Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/eclass/kernel-build.eclass
diff options
context:
space:
mode:
authorViolet Purcell <vimproved@inventati.org>2023-11-27 12:12:09 -0500
committerAndrew Ammerlaan <andrewammerlaan@gentoo.org>2023-12-11 13:39:35 +0100
commit3e0c89e3b299928215dd505467e49f13f8bbbbd3 (patch)
treeae51300c1ea4013a58948c8342ad4874b76b2a9c /eclass/kernel-build.eclass
parentkernel-install.eclass: fix test phase on systemd systems (diff)
downloadgentoo-3e0c89e3b299928215dd505467e49f13f8bbbbd3.tar.gz
gentoo-3e0c89e3b299928215dd505467e49f13f8bbbbd3.tar.bz2
gentoo-3e0c89e3b299928215dd505467e49f13f8bbbbd3.zip
kernel-build.eclass: work around permissions issue with module signing
Currently, using a custom path for MODULES_SIGN_KEY requires the key to be readable by portage:portage. This is not ideal for security, since the file has to be either owned by portage:portage or readable by all users in this case. Instead, export the contents of MODULES_SIGN_KEY to a variable in pkg_setup, and then create a temporary file with it in src_configure to ensure that the temporary key is readable by the user that the kernel is being built as. The variable is then unset so it does not end up in the final environment file. Co-authored-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org> Signed-off-by: Violet Purcell <vimproved@inventati.org> Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Diffstat (limited to 'eclass/kernel-build.eclass')
-rw-r--r--eclass/kernel-build.eclass18
1 files changed, 12 insertions, 6 deletions
diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index f5529c319f9f..6b692dc4f9a0 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -114,6 +114,13 @@ kernel-build_pkg_setup() {
python-any-r1_pkg_setup
if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
secureboot_pkg_setup
+ if [[ -e ${MODULES_SIGN_KEY} && ${MODULES_SIGN_KEY} != pkcs11:* ]]; then
+ if [[ -e ${MODULES_SIGN_CERT} && ${MODULES_SIGN_CERT} != ${MODULES_SIGN_KEY} ]]; then
+ MODULES_SIGN_KEY_CONTENTS="$(cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" || die)"
+ else
+ MODULES_SIGN_KEY_CONTENTS="$(< "${MODULES_SIGN_KEY}")"
+ fi
+ fi
fi
}
@@ -422,12 +429,11 @@ kernel-build_merge_configs() {
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y
EOF
- if [[ -e ${MODULES_SIGN_KEY} && -e ${MODULES_SIGN_CERT} &&
- ${MODULES_SIGN_KEY} != ${MODULES_SIGN_CERT} &&
- ${MODULES_SIGN_KEY} != pkcs11:* ]]
- then
- cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" > "${T}/kernel_key.pem" || die
- MODULES_SIGN_KEY="${T}/kernel_key.pem"
+ if [[ -n ${MODULES_SIGN_KEY_CONTENTS} ]]; then
+ (umask 066 && touch "${T}/kernel_key.pem" || die)
+ echo "${MODULES_SIGN_KEY_CONTENTS}" > "${T}/kernel_key.pem" || die
+ unset MODULES_SIGN_KEY_CONTENTS
+ export MODULES_SIGN_KEY="${T}/kernel_key.pem"
fi
if [[ ${MODULES_SIGN_KEY} == pkcs11:* || -r ${MODULES_SIGN_KEY} ]]; then
echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \