public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] [PATCH] kernel-install.eclass: enforce signed modules in test with, USE=modules-sign
@ 2023-08-26 18:10 Andrew Ammerlaan
From: Andrew Ammerlaan @ 2023-08-26 18:10 UTC
  To: gentoo-dev

This only has effect when building the gpkg for gentoo-kernel-bin which
overrides CONFIG_MODULE_SIG_FORCE. To ensure that the module signing
was successful we instruct the kernel to reject modules with an invalid
signature.

This has no effect on other kernel packages which already have
CONFIG_MODULE_SIG_FORCE=y.

Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
---
  eclass/kernel-install.eclass | 4 ++++
  1 file changed, 4 insertions(+)

diff --git a/eclass/kernel-install.eclass b/eclass/kernel-install.eclass
index 62fbb1dab0493..84d306c19f1ab 100644
--- a/eclass/kernel-install.eclass
+++ b/eclass/kernel-install.eclass
@@ -301,6 +301,10 @@ kernel-install_test() {
  			;;
  	esac

+	if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
+		use modules-sign && qemu_extra_append+=" module.sig_enforce=1 "
+	fi
+
  	cat > run.sh <<-EOF || die
  		#!/bin/sh
  		exec qemu-system-${qemu_arch} \
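
Review bot: the new block in kernel-install_test() has no comment saying why `module.sig_enforce=1` is appended, so the reasoning lives only in the commit message. A one-line comment above the `if` noting that this matters for kernel builds that override CONFIG_MODULE_SIG_FORCE would keep later readers from deleting it as redundant. The nested form can also be flattened into a single condition, `if [[ ${KERNEL_IUSE_MODULES_SIGN} ]] && use modules-sign; then`, which keeps the guard on `use` and drops the `&&` one-liner inside the body. Separately, the parameter only demonstrates that signing worked if the test guest actually loads at least one module under enforcement. Nothing in this hunk shows that, so it is worth confirming in the rest of the function or stating in the comment.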

