On 15/06/2023 15:46, Mike Gilbert wrote:
On Thu, Jun 15, 2023 at 9:06 AM Andrew Ammerlaan
<andrewammerl...@gentoo.org> wrote:
# @FUNCTION: kernel-build_merge_configs
@@ -270,16 +354,39 @@ kernel-build_merge_configs() {
local user_configs=( "${BROOT}"/etc/kernel/config.d/*.config )
shopt -u nullglob
+ local merge_configs=( "${@}" )
+
+ if [[ -n "${ALLOW_MODULES_SIGN}" ]]; then
+ if use modules-sign; then
+ : "${MODULES_SIGN_HASH:=sha512}"
+ cat <<-EOF > "${WORKDIR}/modules-sign.config" || die
+ ## Enable module signing
+ CONFIG_MODULE_SIG=y
+ CONFIG_MODULE_SIG_ALL=y
+ CONFIG_MODULE_SIG_FORCE=y
+ CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y
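Review bot: MODULES_SIGN_HASH is interpolated into the symbol name in `CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y` without any validation, so a typo or an unsupported value yields a fragment line naming a symbol that does not exist, and nothing in the visible lines reports that. Consider checking the value against the hash names the eclass means to support right after the `: "${MODULES_SIGN_HASH:=sha512}"` default and calling die on anything else, and document the accepted values alongside the variable.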
I'm not sure if it matters, but menuconfig would also set
CONFIG_MODULE_SIG_HASH. e.g.
When I tested this earlier CONFIG_MODULE_SIG_HASH was entirely dependent
on the setting of CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}.
I.e. setting CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y automatically
sets CONFIG_MODULE_SIG_HASH=${MODULES_SIGN_HASH} to the same value. Only
setting CONFIG_MODULE_SIG_HASH is ignored and it reverts back to the
default value of CONFIG_MODULE_SIG_SHA512. We could set both, but there
is no functional difference.
Best regards,
Andrew
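
A check for the behaviour discussed in the reply above, written as an added example (not code from the eclass or from either poster): it reads a merged .config and confirms that the module-signing options are on and that the hash choice symbol, CONFIG_MODULE_SIG_HASH and the requested hash all agree. The function names and the sample config are constructed for illustration, and only choice symbols of the form SHA<digits> are handled.

```bash
#!/bin/sh
# Added example; check_modsig_config and sample_config are hypothetical names.

# Usage: check_modsig_config <.config path> <wanted hash, e.g. sha512>
# Prints a reason and returns non-zero on the first inconsistency.
check_modsig_config() {
	cfg=$1
	want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')

	# The options the patch's fragment enables must have survived the merge.
	for opt in CONFIG_MODULE_SIG CONFIG_MODULE_SIG_ALL CONFIG_MODULE_SIG_FORCE; do
		grep -qx "${opt}=y" "$cfg" || { echo "${opt} is not =y"; return 1; }
	done

	# Exactly one hash choice symbol of the form SHA<digits> may be =y.
	chosen=$(sed -n 's/^CONFIG_MODULE_SIG_\(SHA[0-9]*\)=y$/\1/p' "$cfg")
	count=$(printf '%s\n' "$chosen" | grep -c . || true)
	[ "$count" -eq 1 ] || { echo "expected 1 hash choice, found ${count}"; return 2; }

	# The derived string must agree with the choice and with what was asked for.
	chosen=$(printf '%s' "$chosen" | tr '[:upper:]' '[:lower:]')
	hash=$(sed -n 's/^CONFIG_MODULE_SIG_HASH="\(.*\)"$/\1/p' "$cfg")
	[ "$chosen" = "$hash" ] || { echo "choice ${chosen}, CONFIG_MODULE_SIG_HASH=${hash}"; return 3; }
	[ "$hash" = "$want" ] || { echo "config uses ${hash}, wanted ${want}"; return 4; }
	echo "ok: modules signed with ${hash}"
}

# Constructed sample input: prints a minimal .config with the given choice
# symbol suffix ($1, e.g. SHA512) and hash string ($2, e.g. sha512).
sample_config() {
	cat <<EOF
CONFIG_MODULES=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_$1=y
CONFIG_MODULE_SIG_HASH="$2"
EOF
}

tmp=$(mktemp)
sample_config SHA512 sha512 > "$tmp"
check_modsig_config "$tmp" sha512
# A requested sha256 that did not take effect and fell back to the default:
check_modsig_config "$tmp" sha256 || echo "exit status $?"
rm -f "$tmp"
```

Pointed at the .config of a finished build, the same function shows whether the hash that was asked for is the one the kernel was actually configured with.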