author | Violet Purcell <vimproved@inventati.org> | 2023-08-12 16:59:14 -0400 |
committer | Andrew Ammerlaan <andrewammerlaan@gentoo.org> | 2023-08-21 10:38:26 +0200 |
commit | 72bea0951c0c1fb0019855a0219126690415409a (patch) | |
tree | a2e71c5741dd69c86cd8fef27ad90196b4c9c2ad /eclass/kernel-build.eclass | |
parent | profiles: Update GPL-COMPATIBLE and MISC-FREE license groups (diff) | |
kernel-build.eclass: Fix separate private and public module signing keys
The kernel expects CONFIG_MODULE_SIG_KEY to be either a pkcs11 URI
containing references to both a private and public key, or a path to a PEM
file containing both the private and public keys. However, currently the
kernel build will fail if MODULES_SIGNING_KEY is set to a PEM file
containing only the private key. This commit adds a step in
kernel-build_merge_configs that concatenates MODULES_SIGNING_KEY and
MODULES_SIGNING_CERT into ${T}/kernel_key.pem if both files exist and
are not the same path. It then sets MODULES_SIGNING_KEY to
${T}/kernel_key.pem. This should fix building with separate private and
public module signing keys.
Signed-off-by: Violet Purcell <vimproved@inventati.org>
Closes: https://github.com/gentoo/gentoo/pull/32275
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Diffstat (limited to 'eclass/kernel-build.eclass')
-rw-r--r-- | eclass/kernel-build.eclass | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index 49462df7d518..8cf7222dc8ab 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -57,7 +57,8 @@ IUSE="+strip"
 # @DESCRIPTION:
 # If set to a non-null value, adds IUSE=modules-sign and required
 # logic to manipulate the kernel config while respecting the
-# MODULES_SIGN_HASH and MODULES_SIGN_KEY user variables.
+# MODULES_SIGN_HASH, MODULES_SIGN_CERT, and MODULES_SIGN_KEY user
+# variables.
 
 # @ECLASS_VARIABLE: MODULES_SIGN_HASH
 # @USER_VARIABLE
@@ -89,6 +90,14 @@ IUSE="+strip"
 #
 # Default if unset: certs/signing_key.pem
 
+# @ECLASS_VARIABLE: MODULES_SIGN_CERT
+# @USER_VARIABLE
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# Used with USE=modules-sign. Can be set to the path of the public
+# key in PEM format to use. Must be specified if MODULES_SIGN_KEY
+# is set to a path of a file that only contains the private key.
+
 if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
 	IUSE+=" modules-sign"
 	REQUIRED_USE="secureboot? ( modules-sign )"
@@ -402,6 +411,13 @@ kernel-build_merge_configs() {
 		CONFIG_MODULE_SIG_FORCE=y
 		CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y
 	EOF
+	if [[ -e ${MODULES_SIGN_KEY} && -e ${MODULES_SIGN_CERT} &&
+		${MODULES_SIGN_KEY} != ${MODULES_SIGN_CERT} &&
+		${MODULES_SIGN_KEY} != pkcs11:* ]]
+	then
+		cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" > "${T}/kernel_key.pem" || die
+		MODULES_SIGN_KEY="${T}/kernel_key.pem"
+	fi
 	if [[ ${MODULES_SIGN_KEY} == pkcs11:* || -e ${MODULES_SIGN_KEY} ]]; then
 		echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \
 			>> "${WORKDIR}/modules-sign.config"
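Review bot: The `cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" > "${T}/kernel_key.pem"` line in the kernel-build_merge_configs hunk writes a copy of the private signing key with whatever mode the process umask yields, not the mode of the original key file, so the copy may be more widely readable than its source unless `${T}` itself is already restricted. Narrowing the umask for just that write avoids relying on the environment: `(umask 077 && cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" > "${T}/kernel_key.pem") || die "failed to assemble module signing key from MODULES_SIGN_CERT and MODULES_SIGN_KEY"`. The bare `|| die` would in any case benefit from that message, since the two preceding `-e` tests mean a failure here is a read or write error rather than a missing path. The `${MODULES_SIGN_KEY} != pkcs11:*` test is redundant with `-e ${MODULES_SIGN_KEY}` (a `pkcs11:` URI is not an existing path), though it is harmless as a statement of intent. The enclosing function starts and ends outside the hunk.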