On 15/06/2023 15:46, Mike Gilbert wrote:
On Thu, Jun 15, 2023 at 9:06 AM Andrew Ammerlaan
<andrewammerl...@gentoo.org> wrote:
   # @FUNCTION: kernel-build_merge_configs
@@ -270,16 +354,39 @@ kernel-build_merge_configs() {
         local user_configs=( "${BROOT}"/etc/kernel/config.d/*.config )
         shopt -u nullglob

+       local merge_configs=( "${@}" )
+
+       if [[ -n "${ALLOW_MODULES_SIGN}" ]]; then
+               if use modules-sign; then
+                       : "${MODULES_SIGN_HASH:=sha512}"
+                       cat <<-EOF > "${WORKDIR}/modules-sign.config" || die
+                               ## Enable module signing
+                               CONFIG_MODULE_SIG=y
+                               CONFIG_MODULE_SIG_ALL=y
+                               CONFIG_MODULE_SIG_FORCE=y
+                               CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y
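Review bot: MODULES_SIGN_HASH is expanded straight into the symbol name on the CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y line, and nothing in this hunk checks that the value names a hash the kernel offers. A typo or an unsupported value would produce a symbol Kconfig does not know, so the fragment would not select the intended hash. Consider validating the value against the supported list right after the `: "${MODULES_SIGN_HASH:=sha512}"` default and calling die on anything else.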

I'm not sure if it matters, but menuconfig would also set
CONFIG_MODULE_SIG_HASH. eg.

When I tested this earlier CONFIG_MODULE_SIG_HASH was entirely dependent on the setting of CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}. I.e. setting CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y automatically sets CONFIG_MODULE_SIG_HASH=${MODULES_SIGN_HASH} to the same value. Only setting CONFIG_MODULE_SIG_HASH is ignored and it reverts back to the default value of CONFIG_MODULE_SIG_SHA512. We could set both, but there is no functional difference.

Best regards,
Andrew
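The dependency described in the reply above can be checked on a finished .config. This is an added example, not part of the original thread or of the eclass; the function names check_modsig_config and sample_config and the sample configuration are constructed for illustration.

```shell
# Added example: verify that a kernel .config carries a consistent
# module-signing setup. Function names and sample data are hypothetical.

# check_modsig_config FILE HASH -> prints one line per problem, returns 0 or 1
check_modsig_config() {
    cfg=$1
    want=$2
    rc=0
    upper=$(printf '%s' "$want" | tr '[:lower:]' '[:upper:]')

    # The options written by the fragment, plus the hash choice symbol.
    for sym in CONFIG_MODULE_SIG CONFIG_MODULE_SIG_ALL CONFIG_MODULE_SIG_FORCE \
               "CONFIG_MODULE_SIG_${upper}"; do
        if ! grep -qxF "${sym}=y" "$cfg"; then
            echo "missing: ${sym}=y"
            rc=1
        fi
    done

    # CONFIG_MODULE_SIG_HASH is a string derived from the choice symbol,
    # so it must agree with the hash that was requested.
    got=$(sed -n 's/^CONFIG_MODULE_SIG_HASH="\(.*\)"$/\1/p' "$cfg")
    if [ "$got" != "$want" ]; then
        echo "hash mismatch: CONFIG_MODULE_SIG_HASH=\"${got}\", expected \"${want}\""
        rc=1
    fi
    return "$rc"
}

# Constructed sample: a .config excerpt in which sha512 is the selected hash.
sample_config() {
    cat <<'EOF'
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
check_modsig_config "$tmp" sha512 && echo "sha512: consistent"
check_modsig_config "$tmp" sha384 || echo "sha384: requested hash was not applied"
rm -f "$tmp"
```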

