• Re: [gentoo-dev] [PATCH 2/2] kernel-build.eclass: add USE="modules-sign

    From Florian Schmaus@21:1/5 to Andrew Ammerlaan on Thu Jun 15 12:00:01 2023
    On 15.06.23 11:50, Andrew Ammerlaan wrote:
    From fc8894ff62b45cc7a4148a9f6ba51f1afe7b920a Mon Sep 17 00:00:00 2001
    From: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
    Date: Thu, 8 Jun 2023 20:44:58 +0200
    Subject: [PATCH] sys-kernel/gentoo-kernel: add USE="modules-sign"

    - Enable module signing configure options if requested by the user.
    - Respect the linux-mod-r1.eclass variables MODULES_SIGN_HASH and MODULES_SIGN_KEY.
    - Warn the user if we are letting the kernel build system generate
    the signing key. This key will end up in binary packages. Plus external
    modules will have to be resigned if gentoo-kernel is re-emerged (i.e. a
    new key was generated).

    Bug: https://bugs.gentoo.org/881651
    Bug: https://bugs.gentoo.org/814344
    Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
    ---
     ...8.ebuild => gentoo-kernel-6.3.8.ebuild} | 45 ++++++++++++++++++-
     1 file changed, 44 insertions(+), 1 deletion(-)
     rename sys-kernel/gentoo-kernel/{gentoo-kernel-6.3.8.ebuild => gentoo-kernel-6.3.8-r1.ebuild} (71%)

    diff --git a/sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8.ebuild b/sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8-r1.ebuild
    similarity index 71%
    rename from sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8.ebuild
    rename to sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8-r1.ebuild
    index fd81855a6140a..4bc03564efbe0 100644
    --- a/sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8.ebuild
    +++ b/sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8-r1.ebuild
    @@ -44,7 +44,7 @@ S=${WORKDIR}/${MY_P}

     LICENSE="GPL-2"
     KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ppc ~ppc64 ~riscv ~x86"
    -IUSE="debug hardened"
    +IUSE="debug hardened modules-sign"
     REQUIRED_USE="arm? ( savedconfig )
         hppa? ( savedconfig )
         riscv? ( savedconfig )"
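    Review bot: the diffstat above lists only the ebuild, so the new local USE flag `modules-sign` added to IUSE here ships without a description; add a `<flag name="modules-sign">` entry under `<use>` in sys-kernel/gentoo-kernel/metadata.xml in the same commit, otherwise the flag is undocumented for users and QA tooling flags it as an undescribed local flag.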
    @@ -136,5 +136,48 @@ src_prepare() {
             merge_configs+=( "${dist_conf_path}/big-endian.config" )
         fi

    +    if use modules-sign; then
    +        : "${MODULES_SIGN_HASH:=sha512}"
    +        cat <<-EOF > "${WORKDIR}/modules-sign.config" || die +            ## Enable module signing
    +            CONFIG_MODULE_SIG=y
    +            CONFIG_MODULE_SIG_ALL=y
    +            CONFIG_MODULE_SIG_FORCE=y
    +            CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y +        EOF
    +        if [[ -n "${MODULES_SIGN_KEY}" ]]; then +            if [[ -e "${MODULES_SIGN_KEY}" ]]; then +                echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \
    +                    >> "${WORKDIR}/modules-sign.config" +            else
    +                die "MODULES_SIGN_KEY=${MODULES_SIGN_KEY} not found!"
    +            fi
    +        fi
    +        merge_configs+=( "${WORKDIR}/modules-sign.config" )
    +    fi
    +
         kernel-build_merge_configs "${merge_configs[@]}"
     }
    +
    +pkg_postinst() {
    +    kernel-build_pkg_postinst
    +    if use modules-sign; then
    +        if [[ -z "${MODULES_SIGN_KEY}" ]]; then +            ewarn ""
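    Review bot: in src_prepare, `CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y` is formed from the user-supplied MODULES_SIGN_HASH without checking it, so anything outside the choices the kernel offers (sha1, sha224, sha256, sha384, sha512 in this series) writes a Kconfig symbol that does not exist and the mistake is not caught here; validate before writing the fragment, e.g. `case ${MODULES_SIGN_HASH} in sha1|sha224|sha256|sha384|sha512) ;; *) die "unsupported MODULES_SIGN_HASH=${MODULES_SIGN_HASH}" ;; esac`. The `[[ -e "${MODULES_SIGN_KEY}" ]]` test is also stricter than the kernel: CONFIG_MODULE_SIG_KEY may be a `pkcs11:` URI as well as a PEM path, so either accept that form explicitly or state in the die message that only a file path is supported.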

    You can drop the empty string argument and simply just write ewarn.

    And I am not sure if we really need a leading empty ewarn line, but this appears to be a common idiom.

    +            ewarn "MODULES_SIGN_KEY was not set, this means the kernel
    build system"
    +            ewarn "automatically generated the signing key. This key
    was installed"
    +            ewarn "in ${EROOT}/usr/src/linux-${PV}${KV_LOCALVERSION}/certs"
    +            ewarn "and will also be included in any binary packages."
    +            ewarn "Please take appropriate action to protect the key!"
    +            ewarn ""
    +            ewarn "Recompiling this package causes a new key to be
    generated. As"
    +            ewarn "a result any external kernel modules will need to be
    resigned."
    +            ewarn "Use emerge @module-rebuild, or manually sign the
    modules as"
    +            ewarn "described on the wiki [1]" +            ewarn ""
    +            ewarn "Consider using the MODULES_SIGN_KEY variable to use
    an external key."
    +            ewarn ""
    +            ewarn "[1]: https://wiki.gentoo.org/wiki/Signed_kernel_module_support"
    +        fi
    +    fi
    +}
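    Review bot: the pkg_postinst warning is gated on `[[ -z "${MODULES_SIGN_KEY}" ]]`, which re-reads the variable at install time instead of recording in the build phases whether a key was actually generated, so the warning can disagree with what happened at build time (most obviously when a binary package built elsewhere is installed); install a marker next to the key in src_install, or test for the generated `certs/signing_key.pem` under the installed tree the message itself points at, and warn on that. The message should also name the files to protect (`signing_key.pem` is the private key, `signing_key.x509` the certificate) rather than only the directory.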

    - Flow

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
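The warning in the patch above tells the administrator that external modules must be re-signed once the key changes, but not how to find the ones that are affected. The following script is an added example, not code from the patch, from gentoo-kernel or from the kernel tree: it inspects the trailer that scripts/sign-file appends to a .ko and reports which modules carry no signature at all (the ones CONFIG_MODULE_SIG_FORCE=y will refuse to load). The trailer layout is assumed from the kernel's include/linux/module_signature.h; the sample "modules" it builds are constructed files, not real ELF objects, and the PKCS#7 blob is only measured, never cryptographically verified.

```sh
#!/bin/sh
# Added example (not from the patch or from gentoo-kernel): find kernel
# modules without an appended signature and read the signature trailer.
#
# Assumed trailer layout (include/linux/module_signature.h, scripts/sign-file):
#   [signer][key id][signature][struct module_signature, 12 bytes][magic, 28 bytes]
# struct module_signature: algo(1) hash(1) id_type(1) signer_len(1)
#                          key_id_len(1) pad(3) sig_len(4, big-endian)
# For PKCS#7 signatures (id_type 2, what sign-file emits) signer_len and
# key_id_len are 0 and the signer is identified inside the PKCS#7 blob.

MODULE_SIG_MAGIC='~Module signature appended~'   # a newline follows it in the file

# Return 0 if the file ends with the signature magic, 1 otherwise.
module_is_signed() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -ge 40 ] || return 1
    # Command substitution strips the trailing newline on both sides; NUL bytes
    # are dropped so an unsigned ELF tail does not trigger shell warnings.
    [ "$(tail -c 28 "$1" | tr -d '\000')" = "$MODULE_SIG_MAGIC" ]
}

# Print "id_type sig_len signer_len key_id_len" parsed from struct module_signature.
module_sig_info() {
    set -- $(tail -c 40 "$1" | head -c 12 | od -An -tu1 -v)
    # $3 = id_type, $4 = signer_len, $5 = key_id_len, $9..$12 = sig_len (big-endian)
    echo "$3 $(( ($9 << 24) | (${10} << 16) | (${11} << 8) | ${12} )) $4 $5"
}

# Size of the module proper, i.e. the bytes sign-file hashed (whole file if unsigned).
module_payload_size() {
    f=$1
    module_is_signed "$f" || { wc -c < "$f" | tr -d ' '; return; }
    set -- $(module_sig_info "$f")
    echo $(( $(wc -c < "$f" | tr -d ' ') - 40 - $2 - $3 - $4 ))
}

# List every .ko below a directory that has no appended signature.
list_unsigned_modules() {
    find "$1" -type f -name '*.ko' | while read -r m; do
        module_is_signed "$m" || echo "$m"
    done
}

# Constructed sample (not a real module): a 20-byte fake body, a 16-byte
# placeholder PKCS#7 blob, the struct and the magic, in sign-file's order.
make_sample_module() {
    {
        printf 'fake-ELF-module-body'                                 # 20 bytes
        printf '%16s' '' | tr ' ' 'X'                                # fake signature
        printf '\000\000\002\000\000\000\000\000\000\000\000\020'    # struct, sig_len=16
        printf '%s\n' "$MODULE_SIG_MAGIC"
    } > "$1"
}

# Usage: sh modsig-check.sh /lib/modules/$(uname -r)
if [ -n "$1" ]; then
    list_unsigned_modules "$1"
fi
```

Run it against /lib/modules/$(uname -r) after a key rotation: every path it prints is a module that emerge @module-rebuild (or a manual sign-file run) still has to sign. A signed module built against the old key is not reported by this check, because the trailer alone does not say which certificate signed it; telling those apart needs the PKCS#7 signer information, which is beyond what this script parses.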
  • From Andrew Ammerlaan@21:1/5 to Florian Schmaus on Thu Jun 15 12:10:01 2023
    On 15/06/2023 11:59, Florian Schmaus wrote:
    On 15.06.23 11:50, Andrew Ammerlaan wrote:
    +pkg_postinst() {
    +    kernel-build_pkg_postinst
    +    if use modules-sign; then
    +        if [[ -z "${MODULES_SIGN_KEY}" ]]; then
    +            ewarn ""

    You can drop the empty string argument and simply just write ewarn.

    Thanks,

    And I am not sure if we really need a leading empty ewarn line, but this appears to be a common idiom.

    IMO it looks a bit better because kernel-build_pkg_postinst will also
    print some elog messages. The empty line makes it clearer that this is a separate message.

    Best regards,
    Andrew
