summaryrefslogtreecommitdiff
path: root/eclass
diff options
context:
space:
mode:
Diffstat (limited to 'eclass')
-rw-r--r--eclass/Manifest.gzbin40181 -> 40184 bytes
-rw-r--r--eclass/kernel-install.eclass59
-rw-r--r--eclass/verify-sig.eclass34
3 files changed, 89 insertions, 4 deletions
diff --git a/eclass/Manifest.gz b/eclass/Manifest.gz
index 832ba6f50bfb..9e48dcc21219 100644
--- a/eclass/Manifest.gz
+++ b/eclass/Manifest.gz
Binary files differ
diff --git a/eclass/kernel-install.eclass b/eclass/kernel-install.eclass
index 1cc2bd0bb737..cf34007844a8 100644
--- a/eclass/kernel-install.eclass
+++ b/eclass/kernel-install.eclass
@@ -204,6 +204,7 @@ if [[ ${KERNEL_IUSE_GENERIC_UKI} ]]; then
"
IDEPEND="
generic-uki? (
+ app-crypt/sbsigntools
>=sys-kernel/installkernel-14[-dracut(-),-ugrd(-),-ukify(-)]
)
!generic-uki? (
@@ -660,13 +661,65 @@ kernel-install_extract_from_uki() {
local extract_type=${1}
local uki=${2}
local out=${3}
+ local out_temp=${T}/${extract_type}-section-dumped
# objcopy overwrites input if there is no output, dump the output in T.
# We unfortunately cannot use /dev/null here
$(tc-getOBJCOPY) "${uki}" "${T}/dump.efi" \
- --dump-section ".${extract_type}=${out}" ||
- die "Failed to extract ${extract_type}"
- chmod 644 "${out}" || die
+ --dump-section ".${extract_type}=${out_temp}" ||
+ die "Failed to extract ${extract_type}"
+
+ # Sanity checks for kernel images
+ if [[ ${extract_type} == linux ]] &&
+ { ! in_iuse secureboot || use secureboot ;}
+ then
+ # Extract the used SECUREBOOT_SIGN_CERT to verify the kernel image
+ local cert=${T}/pcrpkey
+ kernel-install_extract_from_uki pcrpkey "${uki}" "${cert}"
+ if [[ $(head -n1 "${cert}") != "-----BEGIN CERTIFICATE-----" ]]; then
+ # This is a DER format certificate, convert it to PEM
+ openssl x509 \
+ -inform DER -in "${cert}" \
+ -outform PEM -out "${cert}" ||
+ die "Failed to convert pcrpkey to PEM format"
+ fi
+
+ # Check if the signature on the UKI is valid
+ sbverify --cert "${cert}" "${uki}" ||
+ die "ERROR: UKI signature is invalid"
+
+ # Check if the signature on the kernel image is valid
+ local sbverify_err=$(
+ sbverify --cert "${cert}" "${out_temp}" 2>&1 >/dev/null
+ )
+
+ # Check if there was a padding warning
+ if [[ ${sbverify_err} == "warning: data remaining"*": gaps between PE/COFF sections?"* ]]
+ then
+ # https://github.com/systemd/systemd/issues/35851
+ local proper_size=${sbverify_err#"warning: data remaining["}
+ proper_size=${proper_size%" vs"*}
+ # Strip the padding
+ head "${out_temp}" --bytes "${proper_size}" \
+ >"${out_temp}_trimmed" || die
+ # Check if the signature verifies now
+ sbverify_err=$(
+ sbverify --cert "${cert}" "${out_temp}_trimmed" 2>&1 >/dev/null
+ )
+ [[ -z ${sbverify_err} ]] && out_temp=${out_temp}_trimmed
+ fi
+
+ # Something has gone wrong, stop here to prevent installing a kernel
+ # with an invalid signature or a completely broken kernel image.
+ if [[ -n ${sbverify_err} ]]; then
+ eerror "${sbverify_err}"
+ die "ERROR: Kernel image signature is invalid"
+ else
+ einfo "Signature verification OK"
+ fi
+ fi
+
+ install -m 644 "${out_temp}" "${out}" || die
}
# @FUNCTION: kernel-install_install_all
diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass
index 0e6b9b43e557..12b689f0f4b2 100644
--- a/eclass/verify-sig.eclass
+++ b/eclass/verify-sig.eclass
@@ -1,4 +1,4 @@
-# Copyright 2020-2024 Gentoo Authors
+# Copyright 2020-2025 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
# @ECLASS: verify-sig.eclass
@@ -48,6 +48,8 @@ esac
if [[ -z ${_VERIFY_SIG_ECLASS} ]]; then
_VERIFY_SIG_ECLASS=1
+inherit eapi9-pipestatus
+
IUSE="verify-sig"
# @ECLASS_VARIABLE: VERIFY_SIG_METHOD
@@ -423,6 +425,36 @@ verify-sig_verify_signed_checksums() {
esac
}
+# @FUNCTION: verify-sig_uncompress_verify_unpack
+# @USAGE: <compressed-tar> <sig-file> [<key-file>]
+# @DESCRIPTION:
+# Uncompress the <compressed-tar> tarball, verify the uncompressed
+# archive against the signature in <sig-file> and unpack it. This is
+# useful for kernel.org packages that sign the uncompressed tarball
+# instead of the compressed archive. <key-file> can either be passed
+# directly, or it defaults to VERIFY_SIG_OPENPGP_KEY_PATH. The function
+# dies if verification or any of the unpacking steps fail.
+verify-sig_uncompress_verify_unpack() {
+ local file=${1}
+ local unpacker
+
+ # TODO: integrate with unpacker.eclass somehow?
+ case ${file} in
+ *.tar.xz)
+ unpacker=( xz -cd )
+ ;;
+ *)
+ die "${FUNCNAME}: only .tar.xz archives are supported at the moment"
+ ;;
+ esac
+
+ einfo "Unpacking ${file} ..."
+ verify-sig_verify_detached - "${@:2}" < <(
+ "${unpacker[@]}" "${file}" | tee >(tar -xf - || die)
+ pipestatus || die
+ )
+}
+
# @FUNCTION: verify-sig_src_unpack
# @DESCRIPTION:
# Default src_unpack override that verifies signatures for all