Diffstat (limited to 'eclass')
-rw-r--r--eclass/Manifest.gzbin38160 -> 38150 bytes
-rw-r--r--eclass/dist-kernel-utils.eclass22
-rw-r--r--eclass/gnustep-base.eclass5
-rw-r--r--eclass/golang-vcs.eclass2
-rw-r--r--eclass/kernel-build.eclass116
5 files changed, 131 insertions, 14 deletions
diff --git a/eclass/Manifest.gz b/eclass/Manifest.gz
index 99a853152406..560279141440 100644
--- a/eclass/Manifest.gz
+++ b/eclass/Manifest.gz
Binary files differ
diff --git a/eclass/dist-kernel-utils.eclass b/eclass/dist-kernel-utils.eclass
index 439bdc87695d..cfb6f40ac6fa 100644
--- a/eclass/dist-kernel-utils.eclass
+++ b/eclass/dist-kernel-utils.eclass
@@ -1,4 +1,4 @@
-# Copyright 2020-2022 Gentoo Authors
+# Copyright 2020-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
# @ECLASS: dist-kernel-utils.eclass
@@ -104,12 +104,22 @@ dist-kernel_install_kernel() {
if [[ ${magic} == MZ ]]; then
einfo "Combined UEFI kernel+initramfs executable found"
# install the combined executable in place of kernel
- image=${initrd}.uefi
+ image=${initrd}.efi
mv "${initrd}" "${image}" || die
- # put an empty file in place of initrd. installing a duplicate
- # file would waste disk space, and removing it entirely provokes
- # kernel-install to regenerate it via dracut.
- > "${initrd}"
+ # We moved the generated initrd, prevent dracut from running again
+ # https://github.com/dracutdevs/dracut/pull/2405
+ shopt -s nullglob
+ local plugins=()
+ for file in "${EROOT}"/usr/lib/kernel/install.d/*.install; do
+ if ! has "${file##*/}" 50-dracut.install 51-dracut-rescue.install; then
+ plugins+=( "${file}" )
+ fi
+ done
+ for file in "${EROOT}"/etc/kernel/install.d/*.install; do
+ plugins+=( "${file}" )
+ done
+ shopt -u nullglob
+ export KERNEL_INSTALL_PLUGINS="${KERNEL_INSTALL_PLUGINS} ${plugins[@]}"
fi
ebegin "Installing the kernel via installkernel"
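Review bot: `file` is never declared `local`, so both `for file in …` loops leak it into the caller's scope; dist-kernel_install_kernel starts outside this hunk, so change `local plugins=()` to `local file plugins=()`. The exclusion only matches the basenames 50-dracut.install and 51-dracut-rescue.install under /usr/lib/kernel/install.d, while everything in /etc/kernel/install.d is passed through unfiltered, so a dracut plugin kept under another name or as a local override would presumably still run and regenerate the initrd that was just moved; a comment such as `# Only the stock dracut plugins are excluded; /etc/kernel/install.d is passed verbatim` would make that limitation explicit. Joining `${plugins[@]}` inside double quotes is deliberate here since KERNEL_INSTALL_PLUGINS is whitespace-separated, but it means plugin paths containing whitespace cannot be represented, which is worth noting on the `export` line.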
diff --git a/eclass/gnustep-base.eclass b/eclass/gnustep-base.eclass
index 49bcc09caa93..b5b350106471 100644
--- a/eclass/gnustep-base.eclass
+++ b/eclass/gnustep-base.eclass
@@ -11,8 +11,8 @@
# packages
case ${EAPI} in
- 6|7) inherit eutils ;;
- 8) ;;
+ 6) inherit eutils ;;
+ 7|8) ;;
*) die "${ECLASS}: EAPI ${EAPI:-0} not supported" ;;
esac
@@ -128,7 +128,6 @@ egnustep_env() {
-i "${WORKDIR}"/GNUstep.conf || die "GNUstep.conf sed failed"
fi
-
if [[ ! -d ${EPREFIX}/usr/share/GNUstep/Makefiles ]]; then
# Set rpath in ldflags when available
case ${CHOST} in
diff --git a/eclass/golang-vcs.eclass b/eclass/golang-vcs.eclass
index 6f60b6dd3ae0..7558db4776cb 100644
--- a/eclass/golang-vcs.eclass
+++ b/eclass/golang-vcs.eclass
@@ -20,7 +20,7 @@ esac
if [[ -z ${_GOLANG_VCS_ECLASS} ]]; then
_GOLANG_VCS_ECLASS=1
-inherit estack eutils golang-base
+inherit estack golang-base
PROPERTIES+=" live"
diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index 020557497ddc..963e020b3746 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -1,4 +1,4 @@
-# Copyright 2020-2022 Gentoo Authors
+# Copyright 2020-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
# @ECLASS: kernel-build.eclass
@@ -41,6 +41,50 @@ BDEPEND="
app-alternatives/yacc
"
+IUSE="+strip"
+
+# @ECLASS_VARIABLE: KERNEL_IUSE_MODULES_SIGN
+# @PRE_INHERIT
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# If set to a non-null value, adds IUSE=modules-sign and required
+# logic to manipulate the kernel config while respecting the
+# MODULES_SIGN_HASH and MODULES_SIGN_KEY user variables.
+
+# @ECLASS_VARIABLE: MODULES_SIGN_HASH
+# @USER_VARIABLE
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# Used with USE=modules-sign. Can be set to hash algorithm to use
+# during signature generation (CONFIG_MODULE_SIG_SHA256).
+#
+# Valid values: sha512,sha384,sha256,sha224,sha1
+#
+# Default if unset: sha512
+
+# @ECLASS_VARIABLE: MODULES_SIGN_KEY
+# @USER_VARIABLE
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# Used with USE=modules-sign. Can be set to the path of the private
+# key in PEM format to use, or a PKCS#11 URI (CONFIG_MODULE_SIG_KEY).
+#
+# If path is relative (e.g. "certs/name.pem"), it is assumed to be
+# relative to the kernel build directory being used.
+#
+# If the key requires a passphrase or PIN, the used kernel sign-file
+# utility recognizes the KBUILD_SIGN_PIN environment variable. Be
+# warned that the package manager may store this value in binary
+# packages, database files, temporary files, and possibly logs. This
+# eclass unsets the variable after use to mitigate the issue (notably
+# for shared binary packages), but use this with care.
+#
+# Default if unset: certs/signing_key.pem
+
+if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
+ IUSE+=" modules-sign"
+fi
+
# @FUNCTION: kernel-build_src_configure
# @DESCRIPTION:
# Prepare the toolchain for building the kernel, get the default .config
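Review bot: The MODULES_SIGN_HASH description lists sha1 as a valid value without any caveat, although SHA-1 is deprecated for signature use; add a line such as `# sha1 is accepted for compatibility only; prefer sha256 or stronger.` The parenthetical `(CONFIG_MODULE_SIG_SHA256)` names one specific option while the stated default is sha512; `(CONFIG_MODULE_SIG_<HASH>)` matches what the eclass actually generates. It would also help to say here that the eclass does not validate the value and writes it into the generated config fragment verbatim, so users know a typo is not caught at this layer.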
@@ -83,7 +127,7 @@ kernel-build_src_configure() {
LD="${LD}"
AR="$(tc-getAR)"
NM="$(tc-getNM)"
- STRIP=":"
+ STRIP="$(tc-getSTRIP)"
OBJCOPY="$(tc-getOBJCOPY)"
OBJDUMP="$(tc-getOBJDUMP)"
@@ -176,8 +220,18 @@ kernel-build_src_install() {
targets+=( dtbs_install )
fi
+ # Use the kernel build system to strip, this ensures the modules
+ # are stripped *before* they are signed or compressed.
+ local strip_args
+ if use strip; then
+ strip_args="--strip-unneeded"
+ fi
+ # Modules were already stripped by the kernel build system
+ dostrip -x /lib/modules
+
emake O="${WORKDIR}"/build "${MAKEARGS[@]}" \
- INSTALL_MOD_PATH="${ED}" INSTALL_PATH="${ED}/boot" "${targets[@]}"
+ INSTALL_MOD_PATH="${ED}" INSTALL_MOD_STRIP="${strip_args}" \
+ INSTALL_PATH="${ED}/boot" "${targets[@]}"
# note: we're using mv rather than doins to save space and time
# install main and arch-specific headers first, and scripts
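Review bot: The comment above `dostrip -x /lib/modules` says the modules were already stripped, but with USE=-strip `strip_args` is empty and they are not, while the exclusion is still required: a strip pass by the package manager would run after installation, i.e. after the signing and compression that the comment three lines earlier says stripping must precede. Suggest `# Never let the package manager strip modules: with USE=strip the kernel build system already did so, and stripping after signing/compression would presumably invalidate the result.` kernel-build_src_install begins and ends outside this hunk.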
@@ -217,6 +271,14 @@ kernel-build_src_install() {
local image_path=$(dist-kernel_get_image_path)
cp -p "build/${image_path}" "${ED}${kernel_dir}/${image_path}" || die
+ # If a key was generated, copy it so external modules can be signed
+ local suffix
+ for suffix in pem x509; do
+ if [[ -f "build/certs/signing_key.${suffix}" ]]; then
+ cp -p "build/certs/signing_key.${suffix}" "${ED}${kernel_dir}/certs" || die
+ fi
+ done
+
# building modules fails with 'vmlinux has no symtab?' if stripped
use ppc64 && dostrip -x "${kernel_dir}/${image_path}"
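Review bot: `cp -p` installs the auto-generated private key signing_key.pem with whatever mode the kernel build gave it, and nothing in this hunk restricts it, so depending on the build umask the key may end up world-readable under ${kernel_dir}/certs on the installed system. Inside the loop add `[[ ${suffix} == pem ]] && fperms 0600 "${kernel_dir}/certs/signing_key.pem"` with the comment `# private key: keep root-only; the x509 certificate is public`. The copy also relies on `${ED}${kernel_dir}/certs` already existing, presumably created when the build tree is installed earlier in kernel-build_src_install, which lies outside this hunk.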
@@ -239,6 +301,9 @@ kernel-build_src_install() {
dosym "../../../${kernel_dir}" "/lib/modules/${module_ver}/build"
dosym "../../../${kernel_dir}" "/lib/modules/${module_ver}/source"
+ # unset to at least be out of the environment file in, e.g. shared binpkgs
+ unset KBUILD_SIGN_PIN
+
save_config build/.config
}
@@ -248,6 +313,26 @@ kernel-build_src_install() {
kernel-build_pkg_postinst() {
kernel-install_pkg_postinst
savedconfig_pkg_postinst
+
+ if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
+ if use modules-sign && [[ -z ${MODULES_SIGN_KEY} ]]; then
+ ewarn
+ ewarn "MODULES_SIGN_KEY was not set, this means the kernel build system"
+ ewarn "automatically generated the signing key. This key was installed"
+ ewarn "in ${EROOT}/usr/src/linux-${PV}${KV_LOCALVERSION}/certs"
+ ewarn "and will also be included in any binary packages."
+ ewarn "Please take appropriate action to protect the key!"
+ ewarn
+ ewarn "Recompiling this package causes a new key to be generated. As"
+ ewarn "a result any external kernel modules will need to be resigned."
+ ewarn "Use emerge @module-rebuild, or manually sign the modules as"
+ ewarn "described on the wiki [1]"
+ ewarn
+ ewarn "Consider using the MODULES_SIGN_KEY variable to use an external key."
+ ewarn
+ ewarn "[1]: https://wiki.gentoo.org/wiki/Signed_kernel_module_support"
+ fi
+ fi
}
# @FUNCTION: kernel-build_merge_configs
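Review bot: The warning hardcodes the key location as `${EROOT}/usr/src/linux-${PV}${KV_LOCALVERSION}/certs`, whereas kernel-build_src_install copies the key into `${ED}${kernel_dir}/certs`; kernel_dir is defined outside this hunk, and if it ever differs from that literal the message points users at the wrong directory, so derive the path the same way in both places. "Please take appropriate action to protect the key!" is vague; since the key is a plaintext PEM file, spell out the action, e.g. `ewarn "The key is an unencrypted PEM file; restrict its permissions (chmod 0600) or move it off this host."`, unless the install step already restricts its mode.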
@@ -270,16 +355,39 @@ kernel-build_merge_configs() {
local user_configs=( "${BROOT}"/etc/kernel/config.d/*.config )
shopt -u nullglob
+ local merge_configs=( "${@}" )
+
+ if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
+ if use modules-sign; then
+ : "${MODULES_SIGN_HASH:=sha512}"
+ cat <<-EOF > "${WORKDIR}/modules-sign.config" || die
+ ## Enable module signing
+ CONFIG_MODULE_SIG=y
+ CONFIG_MODULE_SIG_ALL=y
+ CONFIG_MODULE_SIG_FORCE=y
+ CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y
+ EOF
+ if [[ ${MODULES_SIGN_KEY} == pkcs11:* || -e ${MODULES_SIGN_KEY} ]]; then
+ echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \
+ >> "${WORKDIR}/modules-sign.config"
+ elif [[ -n ${MODULES_SIGN_KEY} ]]; then
+ die "MODULES_SIGN_KEY=${MODULES_SIGN_KEY} not found!"
+ fi
+ merge_configs+=( "${WORKDIR}/modules-sign.config" )
+ fi
+ fi
+
if [[ ${#user_configs[@]} -gt 0 ]]; then
elog "User config files are being applied:"
local x
for x in "${user_configs[@]}"; do
elog "- ${x}"
done
+ merge_configs+=( "${user_configs[@]}" )
fi
./scripts/kconfig/merge_config.sh -m -r \
- .config "${@}" "${user_configs[@]}" || die
+ .config "${merge_configs[@]}" || die
}
fi
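Review bot: MODULES_SIGN_HASH is interpolated into `CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y` without being checked against the documented values, so a typo such as `sha265` produces an unknown symbol that is presumably discarded when the config is regenerated, leaving the kernel on its default hash instead of failing the build. Add a guard before the heredoc: `has "${MODULES_SIGN_HASH}" sha512 sha384 sha256 sha224 sha1 || die "Invalid MODULES_SIGN_HASH=${MODULES_SIGN_HASH}"`. The `-e ${MODULES_SIGN_KEY}` test is also evaluated relative to the current directory, which given the `./scripts/kconfig/merge_config.sh` call appears to be the kernel source tree, while the variable's documentation says relative paths are resolved against the build directory; a relative path to a key present only in `${WORKDIR}/build` would therefore hit the `die` branch. Either test `${WORKDIR}/build/${MODULES_SIGN_KEY}` for relative values or document that relative keys are checked from the source tree.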