diff options
Diffstat (limited to 'eclass')
-rw-r--r-- | eclass/Manifest.gz | bin | 40181 -> 40184 bytes | |||
-rw-r--r-- | eclass/kernel-install.eclass | 59 | ||||
-rw-r--r-- | eclass/verify-sig.eclass | 34 |
3 files changed, 89 insertions, 4 deletions
diff --git a/eclass/Manifest.gz b/eclass/Manifest.gz Binary files differindex 832ba6f50bfb..9e48dcc21219 100644 --- a/eclass/Manifest.gz +++ b/eclass/Manifest.gz diff --git a/eclass/kernel-install.eclass b/eclass/kernel-install.eclass index 1cc2bd0bb737..cf34007844a8 100644 --- a/eclass/kernel-install.eclass +++ b/eclass/kernel-install.eclass @@ -204,6 +204,7 @@ if [[ ${KERNEL_IUSE_GENERIC_UKI} ]]; then " IDEPEND=" generic-uki? ( + app-crypt/sbsigntools >=sys-kernel/installkernel-14[-dracut(-),-ugrd(-),-ukify(-)] ) !generic-uki? ( @@ -660,13 +661,65 @@ kernel-install_extract_from_uki() { local extract_type=${1} local uki=${2} local out=${3} + local out_temp=${T}/${extract_type}-section-dumped # objcopy overwrites input if there is no output, dump the output in T. # We unfortunately cannot use /dev/null here $(tc-getOBJCOPY) "${uki}" "${T}/dump.efi" \ - --dump-section ".${extract_type}=${out}" || - die "Failed to extract ${extract_type}" - chmod 644 "${out}" || die + --dump-section ".${extract_type}=${out_temp}" || + die "Failed to extract ${extract_type}" + + # Sanity checks for kernel images + if [[ ${extract_type} == linux ]] && + { ! in_iuse secureboot || use secureboot ;} + then + # Extract the used SECUREBOOT_SIGN_CERT to verify the kernel image + local cert=${T}/pcrpkey + kernel-install_extract_from_uki pcrpkey "${uki}" "${cert}" + if [[ $(head -n1 "${cert}") != "-----BEGIN CERTIFICATE-----" ]]; then + # This is a DER format certificate, convert it to PEM + openssl x509 \ + -inform DER -in "${cert}" \ + -outform PEM -out "${cert}" || + die "Failed to convert pcrpkey to PEM format" + fi + + # Check if the signature on the UKI is valid + sbverify --cert "${cert}" "${uki}" || + die "ERROR: UKI signature is invalid" + + # Check if the signature on the kernel image is valid + local sbverify_err=$( + sbverify --cert "${cert}" "${out_temp}" 2>&1 >/dev/null + ) + + # Check if there was a padding warning + if [[ ${sbverify_err} == "warning: data remaining"*": gaps between PE/COFF sections?"* ]] + then + # https://github.com/systemd/systemd/issues/35851 + local proper_size=${sbverify_err#"warning: data remaining["} + proper_size=${proper_size%" vs"*} + # Strip the padding + head "${out_temp}" --bytes "${proper_size}" \ + >"${out_temp}_trimmed" || die + # Check if the signature verifies now + sbverify_err=$( + sbverify --cert "${cert}" "${out_temp}_trimmed" 2>&1 >/dev/null + ) + [[ -z ${sbverify_err} ]] && out_temp=${out_temp}_trimmed + fi + + # Something has gone wrong, stop here to prevent installing a kernel + # with an invalid signature or a completely broken kernel image. + if [[ -n ${sbverify_err} ]]; then + eerror "${sbverify_err}" + die "ERROR: Kernel image signature is invalid" + else + einfo "Signature verification OK" + fi + fi + + install -m 644 "${out_temp}" "${out}" || die } # @FUNCTION: kernel-install_install_all diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass index 0e6b9b43e557..12b689f0f4b2 100644 --- a/eclass/verify-sig.eclass +++ b/eclass/verify-sig.eclass @@ -1,4 +1,4 @@ -# Copyright 2020-2024 Gentoo Authors +# Copyright 2020-2025 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 # @ECLASS: verify-sig.eclass @@ -48,6 +48,8 @@ esac if [[ -z ${_VERIFY_SIG_ECLASS} ]]; then _VERIFY_SIG_ECLASS=1 +inherit eapi9-pipestatus + IUSE="verify-sig" # @ECLASS_VARIABLE: VERIFY_SIG_METHOD @@ -423,6 +425,36 @@ verify-sig_verify_signed_checksums() { esac } +# @FUNCTION: verify-sig_uncompress_verify_unpack +# @USAGE: <compressed-tar> <sig-file> [<key-file>] +# @DESCRIPTION: +# Uncompress the <compressed-tar> tarball, verify the uncompressed +# archive against the signature in <sig-file> and unpack it. This is +# useful for kernel.org packages that sign the uncompressed tarball +# instead of the compressed archive. <key-file> can either be passed +# directly, or it defaults to VERIFY_SIG_OPENPGP_KEY_PATH. The function +# dies if verification or any of the unpacking steps fail. +verify-sig_uncompress_verify_unpack() { + local file=${1} + local unpacker + + # TODO: integrate with unpacker.eclass somehow? + case ${file} in + *.tar.xz) + unpacker=( xz -cd ) + ;; + *) + die "${FUNCNAME}: only .tar.xz archives are supported at the moment" + ;; + esac + + einfo "Unpacking ${file} ..." + verify-sig_verify_detached - "${@:2}" < <( + "${unpacker[@]}" "${file}" | tee >(tar -xf - || die) + pipestatus || die + ) +} + # @FUNCTION: verify-sig_src_unpack # @DESCRIPTION: # Default src_unpack override that verifies signatures for all |