-build.eclass: add IUSE="strip", install 
generated keys

- Let the kernel build system handle stripping of the modules.
This is necessary for successfully signing and stripping
compressed modules. Inspired by linux-mod-r1.eclass.

- If the build system has generated keys or certificates,
install them. This is required to successfully sign
external kernel modules.

Closes: https://bugs.gentoo.org/814344
Closes: https://bugs.gentoo.org/881651
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
---
  eclass/kernel-build.eclass | 26 +++++++++++++++++++++++---
  1 file changed, 23 insertions(+), 3 deletions(-)

diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index da215a055a467..05a2b9459f5ff 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -1,4 +1,4 @@
-# Copyright 2020-2022 Gentoo Authors
+# Copyright 2020-2023 Gentoo Authors
  # Distributed under the terms of the GNU General Public License v2

  # @ECLASS: kernel-build.eclass
@@ -41,6 +41,8 @@ BDEPEND="
  	app-alternatives/yacc
  "

+IUSE="+strip"
+
  # @FUNCTION: kernel-build_src_configure
  # @DESCRIPTION:
  # Prepare the toolchain for building the kernel, get the default .config
@@ -83,7 +85,7 @@ kernel-build_src_configure() {
  		LD="${LD}"
  		AR="$(tc-getAR)"
  		NM="$(tc-getNM)"
-		STRIP=":"
+		STRIP="$(tc-getSTRIP)"
  		OBJCOPY="$(tc-getOBJCOPY)"
  		OBJDUMP="$(tc-getOBJDUMP)"

@@ -176,8 +178,18 @@ kernel-build_src_install() {
  		targets+=( dtbs_install )
  	fi

+	# Use the kernel build system to strip, this ensures the modules
+	# are stripped *before* they are signed or compressed.
+	local strip_args
+	if use strip; then
+		strip_args="--strip-unneeded"
+	fi
+	# Modules were already stripped by the kernel build system
+	dostrip -x /lib/modules
+
  	emake O="${WORKDIR}"/build "${MAKEARGS[@]}" \
-		INSTALL_MOD_PATH="${ED}" INSTALL_PATH="${ED}/boot" "${targets[@]}"
+		INSTALL_MOD_PATH="${ED}" INSTALL_MOD_STRIP="${strip_args}" \
+		INSTALL_PATH="${ED}/boot" "${targets[@]}"

  	# note: we're using mv rather than doins to save space and time
  	# install main and arch-specific headers first, and scripts
@@ -217,6 +229,14 @@ kernel-build_src_install() {
  	local image_path=$(dist-kernel_get_image_path)
  	cp -p "build/${image_path}" "${ED}${kernel_dir}/${image_path}" || die

+	# If a key was generated, copy it so external modules can be signed
+	if [[ -f build/certs/signing_key.pem ]]; then
+		cp -p "build/certs/signing_key.pem" "${ED}${kernel_dir}/certs" || die
+	fi
+	if [[ -f build/certs/signing_key.x509 ]]; then
+		cp -p "build/certs/signing_key.x509" "${ED}${kernel_dir}/certs" || die
+	fi
+
  	# building modules fails with 'vmlinux has no symtab?' if stripped
  	use ppc64 && dostrip -x "${kernel_dir}/${image_path}"