commit: 45367fd36d1b1be24cefc3d6266012258b3c3068 Author: Nowa Ammerlaan <nowa <AT> gentoo <DOT> org> AuthorDate: Thu Sep 11 16:44:21 2025 +0000 Commit: Nowa Ammerlaan <nowa <AT> gentoo <DOT> org> CommitDate: Thu Sep 11 16:44:21 2025 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=45367fd3
kernel-build.eclass: replace cert with pubkey in generic-uki .pcrpkey

This is the final piece in the Measured Boot puzzle, we have been putting the full certificate in the pcrpkey section. But though the certificate does contain the public key, the tools downstream get confused by the incorrect format. We now resolve the problem by extracting the public key from the certificate and using that instead.

See-also: https://github.com/systemd/systemd/issues/38833
Closes: https://bugs.gentoo.org/960276
Signed-off-by: Nowa Ammerlaan <nowa <AT> gentoo.org>

 eclass/kernel-build.eclass | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index 7a5c80cfd6a6..2b16d0a226dd 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -609,14 +609,13 @@ kernel-build_src_install() {
 		done
 
 		if [[ ${KERNEL_IUSE_MODULES_SIGN} ]] && use secureboot; then
-			# --pcrpkey is appended as is. If the certificate and key
-			# are in the same file, we could accidentally leak the key
-			# into the UKI. Pass the certificate through openssl to ensure
-			# that it truly contains *only* the certificate.
+			# The PCR public key option should contain *only* the
+			# public key, not the full certificate containing the
+			# public key. Bug #960276
 			openssl x509 \
 				-in "${SECUREBOOT_SIGN_CERT}" -inform PEM \
-				-out "${T}/pcrpkey.pem" -outform PEM ||
-				die "Failed to extract certificate"
+				-noout -pubkey > "${T}/pcrpkey.pem" ||
+				die "Failed to extract public key"
 			ukify_args+=(
 				--secureboot-private-key="${SECUREBOOT_SIGN_KEY}"
 				--secureboot-certificate="${SECUREBOOT_SIGN_CERT}"
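Review bot: The rewritten comment above the `openssl x509` call drops the reason this extraction step exists at all: `--pcr-public-key` is embedded verbatim in the UKI, so a PEM file that bundles certificate and private key must never be passed through unfiltered. The new `-noout -pubkey` form still provides that protection, since only the SubjectPublicKeyInfo is printed and any private-key block in the input is discarded, but a future reader will not learn that from "should contain *only* the public key". Suggest keeping one sentence, e.g. `# Never embed SECUREBOOT_SIGN_CERT as-is: it may bundle the private key, and .pcrpkey is copied verbatim into the UKI. Extracting the public key also drops the certificate wrapper that confuses downstream tools (bug #960276).` The enclosing kernel-build_src_install body continues outside this hunk.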
@@ -627,17 +626,19 @@ kernel-build_src_install() {
 				ukify_args+=(
 					--signing-engine="pkcs11"
 					--pcr-private-key="${SECUREBOOT_SIGN_KEY}"
-					--pcr-public-key="${SECUREBOOT_SIGN_CERT}"
+					--pcr-public-key="${T}/pcrpkey.pem"
 					--phases="enter-initrd"
 					--pcr-private-key="${SECUREBOOT_SIGN_KEY}"
-					--pcr-public-key="${SECUREBOOT_SIGN_CERT}"
+					--pcr-public-key="${T}/pcrpkey.pem"
 					--phases="enter-initrd:leave-initrd enter-initrd:leave-initrd:sysinit enter-initrd:leave-initrd:sysinit:ready"
 				)
 			else
 				ukify_args+=(
 					--pcr-private-key="${SECUREBOOT_SIGN_KEY}"
+					--pcr-public-key="${T}/pcrpkey.pem"
 					--phases="enter-initrd"
 					--pcr-private-key="${SECUREBOOT_SIGN_KEY}"
+					--pcr-public-key="${T}/pcrpkey.pem"
 					--phases="enter-initrd:leave-initrd enter-initrd:leave-initrd:sysinit enter-initrd:leave-initrd:sysinit:ready"
 				)
 			fi
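Review bot: The `else` branch now passes `--pcr-public-key="${T}/pcrpkey.pem"` explicitly where it previously passed no public key at all, which introduces a new failure mode: the embedded .pcrpkey is derived from SECUREBOOT_SIGN_CERT, while the PCR signatures are produced with SECUREBOOT_SIGN_KEY, so if the two are not a matching pair the UKI carries a key that cannot verify its own PCR policy signatures. Presumably the secureboot setup already requires the certificate and key to match; if so, a short comment at the first added line in each branch would make that dependency explicit, e.g. `# ${T}/pcrpkey.pem is extracted from SECUREBOOT_SIGN_CERT above and must be the public half of SECUREBOOT_SIGN_KEY.` The same `--pcr-public-key` line is now repeated four times across the two branches (and the `--pcr-private-key` line alongside it), so it may be worth noting in that comment that both phase groups intentionally reuse one key pair. The if/else shown here and the block that creates `${T}/pcrpkey.pem` both lie partly outside this hunk.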
