List:       gentoo-dev
Subject:    Re: [gentoo-dev] [PATCH 1/3 v2] kernel-build.eclass: sign the kernel image earlier in, src_install
From:       Andrew Ammerlaan <andrewammerlaan () gentoo ! org>
Date:       2023-08-27 19:33:17
Message-ID: caee4466-4c35-4291-8ef0-3071a79e4d42 () gentoo ! org

From 11c08f41e858561bd71fc5f19b612a7fd365b14a Mon Sep 17 00:00:00 2001
From: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Date: Sat, 26 Aug 2023 21:26:46 +0200
Subject: [PATCH] kernel-build.eclass: sign the kernel image earlier in
  src_install

By signing it in src_install instead of pkg_postinst the signed version is
included in any generated binpkg. This is useful for enabling secureboot
on machines that do not have the secureboot private key available.

This change makes it possible to distribute a signed kernel image in
sys-kernel/gentoo-kernel-bin.

Note, UKIs are always generated locally, so if UKIs are used these will
still have to be signed in pkg_postinst and therefore the private key is
still required on all systems with USE=secureboot and uefi=yes in
dracut.conf.

Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
---
 eclass/kernel-build.eclass | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index 5b324e036c5f9..ca105ee1f1330 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -33,6 +33,7 @@ if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
  	# If we have enabled module signing IUSE
  	# then we can also enable secureboot IUSE
  	KERNEL_IUSE_SECUREBOOT=1
+	inherit secureboot
  fi

  inherit multiprocessing python-any-r1 savedconfig toolchain-funcs 
kernel-install
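Review bot: the new `inherit secureboot` is placed inside the `if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]` block, while the src_install hunk further down gates its call to `secureboot_sign_efi_file` on `KERNEL_IUSE_SECUREBOOT` alone; this only holds together as long as `KERNEL_IUSE_SECUREBOOT=1` is set nowhere except in this block. If an ebuild ever sets `KERNEL_IUSE_SECUREBOOT` without `KERNEL_IUSE_MODULES_SIGN`, the secureboot eclass is never inherited and the install phase fails on an undefined function. Consider keying the inherit on `KERNEL_IUSE_SECUREBOOT` instead, or extending the comment above (`# then we can also enable secureboot IUSE`) to state that secureboot support is only available together with module signing.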
@@ -348,6 +349,10 @@ kernel-build_src_install() {
  	dosym "../../../${kernel_dir}" "/lib/modules/${module_ver}/build"
  	dosym "../../../${kernel_dir}" "/lib/modules/${module_ver}/source"

+	if [[ ${KERNEL_IUSE_SECUREBOOT} ]]; then
+		secureboot_sign_efi_file "${ED}${kernel_dir}/${image_path}"
+	fi
+
  	# unset to at least be out of the environment file in, e.g. shared 
binpkgs
  	unset KBUILD_SIGN_PIN
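Review bot: the added `secureboot_sign_efi_file "${ED}${kernel_dir}/${image_path}"` call runs whenever `KERNEL_IUSE_SECUREBOOT` is set, with no `use secureboot` check in the hunk itself, so it relies on the eclass function returning early when the USE flag is off; please confirm that behaviour, because otherwise every build of such an ebuild would need the signing key at src_install time rather than only on systems that opt in. Separately, nothing in this patch touches the existing pkg_postinst signing the commit message refers to, so the non-UKI image may end up signed twice (once here, once at install) unless one of the later patches in this 3-part series adjusts it; a sentence in the commit message saying which patch handles that would save reviewers a trip through the rest of the series.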
