On 15/06/2023 15:46, Mike Gilbert wrote:
On Thu, Jun 15, 2023 at 9:06 AM Andrew Ammerlaan <andrewammerl...@gentoo.org> wrote:# @FUNCTION: kernel-build_merge_configs @@ -270,16 +354,39 @@ kernel-build_merge_configs() { local user_configs=( "${BROOT}"/etc/kernel/config.d/*.config ) shopt -u nullglob+ local merge_configs=( "${@}" ) + + if [[ -n "${ALLOW_MODULES_SIGN}" ]]; then + if use modules-sign; then + : "${MODULES_SIGN_HASH:=sha512}" + cat <<-EOF > "${WORKDIR}/modules-sign.config" || die + ## Enable module signing + CONFIG_MODULE_SIG=y + CONFIG_MODULE_SIG_ALL=y + CONFIG_MODULE_SIG_FORCE=y + CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=yI'm not sure if it matters, but menuconfig would also set CONFIG_MODULE_SIG_HASH. eg.
When I tested this earlier CONFIG_MODULE_SIG_HASH was entirely dependent on the setting of CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}. I.e. setting CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y automatically sets CONFIG_MODULE_SIG_HASH=${MODULES_SIGN_HASH} to the same value. Only setting CONFIG_MODULE_SIG_HASH is ignored and it reverts back to the default value of CONFIG_MODULE_SIG_SHA512. We could set both, but there is no functional difference.
Best regards, Andrew
