[gentoo-commits] repo/gentoo:master commit in: eclass/

Nowa Ammerlaan Thu, 11 Sep 2025 13:30:11 -0700

commit:     529a658231c36aee19c29ea888ab01bf3686961a
Author:     Nowa Ammerlaan <nowa <AT> gentoo <DOT> org>
AuthorDate: Thu Sep 11 20:11:57 2025 +0000
Commit:     Nowa Ammerlaan <nowa <AT> gentoo <DOT> org>
CommitDate: Thu Sep 11 20:18:46 2025 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=529a6582


kernel-install.eclass: verify against SECUREBOOT_SIGN_CERT

The .pcrpkey section of the UKI should not contain a full certificate.
And therefore it is not correct to use it in sbverify. Instead use
the set SECUREBOOT_SIGN_CERT which will contain the certificate that
was used for signing in kernel-build.eclass. For gentoo-kernel-bin
we set this variable to the certificate that was used during build
and is included in the gpkg.

Signed-off-by: Nowa Ammerlaan <nowa <AT> gentoo.org>

 eclass/kernel-install.eclass | 19 ++++---------------
 1 file changed, 4 insertions(+), 15 deletions(-)

diff --git a/eclass/kernel-install.eclass b/eclass/kernel-install.eclass
index e753592c46fc..35254b357005 100644
--- a/eclass/kernel-install.eclass
+++ b/eclass/kernel-install.eclass
@@ -674,27 +674,16 @@ kernel-install_extract_from_uki() {
                        die "Failed to extract ${extract_type}"
 
        # Sanity checks for kernel images
-       if [[ ${extract_type} == linux ]] &&
+       if [[ -n ${SECUREBOOT_SIGN_CERT} && ${extract_type} == linux ]] &&
                { ! in_iuse secureboot || use secureboot ;}
        then
-               # Extract the used SECUREBOOT_SIGN_CERT to verify the kernel 
image
-               local cert=${T}/pcrpkey
-               kernel-install_extract_from_uki pcrpkey "${uki}" "${cert}"
-               if [[ $(head -n1 "${cert}") != "-----BEGIN CERTIFICATE-----" 
]]; then
-                       # This is a DER format certificate, convert it to PEM
-                       openssl x509 \
-                               -inform DER -in "${cert}" \
-                               -outform PEM -out "${cert}" ||
-                                       die "Failed to convert pcrpkey to PEM 
format"
-               fi
-
                # Check if the signature on the UKI is valid
-               sbverify --cert "${cert}" "${uki}" ||
+               sbverify --cert "${SECUREBOOT_SIGN_CERT}" "${uki}" ||
                        die "ERROR: UKI signature is invalid"
 
                # Check if the signature on the kernel image is valid
                local sbverify_err=$(
-                       sbverify --cert "${cert}" "${out_temp}" 2>&1 >/dev/null
+                       sbverify --cert "${SECUREBOOT_SIGN_CERT}" "${out_temp}" 
2>&1 >/dev/null
                )
 
                # Check if there was a padding warning
@@ -708,7 +697,7 @@ kernel-install_extract_from_uki() {
                                >"${out_temp}_trimmed" || die
                        # Check if the signature verifies now
                        sbverify_err=$(
-                               sbverify --cert "${cert}" "${out_temp}_trimmed" 
2>&1 >/dev/null
+                               sbverify --cert "${SECUREBOOT_SIGN_CERT}" 
"${out_temp}_trimmed" 2>&1 >/dev/null
                        )
                        [[ -z ${sbverify_err} ]] && out_temp=${out_temp}_trimmed
                fi

[gentoo-commits] repo/gentoo:master commit in: eclass/

Reply via email to