Diffstat (limited to 'eclass')
-rw-r--r--eclass/kernel-build.eclass90
1 files changed, 89 insertions, 1 deletions
diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index c6f3ebeca962..963e020b3746 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -43,6 +43,48 @@ BDEPEND="
IUSE="+strip"
+# @ECLASS_VARIABLE: KERNEL_IUSE_MODULES_SIGN
+# @PRE_INHERIT
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# If set to a non-null value, adds IUSE=modules-sign and required
+# logic to manipulate the kernel config while respecting the
+# MODULES_SIGN_HASH and MODULES_SIGN_KEY user variables.
+
+# @ECLASS_VARIABLE: MODULES_SIGN_HASH
+# @USER_VARIABLE
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# Used with USE=modules-sign. Can be set to hash algorithm to use
+# during signature generation (CONFIG_MODULE_SIG_SHA256).
+#
+# Valid values: sha512,sha384,sha256,sha224,sha1
+#
+# Default if unset: sha512
+
+# @ECLASS_VARIABLE: MODULES_SIGN_KEY
+# @USER_VARIABLE
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# Used with USE=modules-sign. Can be set to the path of the private
+# key in PEM format to use, or a PKCS#11 URI (CONFIG_MODULE_SIG_KEY).
+#
+# If path is relative (e.g. "certs/name.pem"), it is assumed to be
+# relative to the kernel build directory being used.
+#
+# If the key requires a passphrase or PIN, the used kernel sign-file
+# utility recognizes the KBUILD_SIGN_PIN environment variable. Be
+# warned that the package manager may store this value in binary
+# packages, database files, temporary files, and possibly logs. This
+# eclass unsets the variable after use to mitigate the issue (notably
+# for shared binary packages), but use this with care.
+#
+# Default if unset: certs/signing_key.pem
+
+if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
+ IUSE+=" modules-sign"
+fi
+
# @FUNCTION: kernel-build_src_configure
# @DESCRIPTION:
# Prepare the toolchain for building the kernel, get the default .config
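Review bot: The MODULES_SIGN_KEY description should state that the value is copied verbatim into CONFIG_MODULE_SIG_KEY, because kernel-build_merge_configs writes it to the config fragment and kernel-build_src_install later calls `save_config build/.config`. A PKCS#11 URI that embeds a PIN attribute would therefore persist in the saved config and in binary packages, which the KBUILD_SIGN_PIN unset does not cover. Suggested addition after the PKCS#11 sentence: `# The value is written as-is to the kernel config, so do not embed a PIN in the URI.` The MODULES_SIGN_HASH description also names only CONFIG_MODULE_SIG_SHA256 although the default is sha512; `(CONFIG_MODULE_SIG_<HASH>)` would be clearer, and sha1 could be marked as discouraged.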
@@ -259,6 +301,9 @@ kernel-build_src_install() {
dosym "../../../${kernel_dir}" "/lib/modules/${module_ver}/build"
dosym "../../../${kernel_dir}" "/lib/modules/${module_ver}/source"
+ # unset to at least be out of the environment file in, e.g. shared binpkgs
+ unset KBUILD_SIGN_PIN
+
save_config build/.config
}
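Review bot: The comment on the added `unset KBUILD_SIGN_PIN` is hard to parse and does not say why the unset sits at this point. Something like `# Drop the PIN before the environment is saved, so that it does not end up in the environment file of (possibly shared) binary packages.` states the intent. Because the unset runs only at the end of src_install, the PIN presumably remains in the environment during the earlier phases, a limit the variable documentation already mentions. kernel-build_src_install starts outside the hunk.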
@@ -268,6 +313,26 @@ kernel-build_src_install() {
kernel-build_pkg_postinst() {
kernel-install_pkg_postinst
savedconfig_pkg_postinst
+
+ if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
+ if use modules-sign && [[ -z ${MODULES_SIGN_KEY} ]]; then
+ ewarn
+ ewarn "MODULES_SIGN_KEY was not set, this means the kernel build system"
+ ewarn "automatically generated the signing key. This key was installed"
+ ewarn "in ${EROOT}/usr/src/linux-${PV}${KV_LOCALVERSION}/certs"
+ ewarn "and will also be included in any binary packages."
+ ewarn "Please take appropriate action to protect the key!"
+ ewarn
+ ewarn "Recompiling this package causes a new key to be generated. As"
+ ewarn "a result any external kernel modules will need to be resigned."
+ ewarn "Use emerge @module-rebuild, or manually sign the modules as"
+ ewarn "described on the wiki [1]"
+ ewarn
+ ewarn "Consider using the MODULES_SIGN_KEY variable to use an external key."
+ ewarn
+ ewarn "[1]: https://wiki.gentoo.org/wiki/Signed_kernel_module_support"
+ fi
+ fi
}
# @FUNCTION: kernel-build_merge_configs
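Review bot: The warning tells the user to "take appropriate action" without naming the key file or the action. That is thin for a private key which, with CONFIG_MODULE_SIG_FORCE=y set by this eclass, decides which modules the kernel will load. Name the file (the documented default is certs/signing_key.pem) and the expected handling, e.g. `ewarn "Make certs/signing_key.pem readable by root only and do not share"` followed by `ewarn "binary packages of this kernel with hosts you do not trust."`. The check `[[ -z ${MODULES_SIGN_KEY} ]]` is evaluated at pkg_postinst time, so it is worth confirming that it reflects the value used at build time when a binary package is installed.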
@@ -290,16 +355,39 @@ kernel-build_merge_configs() {
local user_configs=( "${BROOT}"/etc/kernel/config.d/*.config )
shopt -u nullglob
+ local merge_configs=( "${@}" )
+
+ if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
+ if use modules-sign; then
+ : "${MODULES_SIGN_HASH:=sha512}"
+ cat <<-EOF > "${WORKDIR}/modules-sign.config" || die
+ ## Enable module signing
+ CONFIG_MODULE_SIG=y
+ CONFIG_MODULE_SIG_ALL=y
+ CONFIG_MODULE_SIG_FORCE=y
+ CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y
+ EOF
+ if [[ ${MODULES_SIGN_KEY} == pkcs11:* || -e ${MODULES_SIGN_KEY} ]]; then
+ echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \
+ >> "${WORKDIR}/modules-sign.config"
+ elif [[ -n ${MODULES_SIGN_KEY} ]]; then
+ die "MODULES_SIGN_KEY=${MODULES_SIGN_KEY} not found!"
+ fi
+ merge_configs+=( "${WORKDIR}/modules-sign.config" )
+ fi
+ fi
+
if [[ ${#user_configs[@]} -gt 0 ]]; then
elog "User config files are being applied:"
local x
for x in "${user_configs[@]}"; do
elog "- ${x}"
done
+ merge_configs+=( "${user_configs[@]}" )
fi
./scripts/kconfig/merge_config.sh -m -r \
- .config "${@}" "${user_configs[@]}" || die
+ .config "${merge_configs[@]}" || die
}
fi
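Review bot: `MODULES_SIGN_HASH` is upper-cased and spliced into `CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y` without being checked against the list the eclass documents. A typo therefore produces a symbol Kconfig does not know, and the build presumably falls back to whatever hash the base config selects, with no error. Validate it right after the default is applied, e.g. `case ${MODULES_SIGN_HASH} in sha512|sha384|sha256|sha224|sha1) ;; *) die "Invalid MODULES_SIGN_HASH=${MODULES_SIGN_HASH}" ;; esac`. The `echo ... >> "${WORKDIR}/modules-sign.config"` that appends CONFIG_MODULE_SIG_KEY also lacks the `|| die` that the heredoc above it has. kernel-build_merge_configs starts outside the hunk.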