author | V3n3RiX <venerix@koprulu.sector> | 2025-01-07 06:41:06 +0000 |
---|---|---|
committer | V3n3RiX <venerix@koprulu.sector> | 2025-01-07 06:41:06 +0000 |
commit | d69399c7befdd98cda62d6a1788ae2aa7f104c5e (patch) | |
tree | eac7184f4cfe7d67580c1d0a0d9942a91e6cb4ee /eclass | |
parent | e4d9d6796d5018e338f0b27a3bc97716195bf0b8 (diff) |
gentoo auto-resync : 07:01:2025 - 06:41:06
Diffstat (limited to 'eclass')
-rw-r--r-- | eclass/Manifest.gz | bin | 40177 -> 40180 bytes | |||
-rw-r--r-- | eclass/kernel-build.eclass | 19 | ||||
-rw-r--r-- | eclass/kernel-install.eclass | 15 | ||||
-rw-r--r-- | eclass/linux-mod-r1.eclass | 2 | ||||
-rw-r--r-- | eclass/secureboot.eclass | 149 |
5 files changed, 147 insertions, 38 deletions
diff --git a/eclass/Manifest.gz b/eclass/Manifest.gz Binary files differindex dfe37f2761e5..a0771df7b5fe 100644 --- a/eclass/Manifest.gz +++ b/eclass/Manifest.gz diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass index aae55d9e3ac5..65433d9fc9c0 100644 --- a/eclass/kernel-build.eclass +++ b/eclass/kernel-build.eclass @@ -137,6 +137,9 @@ fi kernel-build_pkg_setup() { python-any-r1_pkg_setup if [[ ${KERNEL_IUSE_MODULES_SIGN} && ${MERGE_TYPE} != binary ]]; then + # inherits linux-info to check config values for keys + # ensure KV_FULL will not be set globally, that breaks configure + local KV_FULL secureboot_pkg_setup if use modules-sign && [[ -n ${MODULES_SIGN_KEY} ]]; then @@ -444,6 +447,11 @@ kernel-build_src_install() { # Copy built key/certificate files cp -p build/certs/* "${ED}${kernel_dir}/certs/" || die + # If a key was generated, exclude it from the binpkg + local generated_key=${ED}${kernel_dir}/certs/signing_key.pem + if [[ -r ${generated_key} ]]; then + mv "${generated_key}" "${T}/signing_key.pem" || die + fi # building modules fails with 'vmlinux has no symtab?' if stripped use ppc64 && dostrip -x "${kernel_dir}/${image_path}" @@ -587,14 +595,18 @@ kernel-build_src_install() { done if [[ ${KERNEL_IUSE_MODULES_SIGN} ]] && use secureboot; then + # --pcrpkey is appended as is. If the certificate and key + # are in the same file, we could accidentally leak the key + # into the UKI. Pass the certificate through openssl to ensure + # that it truly contains *only* the certificate. openssl x509 \ -in "${SECUREBOOT_SIGN_CERT}" -inform PEM \ - -out ${T}/pcrpkey.der -outform DER || - die "Failed to convert certificate to DER format" + -out "${T}/pcrpkey.pem" -outform PEM || + die "Failed to extract certificate" ukify_args+=( --secureboot-private-key="${SECUREBOOT_SIGN_KEY}" --secureboot-certificate="${SECUREBOOT_SIGN_CERT}" - --pcrpkey="${T}/pcrpkey.der" + --pcrpkey="${T}/pcrpkey.pem" --measure ) if [[ ${SECUREBOOT_SIGN_KEY} == pkcs11:* ]]; then 
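Review bot: The `mv` of `signing_key.pem` into `${T}` keeps whatever mode `cp -p` carried over from `build/certs/`, so the private key is parked in the temp dir with the permissions the kernel build happened to give it until `pkg_preinst` copies it back under `umask 066`; I cannot see from these lines whether that mode is already restrictive. Tightening it at the point it is parked costs one line, `mv "${generated_key}" "${T}/signing_key.pem" && chmod 0600 "${T}/signing_key.pem" || die`, and makes the binpkg exclusion and the file mode independent of upstream build behaviour. kernel-build_src_install continues outside the hunk.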
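Review bot: The `openssl x509 ... -outform PEM` pass does ensure `pcrpkey.pem` contains no private material, but what ends up in the `.pcrpkey` section is still a full X.509 certificate rather than a bare public key; if the consumer of that section expects a PEM SubjectPublicKeyInfo, `openssl x509 -in "${SECUREBOOT_SIGN_CERT}" -inform PEM -pubkey -noout > "${T}/pcrpkey.pem" || die "Failed to extract public key"` satisfies both the leak-prevention goal and that format. I cannot confirm from this hunk which format ukify expects, so please check it against the ukify documentation before changing it. The combined key+cert file is still handed to `--secureboot-certificate`; a short comment stating why that path does not need the same extraction (only the certificate is read for signing, presumably) would save the next reader the same question.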
@@ -647,7 +659,6 @@ kernel-build_pkg_postinst() { ewarn "MODULES_SIGN_KEY was not set, this means the kernel build system" ewarn "automatically generated the signing key. This key was installed" ewarn "in ${EROOT}/usr/src/linux-${KV_FULL}/certs" - ewarn "and will also be included in any binary packages." ewarn "Please take appropriate action to protect the key!" ewarn ewarn "Recompiling this package causes a new key to be generated. As" diff --git a/eclass/kernel-install.eclass b/eclass/kernel-install.eclass index 6ca39e551110..1cc2bd0bb737 100644 --- a/eclass/kernel-install.eclass +++ b/eclass/kernel-install.eclass @@ -607,6 +607,15 @@ kernel-install_pkg_preinst() { [[ ! -d ${kernel_dir} ]] && die "Kernel directory ${kernel_dir} not installed!" + # We moved this in order to omit it from the binpkg, move it back + if [[ -r "${T}/signing_key.pem" ]]; then + # cp instead of mv to set owner to root in one go + ( + umask 066 && + cp "${T}/signing_key.pem" "${kernel_dir}/certs/signing_key.pem" + ) || die + fi + # perform the version check for release ebuilds only if [[ ${PV} != *9999 ]]; then local expected_ver=$(dist-kernel_PV_to_KV "${PV}") @@ -738,9 +747,9 @@ kernel-install_pkg_postinst() { kernel-install_pkg_postrm() { debug-print-function ${FUNCNAME} "$@" - if [[ ! ${KERNEL_IUSE_GENERIC_UKI} ]]; then - local kernel_dir=${EROOT}/usr/src/linux-${KV_FULL} - local image_path=$(dist-kernel_get_image_path) + local kernel_dir=${EROOT}/usr/src/linux-${KV_FULL} + local image_path=$(dist-kernel_get_image_path) + if [[ ! ${KERNEL_IUSE_GENERIC_UKI} && -d ${kernel_dir} ]]; then ebegin "Removing initramfs" rm -f "${kernel_dir}/${image_path%/*}"/{initrd,uki.efi} && find "${kernel_dir}" -depth -type d -empty -delete diff --git a/eclass/linux-mod-r1.eclass b/eclass/linux-mod-r1.eclass index f6a5d4f187d8..16c280219ef8 100644 --- a/eclass/linux-mod-r1.eclass +++ b/eclass/linux-mod-r1.eclass 
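Review bot: `umask 066 && cp` only yields a 0600 file when `cp` creates the destination; if `${kernel_dir}/certs/signing_key.pem` already exists in the image for any reason, `cp` keeps that file's existing mode. Since the intent is a root-owned 0600 key regardless of prior state, `install -m 0600 "${T}/signing_key.pem" "${kernel_dir}/certs/signing_key.pem" || die` states that directly and drops the subshell. The `-r "${T}/signing_key.pem"` guard presumably makes this a no-op for binary merges, whose `${T}` never held the key; a comment saying so would make the pairing with the `mv` in kernel-build_src_install explicit.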
@@ -333,7 +333,7 @@ linux-mod-r1_pkg_setup() { _MODULES_GLOBAL[ran:pkg_setup]=1 _modules_check_function ${#} 0 0 || return 0 - if [[ -z ${ROOT} && ${MODULES_INITRAMFS_IUSE} ]] && + if [[ ${MODULES_INITRAMFS_IUSE} ]] && use dist-kernel && use ${MODULES_INITRAMFS_IUSE#+} then # Check, but don't die because we can fix the problem and then diff --git a/eclass/secureboot.eclass b/eclass/secureboot.eclass index a854061719a9..7361465ee2d3 100644 --- a/eclass/secureboot.eclass +++ b/eclass/secureboot.eclass @@ -1,4 +1,4 @@ -# Copyright 1999-2024 Gentoo Authors +# Copyright 1999-2025 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 # @ECLASS: secureboot.eclass @@ -57,6 +57,13 @@ BDEPEND=" # @DESCRIPTION: # Used with USE=secureboot. Should be set to the path of the private # key in PEM format to use, or a PKCS#11 URI. +# If unspecified the following locations are tried in order: +# - /etc/portage/secureboot.pem +# - /var/lib/sbctl/keys/db/db.{key,pem} (from app-crypt/sbctl) +# - the MODULES_SIGN_KEY (and MODULES_SIGN_CERT if set) +# - the contents of CONFIG_MODULE_SIG_KEY in the current kernel +# If none of these exist, a new key will be generated at +# /etc/portage/secureboot.pem. # @ECLASS_VARIABLE: SECUREBOOT_SIGN_CERT # @USER_VARIABLE 
@@ -64,36 +71,13 @@ BDEPEND=" # @DESCRIPTION: # Used with USE=secureboot. Should be set to the path of the public # key certificate in PEM format to use. +# If unspecified the SECUREBOOT_SIGN_KEY is assumed to also contain the +# certificate belonging to it. if [[ -z ${_SECUREBOOT_ECLASS} ]]; then _SECUREBOOT_ECLASS=1 -# @FUNCTION: _secureboot_die_if_unset -# @INTERNAL -# @DESCRIPTION: -# If USE=secureboot is enabled die if the required user variables are unset -# and die if the keys can't be found. -_secureboot_die_if_unset() { - debug-print-function ${FUNCNAME} "$@" - use secureboot || return - - if [[ -z ${SECUREBOOT_SIGN_KEY} || -z ${SECUREBOOT_SIGN_CERT} ]]; then - die "USE=secureboot enabled but SECUREBOOT_SIGN_KEY and/or SECUREBOOT_SIGN_CERT not set." - fi - - # Sanity check: fail early if key/cert in DER format or does not exist - local openssl_args=( - -inform PEM -in "${SECUREBOOT_SIGN_CERT}" - -noout -nocert - ) - if [[ ${SECUREBOOT_SIGN_KEY} == pkcs11:* ]]; then - openssl_args+=( -engine pkcs11 -keyform ENGINE -key "${SECUREBOOT_SIGN_KEY}" ) - else - openssl_args+=( -keyform PEM -key "${SECUREBOOT_SIGN_KEY}" ) - fi - openssl x509 "${openssl_args[@]}" || - die "Secure Boot signing certificate or key not found or not PEM format." -} +inherit linux-info # @FUNCTION: secureboot_pkg_setup # @DESCRIPTION: 
@@ -105,7 +89,114 @@ secureboot_pkg_setup() { # If we are merging a binary then the files in this binary # are already signed, no need to check the variables. if [[ ${MERGE_TYPE} != binary ]]; then - _secureboot_die_if_unset + if [[ -z ${SECUREBOOT_SIGN_KEY} ]]; then + # No key specified, try some usual suspects + linux-info_pkg_setup + local module_sig_key= + if linux_config_exists MODULE_SIG_KEY; then + : "$(linux_chkconfig_string MODULE_SIG_KEY)" + module_sig_key=${_//\"} + # Convert to absolute path if required + if [[ ${module_sig_key} != pkcs11:* && + ${module_sig_key} != /* ]] + then + module_sig_key=${KV_OUT_DIR}/${module_sig_key} + fi + fi + + # Check both the SYSROOT and ROOT, like linux-info.eclass + ewarn "No Secure Boot signing key specified." + if [[ -r ${SYSROOT}/etc/portage/secureboot.pem ]]; then + ewarn "Using ${SYSROOT}/etc/portage/secureboot.pem as signing key" + export SECUREBOOT_SIGN_KEY=${SYSROOT}/etc/portage/secureboot.pem + export SECUREBOOT_SIGN_CERT=${SYSROOT}/etc/portage/secureboot.pem + elif [[ -r ${ROOT}/etc/portage/secureboot.pem ]]; then + ewarn "Using ${ROOT}/etc/portage/secureboot.pem as signing key" + export SECUREBOOT_SIGN_KEY=${ROOT}/etc/portage/secureboot.pem + export SECUREBOOT_SIGN_CERT=${ROOT}/etc/portage/secureboot.pem + elif [[ -r ${SYSROOT}/var/lib/sbctl/keys/db/db.key && + -r ${SYSROOT}/var/lib/sbctl/keys/db/db.pem ]] + then + ewarn "Using keys maintained by app-crypt/sbctl" + export SECUREBOOT_SIGN_KEY=${SYSROOT}/var/lib/sbctl/keys/db/db.key + export SECUREBOOT_SIGN_CERT=${SYSROOT}/var/lib/sbctl/keys/db/db.pem + elif [[ -r ${ROOT}/var/lib/sbctl/keys/db/db.key && + -r ${ROOT}/var/lib/sbctl/keys/db/db.pem ]] + then + ewarn "Using keys maintained by app-crypt/sbctl" + export SECUREBOOT_SIGN_KEY=${ROOT}/var/lib/sbctl/keys/db/db.key + export SECUREBOOT_SIGN_CERT=${ROOT}/var/lib/sbctl/keys/db/db.pem + elif [[ -r ${MODULES_SIGN_KEY} ]]; then + ewarn "Using the kernel module signing key" + export 
SECUREBOOT_SIGN_KEY=${MODULES_SIGN_KEY} + if [[ -r ${MODULES_SIGN_CERT} ]]; then + export SECUREBOOT_SIGN_CERT=${MODULES_SIGN_CERT} + else + export SECUREBOOT_SIGN_CERT=${MODULES_SIGN_KEY} + fi + elif [[ -r ${KV_OUT_DIR}/certs/signing_key.x509 ]] && + [[ -r ${module_sig_key} || ${module_sig_key} == pkcs11:* ]] + then + ewarn "Using keys maintained by the kernel" + openssl x509 \ + -in "${KV_OUT_DIR}/certs/signing_key.x509" -inform DER \ + -out "${T}/secureboot.pem" -outform PEM || + die "Failed to convert kernel certificate to PEM format" + export SECUREBOOT_SIGN_KEY=${module_sig_key} + export SECUREBOOT_SIGN_CERT=${T}/secureboot.pem + else + ewarn "No candidate keys found, generating a new key" + local openssl_gen_args=( + req -new -batch -nodes -utf8 -sha256 -days 36500 -x509 + -outform PEM -out "${SYSROOT}/etc/portage/secureboot.pem" + -keyform PEM -keyout "${SYSROOT}/etc/portage/secureboot.pem" + ) + if [[ -r ${KV_OUT_DIR}/certs/x509.genkey ]]; then + openssl_gen_args+=( + -config "${KV_OUT_DIR}/certs/x509.genkey" + ) + elif [[ -r ${KV_OUT_DIR}/certs/default_x509.genkey ]]; then + openssl_gen_args+=( + -config "${KV_OUT_DIR}/certs/default_x509.genkey" + ) + else + openssl_gen_args+=( + -subj '/CN=Build time autogenerated kernel key' + ) + fi + ( + umask 066 + openssl "${openssl_gen_args[@]}" || + die "Failed to generate new signing key" + # Generate DER format key as well for easy inclusion in + # either the UEFI dB or MOK list. + openssl x509 \ + -in "${SYSROOT}/etc/portage/secureboot.pem" -inform PEM \ + -out "${ROOT}/etc/portage/secureboot.x509" -outform DER || + die "Failed to convert signing certificate to DER format" + ) + export SECUREBOOT_SIGN_KEY=${SYSROOT}/etc/portage/secureboot.pem + export SECUREBOOT_SIGN_CERT=${SYSROOT}/etc/portage/secureboot.pem + fi + elif [[ -z ${SECUREBOOT_SIGN_CERT} ]]; then + ewarn "A SECUREBOOT_SIGN_KEY was specified but no SECUREBOOT_SIGN_CERT" + ewarn "was set. Assuming the certificate is in the same file as the key." 
+ export SECUREBOOT_SIGN_CERT=${SECUREBOOT_SIGN_KEY} + fi + + # Sanity check: fail early if key/cert in DER format or does not exist + local openssl_args=( + -inform PEM -in "${SECUREBOOT_SIGN_CERT}" + -noout -nocert + ) + if [[ ${SECUREBOOT_SIGN_KEY} == pkcs11:* ]]; then + openssl_args+=( -engine pkcs11 -keyform ENGINE -key "${SECUREBOOT_SIGN_KEY}" ) + else + openssl_args+=( -keyform PEM -key "${SECUREBOOT_SIGN_KEY}" ) + fi + + openssl x509 "${openssl_args[@]}" || + die "Secure Boot signing certificate or key not found or not PEM format." fi } @@ -123,8 +214,6 @@ secureboot_sign_efi_file() { local input_file=${1} local output_file=${2:-${1}} - _secureboot_die_if_unset - ebegin "Signing ${input_file}" local return=1 if sbverify "${input_file}" --cert "${SECUREBOOT_SIGN_CERT}" &> /dev/null; then |