Hi all,
By signing the kernel image in src_install instead of pkg_postinst the signed version is included in any generated binpkg. This is useful for enabling secureboot on machines that do not have the secureboot private key available. This change makes it possible to distribute a signed kernel image in sys-kernel/gentoo-kernel-bin.

Note, UKIs are always generated locally, so if UKIs are used these will still have to be signed in pkg_postinst and therefore the private key is still required on all systems with USE=secureboot and uefi=yes in dracut.conf.
Signed-off-by: Andrew Ammerlaan <andrewammerl...@gentoo.org>
---
eclass/kernel-build.eclass | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index 5b324e036c5f9..035b1e7cd02ac 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -33,6 +33,7 @@ if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
# If we have enabled module signing IUSE
# then we can also enable secureboot IUSE
KERNEL_IUSE_SECUREBOOT=1
+ inherit secureboot
fi
inherit multiprocessing python-any-r1 savedconfig toolchain-funcs
kernel-install
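Review bot: the `inherit secureboot` sits inside the `if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]` block, so secureboot_sign_efi_file is only defined when the ebuild sets KERNEL_IUSE_MODULES_SIGN before inheriting; that lines up with the KERNEL_IUSE_SECUREBOOT guard used later in this eclass, but a conditional inherit is easy to trip over in later edits. Consider adding secureboot to the unconditional `inherit multiprocessing python-any-r1 savedconfig toolchain-funcs kernel-install` line instead, unless the secureboot eclass contributes IUSE or dependencies that must stay behind the KERNEL_IUSE_MODULES_SIGN switch, in which case a short comment next to the inherit saying so would document the choice.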
@@ -348,6 +349,10 @@ kernel-build_src_install() {
dosym "../../../${kernel_dir}" "/lib/modules/${module_ver}/build"
dosym "../../../${kernel_dir}" "/lib/modules/${module_ver}/source"
+ if [[ ${KERNEL_IUSE_SECUREBOOT} ]]; then
+ secureboot_sign_efi_file "${ED}${kernel_dir}/${image_path}"
"${ED}${kernel_dir}/${image_path}"
+ fi
+
# unset to at least be out of the environment file in, e.g. shared
binpkgs
unset KBUILD_SIGN_PIN
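Review bot: the guard `if [[ ${KERNEL_IUSE_SECUREBOOT} ]]` only checks that the secureboot flag is exposed in IUSE, not that it is enabled, so unless secureboot_sign_efi_file itself returns early when `use secureboot` is off, the condition should be `if [[ ${KERNEL_IUSE_SECUREBOOT} ]] && use secureboot; then`. Two smaller points: the input and output arguments are the same path (`"${ED}${kernel_dir}/${image_path}"` twice), so this relies on the helper supporting in-place signing and a one-line comment stating that the image is signed in place would make the intent clear; and since the diffstat shows only insertions, whatever currently signs the image in pkg_postinst is not removed here, so either that path already skips the non-UKI image or the image will now be signed twice, and the commit message should say which.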