commit:     9163b23ef60ec34e3739e06eabe5167e36295ab7
Author:     Nowa Ammerlaan <nowa <AT> gentoo <DOT> org>
AuthorDate: Mon Jan  6 17:46:01 2025 +0000
Commit:     Nowa Ammerlaan <nowa <AT> gentoo <DOT> org>
CommitDate: Mon Jan  6 20:25:37 2025 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9163b23e

kernel-{build,install}.eclass: exclude any generated keys from binpkgs

The kernel build system supports generating a new module signing key if the
CONFIG_MODULE_SIG_KEY is set to the default value (MODULES_SIGN_KEY is not set)
and no key exists at that default location.

This results in the unfortunate situation where private key material ends up
in generated binary packages. That is almost never what you want since binary
packages are usually readable by regular users. To avoid this we move the key
out of the ED in the install phase, and move it back in the preinst phase after
the binary package has been built.

This also means that when distributing built binary packages to other systems
the signing key will now never be installed onto all those other systems, which
is probably what you want anyway.

Note, there is no change for folks who use externally managed keys, i.e. for
everyone who has MODULES_SIGN_KEY and MODULE_SIGN_CERT set.

Signed-off-by: Nowa Ammerlaan <nowa <AT> gentoo.org>
Closes: https://github.com/gentoo/gentoo/pull/40017
Signed-off-by: Nowa Ammerlaan <nowa <AT> gentoo.org>

 eclass/kernel-build.eclass   | 6 +++++-
 eclass/kernel-install.eclass | 9 +++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index 8f3346bb4874..65433d9fc9c0 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -447,6 +447,11 @@ kernel-build_src_install() {
 
        # Copy built key/certificate files
        cp -p build/certs/* "${ED}${kernel_dir}/certs/" || die
+       # If a key was generated, exclude it from the binpkg
+       local generated_key=${ED}${kernel_dir}/certs/signing_key.pem
+       if [[ -r ${generated_key} ]]; then
+               mv "${generated_key}" "${T}/signing_key.pem" || die
+       fi
 
        # building modules fails with 'vmlinux has no symtab?' if stripped
        use ppc64 && dostrip -x "${kernel_dir}/${image_path}"
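Review bot: The `-r` test on line L45 means a generated key that exists but is not readable by the build user is silently left in `${ED}`, i.e. it still ends up in the binpkg, which is the exact case this hunk is meant to prevent; `if [[ -f ${generated_key} ]]; then` (or `-e`) keeps the relocation unconditional on permissions, and a following `[[ -r ]]` can still die loudly if the file cannot be read. Note also that the key is first copied into `${ED}` by the `cp -p build/certs/*` on L42 and only then moved out, so the original remains in `build/certs/` under the work directory; that copy is presumably discarded with the build dir, but with FEATURES such as keepwork it would survive, which is worth a comment like `# the original under build/certs/ stays in WORKDIR until the build dir is cleaned`. The mode of the relocated file is whatever the kernel build gave it, nothing here tightens it. kernel-build_src_install starts before this hunk and continues after it.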
@@ -654,7 +659,6 @@ kernel-build_pkg_postinst() {
                        ewarn "MODULES_SIGN_KEY was not set, this means the 
kernel build system"
                        ewarn "automatically generated the signing key. This 
key was installed"
                        ewarn "in ${EROOT}/usr/src/linux-${KV_FULL}/certs"
-                       ewarn "and will also be included in any binary 
packages."
                        ewarn "Please take appropriate action to protect the 
key!"
                        ewarn
                        ewarn "Recompiling this package causes a new key to be 
generated. As"

diff --git a/eclass/kernel-install.eclass b/eclass/kernel-install.eclass
index f70556ad41f5..1cc2bd0bb737 100644
--- a/eclass/kernel-install.eclass
+++ b/eclass/kernel-install.eclass
@@ -607,6 +607,15 @@ kernel-install_pkg_preinst() {
        [[ ! -d ${kernel_dir} ]] &&
                die "Kernel directory ${kernel_dir} not installed!"
 
+       # We moved this in order to omit it from the binpkg, move it back
+       if [[ -r "${T}/signing_key.pem" ]]; then
+               # cp instead of mv to set owner to root in one go
+               (
+                       umask 066 &&
+                               cp "${T}/signing_key.pem" 
"${kernel_dir}/certs/signing_key.pem"
+               ) || die
+       fi
+
        # perform the version check for release ebuilds only
        if [[ ${PV} != *9999 ]]; then
                local expected_ver=$(dist-kernel_PV_to_KV "${PV}")
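Review bot: The `umask 066` on L77 only governs the mode of a newly created file; if `${kernel_dir}/certs/signing_key.pem` already exists, `cp` truncates and rewrites it in place and the existing (possibly wider) mode and ownership are kept, so the 0600/root guarantee the comment on L75 relies on is conditional. `install -m 0600 -o root -g root "${T}/signing_key.pem" "${kernel_dir}/certs/signing_key.pem" || die` states the intended mode and owner explicitly, works whether or not the target exists, and removes the need for the subshell. Whether `kernel_dir` points into the image or the live root is set above this hunk and cannot be confirmed here; if it is the image path, the merge step presumably carries the mode over, which the comment could say. Separately, this only keeps the key out of packages built with buildpkg; a package later produced from the installed tree (e.g. quickpkg) would still contain it, which is worth a sentence in the comment or the eclass docs. kernel-install_pkg_preinst starts before this hunk and continues after it.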
