From: "Andrew Ammerlaan"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Andrew Ammerlaan"
Message-ID: <1687287454.bcd3103426971497f634ddf12d535b3010e9138b.andrewammerlaan@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: eclass/
X-VCS-Repository: repo/gentoo
X-VCS-Files: eclass/kernel-build.eclass
X-VCS-Directories: eclass/
X-VCS-Committer: andrewammerlaan
X-VCS-Committer-Name: Andrew Ammerlaan
X-VCS-Revision: bcd3103426971497f634ddf12d535b3010e9138b
X-VCS-Branch: master
Date: Tue, 20 Jun 2023 18:57:53 +0000 (UTC)

commit:     bcd3103426971497f634ddf12d535b3010e9138b
Author:     Andrew Ammerlaan gentoo org>
AuthorDate: Thu Jun 15 19:10:02 2023 +0000
Commit:     Andrew Ammerlaan gentoo org>
CommitDate: Tue Jun 20 18:57:34 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bcd31034

kernel-build.eclass: add IUSE="modules-sign"

- Enable module signing configure options if requested by the user.
- Define the user variables MODULES_SIGN_HASH and MODULES_SIGN_KEY for
  controlling the used hashing algorithm and allowing the use of external
  keys. These variables are the same as in linux-mod-r1.eclass.
- Warn the user if we are letting the kernel build system generate the
  signing key. This key will end up in binary packages. Plus external
  modules will have to be resigned if gentoo-kernel is re-emerged (i.e. a
  new key was generated).

Bug: https://bugs.gentoo.org/814344
Bug: https://bugs.gentoo.org/881651
Signed-off-by: Andrew Ammerlaan gentoo.org> eclass/kernel-build.eclass | 90 +++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 89 insertions(+), 1 deletion(-) diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass index c6f3ebeca962..963e020b3746 100644 --- a/eclass/kernel-build.eclass +++ b/eclass/kernel-build.eclass @@ -43,6 +43,48 @@ BDEPEND=" IUSE="+strip" +# @ECLASS_VARIABLE: KERNEL_IUSE_MODULES_SIGN +# @PRE_INHERIT +# @DEFAULT_UNSET +# @DESCRIPTION: +# If set to a non-null value, adds IUSE=modules-sign and required +# logic to manipulate the kernel config while respecting the +# MODULES_SIGN_HASH and MODULES_SIGN_KEY user variables. + +# @ECLASS_VARIABLE: MODULES_SIGN_HASH +# @USER_VARIABLE +# @DEFAULT_UNSET +# @DESCRIPTION: +# Used with USE=modules-sign. Can be set to hash algorithm to use +# during signature generation (CONFIG_MODULE_SIG_SHA256). +# +# Valid values: sha512,sha384,sha256,sha224,sha1 +# +# Default if unset: sha512 + +# @ECLASS_VARIABLE: MODULES_SIGN_KEY +# @USER_VARIABLE +# @DEFAULT_UNSET +# @DESCRIPTION: +# Used with USE=modules-sign. Can be set to the path of the private +# key in PEM format to use, or a PKCS#11 URI (CONFIG_MODULE_SIG_KEY). +# +# If path is relative (e.g. "certs/name.pem"), it is assumed to be +# relative to the kernel build directory being used. +# +# If the key requires a passphrase or PIN, the used kernel sign-file +# utility recognizes the KBUILD_SIGN_PIN environment variable. Be +# warned that the package manager may store this value in binary +# packages, database files, temporary files, and possibly logs. This +# eclass unsets the variable after use to mitigate the issue (notably +# for shared binary packages), but use this with care. +# +# Default if unset: certs/signing_key.pem + +if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then + IUSE+=" modules-sign" +fi + # @FUNCTION: kernel-build_src_configure # @DESCRIPTION: # Prepare the toolchain for building the kernel, get the default .config 
@@ -259,6 +301,9 @@ kernel-build_src_install() { dosym "../../../${kernel_dir}" "/lib/modules/${module_ver}/build" dosym "../../../${kernel_dir}" "/lib/modules/${module_ver}/source" + # unset to at least be out of the environment file in, e.g. shared binpkgs + unset KBUILD_SIGN_PIN + save_config build/.config } @@ -268,6 +313,26 @@ kernel-build_src_install() { kernel-build_pkg_postinst() { kernel-install_pkg_postinst savedconfig_pkg_postinst + + if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then + if use modules-sign && [[ -z ${MODULES_SIGN_KEY} ]]; then + ewarn + ewarn "MODULES_SIGN_KEY was not set, this means the kernel build system" + ewarn "automatically generated the signing key. This key was installed" + ewarn "in ${EROOT}/usr/src/linux-${PV}${KV_LOCALVERSION}/certs" + ewarn "and will also be included in any binary packages." + ewarn "Please take appropriate action to protect the key!" + ewarn + ewarn "Recompiling this package causes a new key to be generated. As" + ewarn "a result any external kernel modules will need to be resigned." + ewarn "Use emerge @module-rebuild, or manually sign the modules as" + ewarn "described on the wiki [1]" + ewarn + ewarn "Consider using the MODULES_SIGN_KEY variable to use an external key." + ewarn + ewarn "[1]: https://wiki.gentoo.org/wiki/Signed_kernel_module_support" + fi + fi } # @FUNCTION: kernel-build_merge_configs 
@@ -290,16 +355,39 @@ kernel-build_merge_configs() { local user_configs=( "${BROOT}"/etc/kernel/config.d/*.config ) shopt -u nullglob + local merge_configs=( "${@}" ) + + if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then + if use modules-sign; then + : "${MODULES_SIGN_HASH:=sha512}" + cat <<-EOF > "${WORKDIR}/modules-sign.config" || die + ## Enable module signing + CONFIG_MODULE_SIG=y + CONFIG_MODULE_SIG_ALL=y + CONFIG_MODULE_SIG_FORCE=y + CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y + EOF + if [[ ${MODULES_SIGN_KEY} == pkcs11:* || -e ${MODULES_SIGN_KEY} ]]; then + echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \ + >> "${WORKDIR}/modules-sign.config" + elif [[ -n ${MODULES_SIGN_KEY} ]]; then + die "MODULES_SIGN_KEY=${MODULES_SIGN_KEY} not found!" + fi + merge_configs+=( "${WORKDIR}/modules-sign.config" ) + fi + fi + if [[ ${#user_configs[@]} -gt 0 ]]; then elog "User config files are being applied:" local x for x in "${user_configs[@]}"; do elog "- ${x}" done + merge_configs+=( "${user_configs[@]}" ) fi ./scripts/kconfig/merge_config.sh -m -r \ - .config "${@}" "${user_configs[@]}" || die + .config "${merge_configs[@]}" || die } fi
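Review bot: in the @@ -43,6 +43,48 @@ hunk, the MODULES_SIGN_HASH description cites CONFIG_MODULE_SIG_SHA256 as the symbol being set while the documented default is sha512, so the text reads as if sha256 were the default; suggest naming the symbol generically, e.g. "(CONFIG_MODULE_SIG_<HASH>, CONFIG_MODULE_SIG_SHA512 by default)". The "Valid values" list given here is also not enforced anywhere in the patch, so the documentation is currently the only guard against a typo in the user's make.conf.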
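Review bot: in the @@ -259,6 +301,9 @@ hunk, `unset KBUILD_SIGN_PIN` runs in kernel-build_src_install, after signing has already happened during the build, so it only scrubs the environment captured from this phase onward; the eclass documentation added in this patch already states that the package manager may keep the value in database files, temporary files and logs, so the comment should say that this is a best-effort measure for the saved environment rather than a full mitigation, e.g. "# best effort: keep the PIN out of the environment saved with the package (e.g. shared binpkgs)".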
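Review bot: in the @@ -268,6 +313,26 @@ hunk, `use modules-sign && [[ -z ${MODULES_SIGN_KEY} ]]` decides at pkg_postinst time whether an auto-generated key was used, but that decision was actually made in kernel-build_merge_configs at build time; the warning is only correct if the package manager restores the build-time value of MODULES_SIGN_KEY when a binary package's pkg_postinst runs, and is wrong if the installing host's own make.conf value is seen instead. Suggest recording the outcome explicitly at build time (e.g. setting a variable in merge_configs that is saved with the package environment) and testing that here, which also makes the warning about the key being "included in any binary packages" fire exactly when a key was generated into the package.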
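Review bot: in the @@ -290,16 +355,39 @@ hunk, MODULES_SIGN_HASH is interpolated unvalidated into `CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y`; a value outside the documented list yields a symbol the kernel config does not know, which merge_config.sh reports as not present in the final .config without failing the build, leaving the kernel's default hash rather than the one the user asked for. Suggest a guard before the heredoc, e.g. `case ${MODULES_SIGN_HASH} in sha512|sha384|sha256|sha224|sha1) ;; *) die "Unsupported MODULES_SIGN_HASH=${MODULES_SIGN_HASH}" ;; esac`. Separately, the `-e ${MODULES_SIGN_KEY}` test resolves a relative path against the current working directory, which only matches the "relative to the kernel build directory" documentation because this function runs from the build directory (as the `./scripts/kconfig/merge_config.sh` invocation shows); a one-line comment stating that assumption would help future callers.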