On Thu, 2023-08-17 at 10:40 +0200, Andrew Ammerlaan wrote:
> Hi all,
>
> This is a small patch from [1] that allows signing kernel modules using
> a separate key and certificate PEM file. See the commit message below
> for a more in-depth explanation.
>
> Best regards,
> Andrew
>
> [1] https://github.com/gentoo/gentoo/pull/32275
>
>
> From 61b7db57f343ab172bcc449320c4e96cafb9cd06 Mon Sep 17 00:00:00 2001
> From: Violet Purcell <vimpro...@inventati.org>
> Date: Sat, 12 Aug 2023 16:59:14 -0400
> Subject: [PATCH] kernel-build.eclass: Fix separate private and public module
> signing keys
>
> The kernel expects CONFIG_MODULE_SIG_KEY to be either a pkcs11 URI
> containing refences to both a private and public key, or a path to a PEM
> file containing both the private and public keys. However, currently the
> kernel build will fail if MODULES_SIGNING_KEY is set to a PEM file
> containing only the private key. This commit adds a step in
> kernel-build_merge_configs that concatenates MODULES_SIGNING_KEY and
> MODULES_SIGNING_CERT into ${T}/kernel_key.pem if both files exist and
> are not the same path. It then sets MODULES_SIGNING_KEY to
> ${T}/kernel_key.pem. This should fix building with separate private and
> public module signing keys.
>
> Signed-off-by: Violet Purcell <vimpro...@inventati.org>
> ---
> eclass/kernel-build.eclass | 17 ++++++++++++++++-
> 1 file changed, 16 insertions(+), 1 deletion(-)
>
> diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
> index 276a08a104e0e..1a33ce2e875f2 100644
> --- a/eclass/kernel-build.eclass
> +++ b/eclass/kernel-build.eclass
> @@ -57,7 +57,8 @@ IUSE="+strip"
> # @DESCRIPTION:
> # If set to a non-null value, adds IUSE=modules-sign and required
> # logic to manipulate the kernel config while respecting the
> -# MODULES_SIGN_HASH and MODULES_SIGN_KEY user variables.
> +# MODULES_SIGN_HASH, MODULES_SIGN_CERT, and MODULES_SIGN_KEY user
> +# variables.
>
> # @ECLASS_VARIABLE: MODULES_SIGN_HASH
> # @USER_VARIABLE
> @@ -89,6 +90,14 @@ IUSE="+strip"
> #
> # Default if unset: certs/signing_key.pem
>
> +# @ECLASS_VARIABLE: MODULES_SIGN_CERT
> +# @USER_VARIABLE
> +# @DEFAULT_UNSET
> +# @DESCRIPTION:
> +# Used with USE=modules-sign. Can be set to the path of the public
> +# key in PEM format to use. Must be specified if MODULES_SIGN_KEY
> +# is set to a path of a file that only contains the private key.
> +
> if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
> IUSE+=" modules-sign"
> REQUIRED_USE="secureboot? ( modules-sign )"
> @@ -394,6 +403,12 @@ kernel-build_merge_configs() {
> CONFIG_MODULE_SIG_FORCE=y
> CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y
> EOF
> + if [[ -e ${MODULES_SIGN_KEY} ]] && [[ -e
> ${MODULES_SIGN_CERT} ]] \
> + && [[ ${MODULES_SIGN_KEY} !=
> ${MODULES_SIGN_CERT} ]] \
> + && [[ ${MODULES_SIGN_KEY} != pkcs11:* ]]; then
Please don't split [[ ... ]], and then use && for line wrapping instead
of backslashes.
> + cat "${MODULES_SIGN_CERT}"
> "${MODULES_SIGN_KEY}" >
> "${T}/kernel_key.pem" || die
> + MODULES_SIGN_KEY="${T}/kernel_key.pem"
> + fi
> if [[ ${MODULES_SIGN_KEY} == pkcs11:* || -e
> ${MODULES_SIGN_KEY} ]];
> then
> echo
> "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \
> >> "${WORKDIR}/modules-sign.config"
>
--
Best regards,
Michał Górny
