commit: 1e27682401ad7a2edd7e4831cf3e7cf363870959
Author: Michał Górny <mgorny <AT> gentoo <DOT> org>
AuthorDate: Thu Sep 11 18:01:09 2025 +0000
Commit: Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Thu Sep 11 19:47:55 2025 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1e276824
kernel-build.eclass: Revert "replace cert with pubkey in..."
This change broke at least arm64 dist-kernel builds:
```
Could not find certificate from
/var/tmp/portage/sys-kernel/gentoo-kernel-6.16.7/temp/pcrpkey
* ERROR: sys-kernel/gentoo-kernel-6.16.7::gentoo failed (postinst phase):
* Failed to convert pcrpkey to PEM format
```
Reverts: 45367fd36d1b1be24cefc3d6266012258b3c3068
Signed-off-by: Michał Górny <mgorny <AT> gentoo.org>
eclass/kernel-build.eclass | 17 ++++++++---------
1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index 2b16d0a226dd..7a5c80cfd6a6 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -609,13 +609,14 @@ kernel-build_src_install() {
done
if [[ ${KERNEL_IUSE_MODULES_SIGN} ]] && use secureboot;
then
- # The PCR public key option should contain
*only* the
- # public key, not the full certificate
containing the
- # public key. Bug #960276
+ # --pcrpkey is appended as is. If the
certificate and key
+ # are in the same file, we could accidentally
leak the key
+ # into the UKI. Pass the certificate through
openssl to ensure
+ # that it truly contains *only* the certificate.
openssl x509 \
-in "${SECUREBOOT_SIGN_CERT}" -inform
PEM \
- -noout -pubkey > "${T}/pcrpkey.pem" ||
- die "Failed to extract public
key"
+ -out "${T}/pcrpkey.pem" -outform PEM ||
+ die "Failed to extract
certificate"
ukify_args+=(
--secureboot-private-key="${SECUREBOOT_SIGN_KEY}"
--secureboot-certificate="${SECUREBOOT_SIGN_CERT}"
@@ -626,19 +627,17 @@ kernel-build_src_install() {
ukify_args+=(
--signing-engine="pkcs11"
--pcr-private-key="${SECUREBOOT_SIGN_KEY}"
-
--pcr-public-key="${T}/pcrpkey.pem"
+
--pcr-public-key="${SECUREBOOT_SIGN_CERT}"
--phases="enter-initrd"
--pcr-private-key="${SECUREBOOT_SIGN_KEY}"
-
--pcr-public-key="${T}/pcrpkey.pem"
+
--pcr-public-key="${SECUREBOOT_SIGN_CERT}"
--phases="enter-initrd:leave-initrd enter-initrd:leave-initrd:sysinit
enter-initrd:leave-initrd:sysinit:ready"
)
else
ukify_args+=(
--pcr-private-key="${SECUREBOOT_SIGN_KEY}"
-
--pcr-public-key="${T}/pcrpkey.pem"
--phases="enter-initrd"
--pcr-private-key="${SECUREBOOT_SIGN_KEY}"
-
--pcr-public-key="${T}/pcrpkey.pem"
--phases="enter-initrd:leave-initrd enter-initrd:leave-initrd:sysinit
enter-initrd:leave-initrd:sysinit:ready"
)
fi
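Review bot: The two `--pcr-public-key` arguments in the pkcs11 branch now pass `${SECUREBOOT_SIGN_CERT}` verbatim, while the `openssl x509 ... -out "${T}/pcrpkey.pem"` step in the preceding hunk, whose comment says it exists so a combined cert+key file cannot leak the private key into the UKI, writes a filtered copy that nothing in this hunk consumes. Unless `${T}/pcrpkey.pem` is read somewhere outside these hunks, the guard is ineffective for the embedded .pcrpkey section: either pass the filtered file, `--pcr-public-key="${T}/pcrpkey.pem"` on both pkcs11 lines (it is still a full certificate, so the postinst failure that motivated this revert should not recur), or drop the openssl step and its comment so they do not promise a check that is not enforced. The else branch passes no `--pcr-public-key` at all, so ukify presumably derives it from the private key there. kernel-build_src_install starts before the hunk.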