gentoo auto-resync : 11:01:2025 - 06:41:28

author: V3n3RiX <venerix@koprulu.sector> 2025-01-11 06:41:28 +0000
committer: V3n3RiX <venerix@koprulu.sector> 2025-01-11 06:41:28 +0000
commit: f1634517e73f2faf342a366354c3e0f2edb45952 (patch)
tree: ae3c632ec3576f8d57b3acd5e1aba5643f0f6d9b /eclass
parent: f9d8ddaae80afb8fa0924cd3f769f9b37dd373e1 (diff)
3 files changed, 89 insertions, 4 deletions
diff --git a/eclass/Manifest.gz b/eclass/Manifest.gz
index 832ba6f50bfb..9e48dcc21219 100644
--- a/eclass/Manifest.gz
+++ b/eclass/Manifest.gz
diff --git a/eclass/kernel-install.eclass b/eclass/kernel-install.eclass
index 1cc2bd0bb737..cf34007844a8 100644
--- a/eclass/kernel-install.eclass
+++ b/eclass/kernel-install.eclass
@@ -204,6 +204,7 @@ if [[ ${KERNEL_IUSE_GENERIC_UKI} ]]; then
 	"
 	IDEPEND="
 		generic-uki? (
+			app-crypt/sbsigntools
 			>=sys-kernel/installkernel-14[-dracut(-),-ugrd(-),-ukify(-)]
 		)
 		!generic-uki? (
@@ -660,13 +661,65 @@ kernel-install_extract_from_uki() {
 	local extract_type=${1}
 	local uki=${2}
 	local out=${3}
+	local out_temp=${T}/${extract_type}-section-dumped
 
 	# objcopy overwrites input if there is no output, dump the output in T.
 	# We unfortunately cannot use /dev/null here
 	$(tc-getOBJCOPY) "${uki}" "${T}/dump.efi" \
-		--dump-section ".${extract_type}=${out}" ||
-		die "Failed to extract ${extract_type}"
-	chmod 644 "${out}" || die
+		--dump-section ".${extract_type}=${out_temp}" ||
+			die "Failed to extract ${extract_type}"
+
+	# Sanity checks for kernel images
+	if [[ ${extract_type} == linux ]] &&
+		{ ! in_iuse secureboot || use secureboot ;}
+	then
+		# Extract the used SECUREBOOT_SIGN_CERT to verify the kernel image
+		local cert=${T}/pcrpkey
+		kernel-install_extract_from_uki pcrpkey "${uki}" "${cert}"
+		if [[ $(head -n1 "${cert}") != "-----BEGIN CERTIFICATE-----" ]]; then
+			# This is a DER format certificate, convert it to PEM
+			openssl x509 \
+				-inform DER -in "${cert}" \
+				-outform PEM -out "${cert}" ||
+					die "Failed to convert pcrpkey to PEM format"
+		fi
+
+		# Check if the signature on the UKI is valid
+		sbverify --cert "${cert}" "${uki}" ||
+			die "ERROR: UKI signature is invalid"
+
+		# Check if the signature on the kernel image is valid
+		local sbverify_err=$(
+			sbverify --cert "${cert}" "${out_temp}" 2>&1 >/dev/null
+		)
+
+		# Check if there was a padding warning
+		if [[ ${sbverify_err} == "warning: data remaining"*": gaps between PE/COFF sections?"* ]]
+		then
+			# https://github.com/systemd/systemd/issues/35851
+			local proper_size=${sbverify_err#"warning: data remaining["}
+			proper_size=${proper_size%" vs"*}
+			# Strip the padding
+			head "${out_temp}" --bytes "${proper_size}" \
+				>"${out_temp}_trimmed" || die
+			# Check if the signature verifies now
+			sbverify_err=$(
+				sbverify --cert "${cert}" "${out_temp}_trimmed" 2>&1 >/dev/null
+			)
+			[[ -z ${sbverify_err} ]] && out_temp=${out_temp}_trimmed
+		fi
+
+		# Something has gone wrong, stop here to prevent installing a kernel
+		# with an invalid signature or a completely broken kernel image.
+		if [[ -n ${sbverify_err} ]]; then
+			eerror "${sbverify_err}"
+			die "ERROR: Kernel image signature is invalid"
+		else
+			einfo "Signature verification OK"
+		fi
+	fi
+
+	install -m 644 "${out_temp}" "${out}" || die
 }
 
 # @FUNCTION: kernel-install_install_all
diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass
index 0e6b9b43e557..12b689f0f4b2 100644
--- a/eclass/verify-sig.eclass
+++ b/eclass/verify-sig.eclass
@@ -1,4 +1,4 @@
-# Copyright 2020-2024 Gentoo Authors
+# Copyright 2020-2025 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 # @ECLASS: verify-sig.eclass
@@ -48,6 +48,8 @@ esac
 if [[ -z ${_VERIFY_SIG_ECLASS} ]]; then
 _VERIFY_SIG_ECLASS=1
 
+inherit eapi9-pipestatus
+
 IUSE="verify-sig"
 
 # @ECLASS_VARIABLE: VERIFY_SIG_METHOD
@@ -423,6 +425,36 @@ verify-sig_verify_signed_checksums() {
 	esac
 }
 
+# @FUNCTION: verify-sig_uncompress_verify_unpack
+# @USAGE: <compressed-tar> <sig-file> [<key-file>]
+# @DESCRIPTION:
+# Uncompress the <compressed-tar> tarball, verify the uncompressed
+# archive against the signature in <sig-file> and unpack it.  This is
+# useful for kernel.org packages that sign the uncompressed tarball
+# instead of the compressed archive.  <key-file> can either be passed
+# directly, or it defaults to VERIFY_SIG_OPENPGP_KEY_PATH.  The function
+# dies if verification or any of the unpacking steps fail.
+verify-sig_uncompress_verify_unpack() {
+	local file=${1}
+	local unpacker
+
+	# TODO: integrate with unpacker.eclass somehow?
+	case ${file} in
+		*.tar.xz)
+			unpacker=( xz -cd )
+			;;
+		*)
+			die "${FUNCNAME}: only .tar.xz archives are supported at the moment"
+			;;
+	esac
+
+	einfo "Unpacking ${file} ..."
+	verify-sig_verify_detached - "${@:2}" < <(
+		"${unpacker[@]}" "${file}" | tee >(tar -xf - || die)
+		pipestatus || die
+	)
+}
+
 # @FUNCTION: verify-sig_src_unpack
 # @DESCRIPTION:
 # Default src_unpack override that verifies signatures for all
author	V3n3RiX <venerix@koprulu.sector>	2025-01-11 06:41:28 +0000
committer	V3n3RiX <venerix@koprulu.sector>	2025-01-11 06:41:28 +0000
commit	f1634517e73f2faf342a366354c3e0f2edb45952 (patch)
tree	ae3c632ec3576f8d57b3acd5e1aba5643f0f6d9b /eclass
parent	f9d8ddaae80afb8fa0924cd3f769f9b37dd373e1 (diff)