author | V3n3RiX <venerix@koprulu.sector> | 2025-01-07 06:41:06 +0000 |
---|---|---|
committer | V3n3RiX <venerix@koprulu.sector> | 2025-01-07 06:41:06 +0000 |
commit | d69399c7befdd98cda62d6a1788ae2aa7f104c5e (patch) | |
tree | eac7184f4cfe7d67580c1d0a0d9942a91e6cb4ee /eclass/kernel-build.eclass | |
parent | e4d9d6796d5018e338f0b27a3bc97716195bf0b8 (diff) |
gentoo auto-resync : 07:01:2025 - 06:41:06
Diffstat (limited to 'eclass/kernel-build.eclass')
-rw-r--r-- | eclass/kernel-build.eclass | 19 |
1 files changed, 15 insertions, 4 deletions
diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index aae55d9e3ac5..65433d9fc9c0 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -137,6 +137,9 @@ fi
 kernel-build_pkg_setup() {
 python-any-r1_pkg_setup
 if [[ ${KERNEL_IUSE_MODULES_SIGN} && ${MERGE_TYPE} != binary ]]; then
+ # inherits linux-info to check config values for keys
+ # ensure KV_FULL will not be set globally, that breaks configure
+ local KV_FULL
 secureboot_pkg_setup
 if use modules-sign && [[ -n ${MODULES_SIGN_KEY} ]]; then
@@ -444,6 +447,11 @@ kernel-build_src_install() {
 # Copy built key/certificate files
 cp -p build/certs/* "${ED}${kernel_dir}/certs/" || die
+ # If a key was generated, exclude it from the binpkg
+ local generated_key=${ED}${kernel_dir}/certs/signing_key.pem
+ if [[ -r ${generated_key} ]]; then
+ mv "${generated_key}" "${T}/signing_key.pem" || die
+ fi
 # building modules fails with 'vmlinux has no symtab?' if stripped
 use ppc64 && dostrip -x "${kernel_dir}/${image_path}"
@@ -587,14 +595,18 @@ kernel-build_src_install() {
 done
 if [[ ${KERNEL_IUSE_MODULES_SIGN} ]] && use secureboot; then
+ # --pcrpkey is appended as is. If the certificate and key
+ # are in the same file, we could accidentally leak the key
+ # into the UKI. Pass the certificate through openssl to ensure
+ # that it truly contains *only* the certificate.
 openssl x509 \
 -in "${SECUREBOOT_SIGN_CERT}" -inform PEM \
 -out ${T}/pcrpkey.der -outform DER ||
 die "Failed to convert certificate to DER format"
+ -out "${T}/pcrpkey.pem" -outform PEM ||
+ die "Failed to extract certificate"
 ukify_args+=(
 --secureboot-private-key="${SECUREBOOT_SIGN_KEY}"
 --secureboot-certificate="${SECUREBOOT_SIGN_CERT}"
- --pcrpkey="${T}/pcrpkey.der"
+ --pcrpkey="${T}/pcrpkey.pem"
 --measure
 )
 if [[ ${SECUREBOOT_SIGN_KEY} == pkcs11:* ]]; then
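Review bot: The two comment lines added above `local KV_FULL` do not say who inherits linux-info or what assigns KV_FULL, so the reason for the local cannot be recovered from the hunk alone. Presumably the `secureboot_pkg_setup` call on the following line is what reaches linux-info and sets KV_FULL; if so, one comment such as `# secureboot_pkg_setup pulls in linux-info, which sets KV_FULL; keep it local because a global KV_FULL breaks configure` gives cause and consequence together. A bare `local KV_FULL` leaves the variable unset rather than empty inside this function, which is fine as long as nothing in the body reads it before linux-info assigns it. The body of kernel-build_pkg_setup continues outside the hunk.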
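Review bot: Moving the generated key out of `${ED}` leaves the surviving pkg_postinst text, which still says the key was installed in `${EROOT}/usr/src/linux-${KV_FULL}/certs` (the hunk at line 647), accurate only if a later phase restores `${T}/signing_key.pem` into the image; that restore is not in this diff, so it should be confirmed or the ewarn reworded. The key also still sits in `build/certs/` in the work directory after the `cp -p` above, so the build tree holds private material until it is cleaned, and a comment at the `mv` should say where the key now lives: `# key is parked in ${T} (per-build temp dir) so it never enters the binpkg`. `[[ -r ${generated_key} ]]` is also true for a readable directory; `-f` is the more precise test for a key file here.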
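Review bot: `-outform PEM` is the default for `openssl x509`, so the option is redundant; keeping it for explicitness is fine, but then the comment should say why the extraction exists even when the input is already PEM, e.g. `# openssl x509 re-emits only the certificate, so a PEM file that also carries the private key is reduced to the certificate before ukify embeds it`. The phrase "appended as is" in the added comment is vague; as far as I know ukify copies the --pcrpkey file verbatim into the .pcrpkey section of the UKI, which is the actual leak path, and naming that section makes the risk concrete. `--secureboot-certificate` is still handed the unfiltered `${SECUREBOOT_SIGN_CERT}`; that value is used for signing rather than embedded, so it is not the same exposure, but one sentence in the comment saying so would pre-empt the question. The enclosing kernel-build_src_install continues past the hunk.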
@@ -647,7 +659,6 @@ kernel-build_pkg_postinst() {
 ewarn "MODULES_SIGN_KEY was not set, this means the kernel build system"
 ewarn "automatically generated the signing key. This key was installed"
 ewarn "in ${EROOT}/usr/src/linux-${KV_FULL}/certs"
- ewarn "and will also be included in any binary packages."
 ewarn "Please take appropriate action to protect the key!"
 ewarn
 ewarn "Recompiling this package causes a new key to be generated. As" |