commit:     fb7a681e9cc8bc15b8fc11ceac5d41210c91b30a
Author:     Nowa Ammerlaan <nowa <AT> gentoo <DOT> org>
AuthorDate: Thu Sep 25 16:40:46 2025 +0000
Commit:     Nowa Ammerlaan <nowa <AT> gentoo <DOT> org>
CommitDate: Thu Sep 25 16:53:01 2025 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fb7a681e

kernel-install.eclass: ensure a secureboot cert is always set

When the kernel is re-installed via pkg_config the certificate may
be gone. Detect if this is the case and if so try to extract the
certificate from the kernel install directory and use that for
verification later on in the (re-)install process.

Signed-off-by: Nowa Ammerlaan <nowa <AT> gentoo.org>

 eclass/kernel-install.eclass | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/eclass/kernel-install.eclass b/eclass/kernel-install.eclass
index 35254b357005..7fd714111daf 100644
--- a/eclass/kernel-install.eclass
+++ b/eclass/kernel-install.eclass
@@ -728,11 +728,20 @@ kernel-install_install_all() {
        local dir_ver=${1}
        local kernel_dir=${EROOT}/usr/src/linux-${dir_ver}
        local relfile=${kernel_dir}/include/config/kernel.release
+       local kernel_cert=${kernel_dir}/certs/signing_key.x509
        local image_path=$(dist-kernel_get_image_path)
        local image_dir=${image_path%/*}
        local module_ver
        module_ver=$(<"${relfile}") || die
 
+       if [[ ! -r ${SECUREBOOT_SIGN_CERT} && -r ${kernel_cert} ]]; then
+               openssl x509 \
+                       -inform DER -in "${kernel_cert}" \
+                       -outform PEM -out "${T}/cert.pem" ||
+                               die "Failed to convert kernel certificate to 
PEM format"
+                       export SECUREBOOT_SIGN_CERT=${T}/cert.pem
+       fi
+
        if [[ ${KERNEL_IUSE_GENERIC_UKI} ]]; then
                if use generic-uki; then
                        # Populate placeholders
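Review bot: The fallback at `if [[ ! -r ${SECUREBOOT_SIGN_CERT} && -r ${kernel_cert} ]]` swaps the verification certificate silently, so a configured SECUREBOOT_SIGN_CERT that is merely unreadable (wrong path, permissions) is replaced by `certs/signing_key.x509` from the kernel directory with no trace in the build log. That file sits in the same tree as the artifacts it is later used to verify, so the check then shows consistency with the installed kernel rather than with the operator's chosen key. I would log the switch before the `export`, e.g. `ewarn "SECUREBOOT_SIGN_CERT not readable, verifying against ${kernel_cert}"`. When neither file is readable the variable is left as it was, so whether a certificate is "always set" depends on handling outside this hunk. The `export` line is indented as if it belonged to the `openssl` continuation and should align with `openssl`; kernel-install_install_all continues outside the hunk.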
