commit: b678c191a5e453a42b6dcf2b3406fd41fcd6d5c7
Author: Nowa Ammerlaan <nowa <AT> gentoo <DOT> org>
AuthorDate: Sat Jan 4 12:56:20 2025 +0000
Commit: Nowa Ammerlaan <nowa <AT> gentoo <DOT> org>
CommitDate: Sun Jan 5 13:39:25 2025 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b678c191
kernel-build.eclass: pcrpkey should be PEM not DER
We still need the call to openssl to ensure that we don't accidentally append
the key itself to the UKI.
Signed-off-by: Nowa Ammerlaan <nowa <AT> gentoo.org>
eclass/kernel-build.eclass | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index aae55d9e3ac5..e3175453fea7 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -587,14 +587,18 @@ kernel-build_src_install() {
done
if [[ ${KERNEL_IUSE_MODULES_SIGN} ]] && use secureboot;
then
+ # --pcrpkey is appended as is. If the
certificate and key
+ # are in the same file, we could accidentally
leak the key
+ # into the UKI. Pass the certificate through
openssl to ensure
+ # that it truly contains *only* the certificate.
openssl x509 \
-in "${SECUREBOOT_SIGN_CERT}" -inform
PEM \
- -out ${T}/pcrpkey.der -outform DER ||
- die "Failed to convert
certificate to DER format"
+ -out "${T}/pcrpkey.pem" -outform PEM ||
+ die "Failed to extract
certificate"
ukify_args+=(
--secureboot-private-key="${SECUREBOOT_SIGN_KEY}"
--secureboot-certificate="${SECUREBOOT_SIGN_CERT}"
- --pcrpkey="${T}/pcrpkey.der"
+ --pcrpkey="${T}/pcrpkey.pem"
--measure
)
if [[ ${SECUREBOOT_SIGN_KEY} == pkcs11:* ]];
then
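Review bot: The openssl call at the top of the hunk hard-codes `-inform PEM`, so a DER-encoded SECUREBOOT_SIGN_CERT now fails with the generic "Failed to extract certificate" message, which does not tell the user what the eclass expects; the error text should name the requirement, e.g. `die "Failed to extract certificate (SECUREBOOT_SIGN_CERT must be a PEM-encoded X.509 certificate)"`, and the same constraint belongs in the eclass documentation for SECUREBOOT_SIGN_CERT if it is not already stated there. The new comment is a good explanation of why the pass-through exists; it might also mention that `openssl x509` emits only the first certificate in the input, so a chain file is reduced to its leaf, which is presumably what --pcrpkey should receive but is worth stating explicitly. Note that the surrounding `--secureboot-certificate="${SECUREBOOT_SIGN_CERT}"` line still hands the original (possibly combined) file to ukify for signing, which appears intentional since that path is not embedded in the image. kernel-build_src_install starts and ends outside the hunk.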