commit:     e2b8c79419c258224a91807e30d57b075703f115
Author:     Andrew Ammerlaan <andrewammerlaan <AT> gentoo <DOT> org>
AuthorDate: Wed Aug 30 16:38:43 2023 +0000
Commit:     Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Sat Sep  2 17:34:34 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e2b8c794

kernel-build.eclass: fix kernel image signing on arm64 and riscv

Arm64/riscv have no compressed kernel support. With CONFIG_EFI_ZBOOT enabled
the build system will build a bootable image with its own compressor that we
can then sign. With CONFIG_EFI_ZBOOT disabled we end up with a compressed
kernel image that must be uncompressed before signing and requires the
bootloader to uncompress it before it can boot.

Signed-off-by: Andrew Ammerlaan <andrewammerlaan <AT> gentoo.org>
Signed-off-by: Michał Górny <mgorny <AT> gentoo.org>

 eclass/kernel-build.eclass | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index ca105ee1f133..0c40e8033fe2 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -436,6 +436,20 @@ kernel-build_merge_configs() {
                fi
        fi
 
+       if [[ ${KERNEL_IUSE_SECUREBOOT} ]]; then
+               if use secureboot; then
+                       # This only effects arm64 and riscv where the bootable 
image may
+                       # contain its own decompressor (zboot). If enabled we 
get a
+                       # sign-able efi file.
+                       cat <<-EOF > "${WORKDIR}/secureboot.config" || die
+                               ## Enable zboot for signing
+                               CONFIG_EFI_ZBOOT=y
+                       EOF
+
+                       merge_configs+=( "${WORKDIR}/secureboot.config" )
+               fi
+       fi
+
        if [[ ${#user_configs[@]} -gt 0 ]]; then
                elog "User config files are being applied:"
                local x
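
Review bot: the secureboot.config fragment is appended to merge_configs immediately before the user_configs block, so if user config files are merged after it, a user fragment that turns CONFIG_EFI_ZBOOT off would leave the compressed, unsignable image the commit message describes, with no error. Consider checking the final .config for CONFIG_EFI_ZBOOT=y when `use secureboot` is set and calling die otherwise, or document the ordering. The comment also says this only affects arm64 and riscv, yet the fragment is written on every arch where secureboot is enabled; either guard it on the arch or state in the comment that the symbol is expected to be ignored elsewhere. Minor: "effects" in the comment should be "affects".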
