• [gentoo-dev] [PATCH 2/2] kernel-build.eclass: add USE="modules-sign"

    From Andrew Ammerlaan@21:1/5 to All on Thu Jun 15 12:00:02 2023
    From fc8894ff62b45cc7a4148a9f6ba51f1afe7b920a Mon Sep 17 00:00:00 2001
    From: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
    Date: Thu, 8 Jun 2023 20:44:58 +0200
    Subject: [PATCH] sys-kernel/gentoo-kernel: add USE="modules-sign"

    - Enable module signing configure options if requested by the user.
    - Respect the linux-mod-r1.eclass variables MODULES_SIGN_HASH and MODULES_SIGN_KEY.
    - Warn the user if we are letting the kernel build system generate
    the signing key. This key will end up in binary packages. Plus external
    modules will have to be re-signed if gentoo-kernel is re-emerged (i.e. a
    new key was generated).

    Bug: https://bugs.gentoo.org/881651
    Bug: https://bugs.gentoo.org/814344
    Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
    ---
    ...8.ebuild => gentoo-kernel-6.3.8.ebuild} | 45 ++++++++++++++++++-
    1 file changed, 44 insertions(+), 1 deletion(-)
    rename sys-kernel/gentoo-kernel/{gentoo-kernel-6.3.8.ebuild => gentoo-kernel-6.3.8-r1.ebuild} (71%)

    diff --git a/sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8.ebuild b/sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8-r1.ebuild
    similarity index 71%
    rename from sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8.ebuild
    rename to sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8-r1.ebuild
    index fd81855a6140a..4bc03564efbe0 100644
    --- a/sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8.ebuild
    +++ b/sys-kernel/gentoo-kernel/gentoo-kernel-6.3.8-r1.ebuild
    @@ -44,7 +44,7 @@ S=${WORKDIR}/${MY_P}

    LICENSE="GPL-2"
    KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ppc ~ppc64 ~riscv ~x86"
    -IUSE="debug hardened"
    +IUSE="debug hardened modules-sign"
    REQUIRED_USE="arm? ( savedconfig )
    hppa? ( savedconfig )
    riscv? ( savedconfig )"
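    Review bot: REQUIRED_USE is left untouched in this hunk, so modules-sign can be selected together with savedconfig on arm, hppa and riscv, but nothing visible here says whether the signing options are merged on top of a user-supplied savedconfig or only applied to the distribution config. One sentence in the commit message (or a REQUIRED_USE constraint, if the two are meant to be exclusive) would settle that for users who already carry CONFIG_MODULE_SIG settings in their saved config.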
    @@ -136,5 +136,48 @@ src_prepare() {
    merge_configs+=( "${dist_conf_p
  • From Andrew Ammerlaan@21:1/5 to All on Sat Jun 17 20:20:01 2023
    Split the patch in two pieces and changed the name of the pre-inherit
    variable to KERNEL_IUSE_MODULES_SIGN. Plus some quotation fixes.

    From e019e78448376b04c91397c7efc60ee72c24bf93 Mon Sep 17 00:00:00 2001
    From: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
    Date: Thu, 15 Jun 2023 21:10:02 +0200
    Subject: [PATCH] kernel-build.eclass: add IUSE="modules-sign"

    - Enable module signing configure options if requested by the user.

    - Define the user variables MODULES_SIGN_HASH and MODULES_SIGN_KEY
    for controlling the used hashing algorithm and allowing the use of
    external keys. These variables are the same as in linux-mod-r1.eclass.

    - Warn the user if we are letting the kernel build system generate the
    signing key. This key will end up in binary packages. Plus external
    modules will have to be re-signed if gentoo-kernel is re-emerged (i.e.
    a new key was generated).

    Bug: https://bugs.gentoo.org/814344
    Bug: https://bugs.gentoo.org/881651
    Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
    ---
    eclass/kernel-build.eclass | 90 +++++++++++++++++++++++++++++++++++++-
    1 file changed, 89 insertions(+), 1 deletion(-)

    diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
    index abfb01720817a..d28a74ef05758 100644
    --- a/eclass/kernel-build.eclass
    +++ b/eclass/kernel-build.eclass
    @@ -43,6 +43,48 @@ BDEPEND="

    IUSE="+strip"

    +# @ECLASS_VARIABLE: KERNEL_IUSE_MODULES_SIGN
    +# @PRE_INHERIT
    +# @DEFAULT_UNSET
    +# @DESCRIPTION:
    +# If set to a non-null value, adds IUSE=modules-sign and required
    +# logic to manipulate the kernel config while respecting the
    +# MODULES_SIGN_HASH and MODULES_SIGN_KEY user variables.
    +
    +# @ECLASS_VARIABLE: MODULES_SIGN_HASH
    +# @USER_VARIABLE
    +# @DEFAULT_UNSET
    +# @DESCRIPTION:
    +# Used with USE=modules-sign. Can be set to hash algorithm to use
    +# during signature generation (CONFIG_MODULE_SIG_SHA256).
    +#
    +# Valid values: sha512,sha384,sha256,sha224,sha1
    +#
    +# Default if unset: sha512
    +
    +# @ECLASS_VARIABLE: MODULES_SIGN_KEY
    +# @USER_VA
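    Review bot: the MODULES_SIGN_HASH description reads "Can be set to hash algorithm to use during signature generation (CONFIG_MODULE_SIG_SHA256)", which names only one of the five Kconfig choices and so suggests that the variable always maps to the sha256 option. Suggest "Can be set to the hash algorithm to use during signature generation (e.g. sha256 selects CONFIG_MODULE_SIG_SHA256)" so the one-to-one relation between the listed values and the CONFIG_MODULE_SIG_SHA* options is clear to someone reading the eclass documentation without the patch context.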
  • From Andrew Ammerlaan@21:1/5 to All on Tue Jun 20 20:20:01 2023
    Version 4 (and that's the last one, I promise) makes this work with
    pkcs11 URIs as well. Tested with my Nitrokey; it is (unsurprisingly) incredibly slow, but it works.

    From 70415544a4aea458039f1abbbf9c7e112de846f3 Mon Sep 17 00:00:00 2001
    From: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
    Date: Thu, 15 Jun 2023 21:10:02 +0200
    Subject: [PATCH] kernel-build.eclass: add IUSE="modules-sign"

    - Enable module signing configure options if requested by the user.

    - Define the user variables MODULES_SIGN_HASH and MODULES_SIGN_KEY
    for controlling the used hashing algorithm and allowing the use of
    external keys. These variables are the same as in linux-mod-r1.eclass.

    - Warn the user if we are letting the kernel build system generate the
    signing key. This key will end up in binary packages. Plus external
    modules will have to be re-signed if gentoo-kernel is re-emerged (i.e.
    a new key was generated).

    Bug: https://bugs.gentoo.org/814344
    Bug: https://bugs.gentoo.org/881651
    Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
    ---
    eclass/kernel-build.eclass | 90 +++++++++++++++++++++++++++++++++++++-
    1 file changed, 89 insertions(+), 1 deletion(-)

    diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
    index abfb01720817a..7d4e2133a04d2 100644
    --- a/eclass/kernel-build.eclass
    +++ b/eclass/kernel-build.eclass
    @@ -43,6 +43,48 @@ BDEPEND="

    IUSE="+strip"

    +# @ECLASS_VARIABLE: KERNEL_IUSE_MODULES_SIGN
    +# @PRE_INHERIT
    +# @DEFAULT_UNSET
    +# @DESCRIPTION:
    +# If set to a non-null value, adds IUSE=modules-sign and required
    +# logic to manipulate the kernel config while respecting the
    +# MODULES_SIGN_HASH and MODULES_SIGN_KEY user variables.
    +
    +# @ECLASS_VARIABLE: MODULES_SIGN_HASH
    +# @USER_VARIABLE
    +# @DEFAULT_UNSET
    +# @DESCRIPTION:
    +# Used with USE=modules-sign. Can be set to hash algorithm to use
    +# during signature generation (CONFIG_MODULE_SIG_SHA256).
    +#
    +# Valid values: sha512,sha384,sha256,sha224,sha1
    +#
    +# Default if unset: sha512
    +
    +# @ECLASS_VARIABLE: MODULES_SIGN_KEY
    +# @USER_VA
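    Review bot: "Valid values: sha512,sha384,sha256,sha224,sha1" lists sha1 on equal footing with the SHA-2 family, while the default is sha512. Since the hash is what the signature actually commits to, a short note that sha1 is accepted only for compatibility with existing keys or out-of-tree module tooling, and that the default should be kept otherwise, would stop users from picking it by analogy with older guides. Unrelated nit in the same block: "Can be set to hash algorithm" is missing "the".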