From: Andrew Ammerlaan
Organization: Gentoo Linux
To: gentoo-dev@lists.gentoo.org
Date: Thu, 15 Jun 2023 11:50:10 +0200
Subject: [gentoo-dev] [PATCH 1/2] kernel-build.eclass: add IUSE="strip", install generated keys

From 480e54c27d09ceeb1dab662fcb395c33f807402a Mon Sep 17 00:00:00 2001
From: Andrew Ammerlaan Date: Fri, 9 Jun 2023 10:36:18 +0200 Subject: [PATCH] kernel-build.eclass: add IUSE="strip", install generated keys - Let the kernel build system handle stripping of the modules. This is necessary for successfully signing and stripping compressed modules. Inspired by linux-mod-r1.eclass. - If the build system has generated keys or certificates, install them. This is required to successfully sign external kernel modules. Closes: https://bugs.gentoo.org/814344 Closes: https://bugs.gentoo.org/881651 Signed-off-by: Andrew Ammerlaan --- eclass/kernel-build.eclass | 26 +++++++++++++++++++++++--- 1 file changed, 23 insertions(+), 3 deletions(-) diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass index da215a055a467..05a2b9459f5ff 100644 --- a/eclass/kernel-build.eclass +++ b/eclass/kernel-build.eclass @@ -1,4 +1,4 @@ -# Copyright 2020-2022 Gentoo Authors +# Copyright 2020-2023 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 # @ECLASS: kernel-build.eclass @@ -41,6 +41,8 @@ BDEPEND=" app-alternatives/yacc " +IUSE="+strip" + # @FUNCTION: kernel-build_src_configure # @DESCRIPTION: # Prepare the toolchain for building the kernel, get the default .config @@ -83,7 +85,7 @@ kernel-build_src_configure() { LD="${LD}" AR="$(tc-getAR)" NM="$(tc-getNM)" - STRIP=":" + STRIP="$(tc-getSTRIP)" OBJCOPY="$(tc-getOBJCOPY)" OBJDUMP="$(tc-getOBJDUMP)" 
@@ -176,8 +178,18 @@ kernel-build_src_install() { targets+=( dtbs_install ) fi + # Use the kernel build system to strip, this ensures the modules + # are stripped *before* they are signed or compressed. + local strip_args + if use strip; then + strip_args="--strip-unneeded" + fi + # Modules were already stripped by the kernel build system + dostrip -x /lib/modules + emake O="${WORKDIR}"/build "${MAKEARGS[@]}" \ - INSTALL_MOD_PATH="${ED}" INSTALL_PATH="${ED}/boot" "${targets[@]}" + INSTALL_MOD_PATH="${ED}" INSTALL_MOD_STRIP="${strip_args}" \ + INSTALL_PATH="${ED}/boot" "${targets[@]}" # note: we're using mv rather than doins to save space and time # install main and arch-specific headers first, and scripts @@ -217,6 +229,14 @@ kernel-build_src_install() { local image_path=$(dist-kernel_get_image_path) cp -p "build/${image_path}" "${ED}${kernel_dir}/${image_path}" || die + # If a key was generated, copy it so external modules can be signed + if [[ -f build/certs/signing_key.pem ]]; then + cp -p "build/certs/signing_key.pem" "${ED}${kernel_dir}/certs" || die + fi + if [[ -f build/certs/signing_key.x509 ]]; then + cp -p "build/certs/signing_key.x509" "${ED}${kernel_dir}/certs" || die + fi + # building modules fails with 'vmlinux has no symtab?' if stripped use ppc64 && dostrip -x "${kernel_dir}/${image_path}"
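
Review bot: In the kernel-build_src_configure() hunk, STRIP="$(tc-getSTRIP)" is passed in MAKEARGS for every build, while USE=strip only gates INSTALL_MOD_STRIP in src_install. With USE=-strip, any other step of the kernel build that invokes $(STRIP) will now really strip, where STRIP=":" used to make that a no-op. If this is intended, add a one-line comment next to the assignment saying the flag only controls module stripping at install time; otherwise keep STRIP=":" when the flag is off.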
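
Review bot: In the kernel-build_src_install() hunk, the comment above "dostrip -x /lib/modules" ("Modules were already stripped by the kernel build system") does not match the code: the line runs before emake, and with USE=-strip strip_args stays empty, so nothing strips the modules at all. The exclusion is still required in both cases, because the module signature is appended to the module file and stripping after signing invalidates it. Suggest rewording the comment to state that reason, for example "Never let Portage strip /lib/modules: stripping a signed module breaks its signature".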
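
Review bot: In the "If a key was generated" block, the first cp installs build/certs/signing_key.pem, which holds the private module-signing key, into ${ED}${kernel_dir}/certs with only the mode that cp -p carries over from the build tree. The key therefore ends up in the installed image and in any binary package built from it, and anyone who can read the file can sign modules this kernel will accept. Suggest setting owner and mode explicitly after the copy (root-only, for example 0400) and saying in the commit message that the private key is shipped. Separately, nothing visible in this hunk creates the certs directory: if it does not exist, the first cp writes a regular file named certs and the second cp overwrites it with the x509 certificate, so create the directory before the two copies.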