The kernel build system expects the module signing key and
certificate in one file. In order to accommodate this we merge the
MODULES_SIGN_KEY and MODULES_SIGN_CERT into a temporary key in $T.

However, in doing so we override the MODULES_SIGN_KEY variable (but
not the MODULES_SIGN_CERT variable). This becomes a problem when
merging binpkgs because then the MODULES_SIGN_KEY variable points to
a temporary signing key that does not exist (whereas the untouched
MODULES_SIGN_CERT does exist). Usually this is not an issue except if
the MODULES_SIGN_KEY is to be used later in the binpkg merging process
such as is the case in, for example, the dkms installkernel hook.

Here we resolve this unfortunate situation by using a local variable
during the config merging process and not touching the original
MODULES_SIGN_KEY. Therefore, the MODULES_SIGN_KEY will now also
point us to an existing key if we are merging a binpkg of the kernel.

Signed-off-by: Nowa Ammerlaan <n...@gentoo.org>
---
 eclass/kernel-build.eclass | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index 65433d9fc9c0..1d8c396b9590 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -741,18 +741,19 @@ kernel-build_merge_configs() {
        fi
 
        if [[ ${KERNEL_IUSE_MODULES_SIGN} ]] && use modules-sign; then
+               local modules_sign_key=${MODULES_SIGN_KEY}
                if [[ -n ${MODULES_SIGN_KEY_CONTENTS} ]]; then
-                       (umask 066 && touch "${T}/kernel_key.pem" || die)
-                       echo "${MODULES_SIGN_KEY_CONTENTS}" > 
"${T}/kernel_key.pem" || die
+                       modules_sign_key="${T}/kernel_key.pem"
+                       (umask 066 && touch "${modules_sign_key}" || die)
+                       echo "${MODULES_SIGN_KEY_CONTENTS}" > 
"${modules_sign_key}" || die
                        unset MODULES_SIGN_KEY_CONTENTS
-                       export MODULES_SIGN_KEY="${T}/kernel_key.pem"
                fi
-               if [[ ${MODULES_SIGN_KEY} == pkcs11:* || -r ${MODULES_SIGN_KEY} 
]]; then
-                       echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \
+               if [[ ${modules_sign_key} == pkcs11:* || -r ${modules_sign_key} 
]]; then
+                       echo "CONFIG_MODULE_SIG_KEY=\"${modules_sign_key}\"" \
                                >> "${WORKDIR}/modules-sign-key.config"
                        merge_configs+=( "${WORKDIR}/modules-sign-key.config" )
-               elif [[ -n ${MODULES_SIGN_KEY} ]]; then
-                       die "MODULES_SIGN_KEY=${MODULES_SIGN_KEY} not found or 
not readable!"
+               elif [[ -n ${modules_sign_key} ]]; then
+                       die "MODULES_SIGN_KEY=${modules_sign_key} not found or 
not readable!"
                fi
        fi
 
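Review bot: With the `export MODULES_SIGN_KEY="${T}/kernel_key.pem"` line removed, a build that supplies the key only through MODULES_SIGN_KEY_CONTENTS now leaves MODULES_SIGN_KEY at whatever the user set (possibly empty) once kernel-build_merge_configs returns. Please confirm that nothing later in the build phases reads MODULES_SIGN_KEY expecting the merged temporary key, since the path now lives only in the function-local `modules_sign_key`. A short comment next to `local modules_sign_key=${MODULES_SIGN_KEY}` saying that the user's variable is deliberately left untouched for binpkg merges would keep a later cleanup from reintroducing the export. Smaller point: the final `die` still labels its value as `MODULES_SIGN_KEY=` but prints `${modules_sign_key}`, which in the MODULES_SIGN_KEY_CONTENTS case is the path under `${T}` and not something the user configured, so the message could name the path it actually checked.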
-- 
2.48.1

