gentoo auto-resync : 21:06:2023 - 01:17:50

1 files changed, 112 insertions, 4 deletions

diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index 020557497ddc..963e020b3746 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -1,4 +1,4 @@
-# Copyright 2020-2022 Gentoo Authors
+# Copyright 2020-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 # @ECLASS: kernel-build.eclass
@@ -41,6 +41,50 @@ BDEPEND="
 	app-alternatives/yacc
 "
 
+IUSE="+strip"
+
+# @ECLASS_VARIABLE: KERNEL_IUSE_MODULES_SIGN
+# @PRE_INHERIT
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# If set to a non-null value, adds IUSE=modules-sign and required
+# logic to manipulate the kernel config while respecting the
+# MODULES_SIGN_HASH and MODULES_SIGN_KEY user variables.
+
+# @ECLASS_VARIABLE: MODULES_SIGN_HASH
+# @USER_VARIABLE
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# Used with USE=modules-sign.  Can be set to hash algorithm to use
+# during signature generation (CONFIG_MODULE_SIG_SHA256).
+#
+# Valid values: sha512,sha384,sha256,sha224,sha1
+#
+# Default if unset: sha512
+
+# @ECLASS_VARIABLE: MODULES_SIGN_KEY
+# @USER_VARIABLE
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# Used with USE=modules-sign.  Can be set to the path of the private
+# key in PEM format to use, or a PKCS#11 URI (CONFIG_MODULE_SIG_KEY).
+#
+# If path is relative (e.g. "certs/name.pem"), it is assumed to be
+# relative to the kernel build directory being used.
+#
+# If the key requires a passphrase or PIN, the used kernel sign-file
+# utility recognizes the KBUILD_SIGN_PIN environment variable.  Be
+# warned that the package manager may store this value in binary
+# packages, database files, temporary files, and possibly logs.  This
+# eclass unsets the variable after use to mitigate the issue (notably
+# for shared binary packages), but use this with care.
+#
+# Default if unset: certs/signing_key.pem
+
+if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
+	IUSE+=" modules-sign"
+fi
+
 # @FUNCTION: kernel-build_src_configure
 # @DESCRIPTION:
 # Prepare the toolchain for building the kernel, get the default .config
@@ -83,7 +127,7 @@ kernel-build_src_configure() {
 		LD="${LD}"
 		AR="$(tc-getAR)"
 		NM="$(tc-getNM)"
-		STRIP=":"
+		STRIP="$(tc-getSTRIP)"
 		OBJCOPY="$(tc-getOBJCOPY)"
 		OBJDUMP="$(tc-getOBJDUMP)"
 
@@ -176,8 +220,18 @@ kernel-build_src_install() {
 		targets+=( dtbs_install )
 	fi
 
+	# Use the kernel build system to strip, this ensures the modules
+	# are stripped *before* they are signed or compressed.
+	local strip_args
+	if use strip; then
+		strip_args="--strip-unneeded"
+	fi
+	# Modules were already stripped by the kernel build system
+	dostrip -x /lib/modules
+
 	emake O="${WORKDIR}"/build "${MAKEARGS[@]}" \
-		INSTALL_MOD_PATH="${ED}" INSTALL_PATH="${ED}/boot" "${targets[@]}"
+		INSTALL_MOD_PATH="${ED}" INSTALL_MOD_STRIP="${strip_args}" \
+		INSTALL_PATH="${ED}/boot" "${targets[@]}"
 
 	# note: we're using mv rather than doins to save space and time
 	# install main and arch-specific headers first, and scripts
@@ -217,6 +271,14 @@ kernel-build_src_install() {
 	local image_path=$(dist-kernel_get_image_path)
 	cp -p "build/${image_path}" "${ED}${kernel_dir}/${image_path}" || die
 
+	# If a key was generated, copy it so external modules can be signed
+	local suffix
+	for suffix in pem x509; do
+		if [[ -f "build/certs/signing_key.${suffix}" ]]; then
+			cp -p "build/certs/signing_key.${suffix}" "${ED}${kernel_dir}/certs" || die
+		fi
+	done
+
 	# building modules fails with 'vmlinux has no symtab?' if stripped
 	use ppc64 && dostrip -x "${kernel_dir}/${image_path}"
 
@@ -239,6 +301,9 @@ kernel-build_src_install() {
 	dosym "../../../${kernel_dir}" "/lib/modules/${module_ver}/build"
 	dosym "../../../${kernel_dir}" "/lib/modules/${module_ver}/source"
 
+	# unset to at least be out of the environment file in, e.g. shared binpkgs
+	unset KBUILD_SIGN_PIN
+
 	save_config build/.config
 }
 
@@ -248,6 +313,26 @@ kernel-build_src_install() {
 kernel-build_pkg_postinst() {
 	kernel-install_pkg_postinst
 	savedconfig_pkg_postinst
+
+	if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
+		if use modules-sign && [[ -z ${MODULES_SIGN_KEY} ]]; then
+			ewarn
+			ewarn "MODULES_SIGN_KEY was not set, this means the kernel build system"
+			ewarn "automatically generated the signing key. This key was installed"
+			ewarn "in ${EROOT}/usr/src/linux-${PV}${KV_LOCALVERSION}/certs"
+			ewarn "and will also be included in any binary packages."
+			ewarn "Please take appropriate action to protect the key!"
+			ewarn
+			ewarn "Recompiling this package causes a new key to be generated. As"
+			ewarn "a result any external kernel modules will need to be resigned."
+			ewarn "Use emerge @module-rebuild, or manually sign the modules as"
+			ewarn "described on the wiki [1]"
+			ewarn
+			ewarn "Consider using the MODULES_SIGN_KEY variable to use an external key."
+			ewarn
+			ewarn "[1]: https://wiki.gentoo.org/wiki/Signed_kernel_module_support"
+		fi
+	fi
 }
 
 # @FUNCTION: kernel-build_merge_configs
@@ -270,16 +355,39 @@ kernel-build_merge_configs() {
 	local user_configs=( "${BROOT}"/etc/kernel/config.d/*.config )
 	shopt -u nullglob
 
+	local merge_configs=( "${@}" )
+
+	if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
+		if use modules-sign; then
+			: "${MODULES_SIGN_HASH:=sha512}"
+			cat <<-EOF > "${WORKDIR}/modules-sign.config" || die
+				## Enable module signing
+				CONFIG_MODULE_SIG=y
+				CONFIG_MODULE_SIG_ALL=y
+				CONFIG_MODULE_SIG_FORCE=y
+				CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y
+			EOF
+			if [[ ${MODULES_SIGN_KEY} == pkcs11:* || -e ${MODULES_SIGN_KEY} ]]; then
+				echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \
+					>> "${WORKDIR}/modules-sign.config"
+			elif [[ -n ${MODULES_SIGN_KEY} ]]; then
+				die "MODULES_SIGN_KEY=${MODULES_SIGN_KEY} not found!"
+			fi
+			merge_configs+=( "${WORKDIR}/modules-sign.config" )
+		fi
+	fi
+
 	if [[ ${#user_configs[@]} -gt 0 ]]; then
 		elog "User config files are being applied:"
 		local x
 		for x in "${user_configs[@]}"; do
 			elog "- ${x}"
 		done
+		merge_configs+=( "${user_configs[@]}" )
 	fi
 
 	./scripts/kconfig/merge_config.sh -m -r \
-		.config "${@}" "${user_configs[@]}" || die
+		.config "${merge_configs[@]}"  || die
 }
 
 fi