commit: 3e0c89e3b299928215dd505467e49f13f8bbbbd3
Author: Violet Purcell <vimproved <AT> inventati <DOT> org>
AuthorDate: Mon Nov 27 17:12:09 2023 +0000
Commit: Andrew Ammerlaan <andrewammerlaan <AT> gentoo <DOT> org>
CommitDate: Mon Dec 11 12:39:35 2023 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3e0c89e3
kernel-build.eclass: work around permissions issue with module signing
Currently, using a custom path for MODULES_SIGN_KEY requires the key to
be readable by portage:portage. This is not ideal for security, since
the file has to be either owned by portage:portage or readable by all
users in this case. Instead, export the contents of MODULES_SIGN_KEY to
a variable in pkg_setup, and then create a temporary file with it in
src_configure to ensure that the temporary key is readable by the user
that the kernel is being built as. The variable is then unset so it does
not end up in the final environment file.
Co-authored-by: Andrew Ammerlaan <andrewammerlaan <AT> gentoo.org>
Signed-off-by: Violet Purcell <vimproved <AT> inventati.org>
Signed-off-by: Andrew Ammerlaan <andrewammerlaan <AT> gentoo.org>
eclass/kernel-build.eclass | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index f5529c319f9f..6b692dc4f9a0 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -114,6 +114,13 @@ kernel-build_pkg_setup() {
python-any-r1_pkg_setup
if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
secureboot_pkg_setup
+ if [[ -e ${MODULES_SIGN_KEY} && ${MODULES_SIGN_KEY} != pkcs11:*
]]; then
+ if [[ -e ${MODULES_SIGN_CERT} && ${MODULES_SIGN_CERT}
!= ${MODULES_SIGN_KEY} ]]; then
+ MODULES_SIGN_KEY_CONTENTS="$(cat
"${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" || die)"
+ else
+ MODULES_SIGN_KEY_CONTENTS="$(<
"${MODULES_SIGN_KEY}")"
+ fi
+ fi
fi
}
@@ -422,12 +429,11 @@ kernel-build_merge_configs() {
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y
EOF
- if [[ -e ${MODULES_SIGN_KEY} && -e ${MODULES_SIGN_CERT}
&&
- ${MODULES_SIGN_KEY} != ${MODULES_SIGN_CERT} &&
- ${MODULES_SIGN_KEY} != pkcs11:* ]]
- then
- cat "${MODULES_SIGN_CERT}"
"${MODULES_SIGN_KEY}" > "${T}/kernel_key.pem" || die
- MODULES_SIGN_KEY="${T}/kernel_key.pem"
+ if [[ -n ${MODULES_SIGN_KEY_CONTENTS} ]]; then
+ (umask 066 && touch "${T}/kernel_key.pem" ||
die)
+ echo "${MODULES_SIGN_KEY_CONTENTS}" >
"${T}/kernel_key.pem" || die
+ unset MODULES_SIGN_KEY_CONTENTS
+ export MODULES_SIGN_KEY="${T}/kernel_key.pem"
fi
if [[ ${MODULES_SIGN_KEY} == pkcs11:* || -r
${MODULES_SIGN_KEY} ]]; then
echo
"CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \
