author | V3n3RiX <venerix@koprulu.sector> | 2024-08-07 12:37:21 +0100 |
---|---|---|
committer | V3n3RiX <venerix@koprulu.sector> | 2024-08-07 12:37:21 +0100 |
commit | b8c7370a682e4e29cda623222d17a790c01c3642 (patch) | |
tree | f6caa14689bd00a5760eadaa381ff41e50ef3c1b /eclass/kernel-build.eclass | |
parent | 8a4997a7e2d1e36c089d4d76935b5a902d98d3d0 (diff) |
gentoo auto-resync : 07:08:2024 - 12:37:20
Diffstat (limited to 'eclass/kernel-build.eclass')
-rw-r--r-- | eclass/kernel-build.eclass | 60 |
1 files changed, 45 insertions, 15 deletions
diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index cf060fa83766..c4f3db0028a9 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -131,13 +131,35 @@ fi
 # Call python-any-r1 and secureboot pkg_setup
 kernel-build_pkg_setup() {
 python-any-r1_pkg_setup
- if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
+ if [[ ${KERNEL_IUSE_MODULES_SIGN} && ${MERGE_TYPE} != binary ]]; then
 secureboot_pkg_setup
- if [[ -e ${MODULES_SIGN_KEY} && ${MODULES_SIGN_KEY} != pkcs11:* ]]; then
- if [[ -e ${MODULES_SIGN_CERT} && ${MODULES_SIGN_CERT} != ${MODULES_SIGN_KEY} ]]; then
- MODULES_SIGN_KEY_CONTENTS="$(cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" || die)"
+
+ if use modules-sign && [[ -n ${MODULES_SIGN_KEY} ]]; then
+ # Sanity check: fail early if key/cert in DER format or does not exist
+ local openssl_args=(
+ -noout -nocert
+ )
+ if [[ -n ${MODULES_SIGN_CERT} ]]; then
+ openssl_args+=( -inform PEM -in "${MODULES_SIGN_CERT}" )
+ else
+ # If no cert specified, we assume the pem key also contains the cert
+ openssl_args+=( -inform PEM -in "${MODULES_SIGN_KEY}" )
+ fi
+ if [[ ${MODULES_SIGN_KEY} == pkcs11:* ]]; then
+ openssl_args+=( -engine pkcs11 -keyform ENGINE -key "${MODULES_SIGN_KEY}" )
 else
- MODULES_SIGN_KEY_CONTENTS="$(< "${MODULES_SIGN_KEY}")"
+ openssl_args+=( -keyform PEM -key "${MODULES_SIGN_KEY}" )
+ fi
+
+ openssl x509 "${openssl_args[@]}" ||
+ die "Kernel module signing certificate or key not found or not PEM format."
+
+ if [[ ${MODULES_SIGN_KEY} != pkcs11:* ]]; then
+ if [[ -n ${MODULES_SIGN_CERT} && ${MODULES_SIGN_CERT} != ${MODULES_SIGN_KEY} ]]; then
+ MODULES_SIGN_KEY_CONTENTS="$(cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" || die)"
+ else
+ MODULES_SIGN_KEY_CONTENTS="$(< "${MODULES_SIGN_KEY}")"
+ fi
 fi
 fi
 fi
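Review bot: The `else` branch that covers an unset `MODULES_SIGN_CERT` passes `-in "${MODULES_SIGN_KEY}"` even when the key is a `pkcs11:` URI, so a token-backed key without a separate certificate reaches `openssl x509` with a URI as its PEM input and dies with the generic "not found or not PEM format" message. A dedicated guard before the openssl call would report the real cause, e.g. `[[ ${MODULES_SIGN_KEY} == pkcs11:* && -z ${MODULES_SIGN_CERT} ]] && die "MODULES_SIGN_CERT must be set when MODULES_SIGN_KEY is a pkcs11: URI"`. Separately, `MODULES_SIGN_KEY_CONTENTS` keeps private key material in a shell variable; nothing in this hunk shows where it is written out and unset, so that should be confirmed in the rest of the eclass. The closing brace of kernel-build_pkg_setup lies outside the hunk.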
@@ -165,6 +187,10 @@ kernel-build_src_configure() {
 fi
 # force ld.bfd if we can find it easily
+ local HOSTLD="$(tc-getBUILD_LD)"
+ if type -P "${HOSTLD}.bfd" &>/dev/null; then
+ HOSTLD+=.bfd
+ fi
 local LD="$(tc-getLD)"
 if type -P "${LD}.bfd" &>/dev/null; then
 LD+=.bfd
@@ -176,6 +202,8 @@ kernel-build_src_configure() {
 HOSTCC="$(tc-getBUILD_CC)"
 HOSTCXX="$(tc-getBUILD_CXX)"
+ HOSTLD="${HOSTLD}"
+ HOSTAR="$(tc-getBUILD_AR)"
 HOSTCFLAGS="${BUILD_CFLAGS}"
 HOSTLDFLAGS="${BUILD_LDFLAGS}"
@@ -188,6 +216,7 @@ kernel-build_src_configure() {
 STRIP="$(tc-getSTRIP)"
 OBJCOPY="$(tc-getOBJCOPY)"
 OBJDUMP="$(tc-getOBJDUMP)"
+ READELF="$(tc-getREADELF)"
 # we need to pass it to override colliding Gentoo envvar
 ARCH=$(tc-arch-kernel)
@@ -231,25 +260,21 @@ kernel-build_src_configure() {
 mkdir -p "${WORKDIR}"/modprep || die
 mv .config "${WORKDIR}"/modprep/ || die
 emake O="${WORKDIR}"/modprep "${MAKEARGS[@]}" olddefconfig
- emake O="${WORKDIR}"/modprep "${MAKEARGS[@]}" modules_prepare
- cp -pR "${WORKDIR}"/modprep "${WORKDIR}"/build || die
- # Now that we have a release file, set KV_FULL
- local relfile=${WORKDIR}/build/include/config/kernel.release
+ local k_release=$(emake -s O="${WORKDIR}"/modprep "${MAKEARGS[@]}" kernelrelease)
 if [[ -z ${KV_FULL} ]]; then
- KV_FULL=$(<"${relfile}") || die
+ KV_FULL=${k_release}
 fi
 # Make sure we are about to build the correct kernel
 if [[ ${PV} != *9999 ]]; then
 local expected_ver=$(dist-kernel_PV_to_KV "${PV}")
- local expected_rel=$(<"${relfile}")
- if [[ ${KV_FULL} != ${expected_rel} ]]; then
+ if [[ ${KV_FULL} != ${k_release} ]]; then
 eerror "KV_FULL mismatch!"
 eerror "KV_FULL: ${KV_FULL}"
- eerror "Expected: ${expected_rel}"
- die "KV_FULL mismatch: got ${KV_FULL}, expected ${expected_rel}"
+ eerror "Expected: ${k_release}"
+ die "KV_FULL mismatch: got ${KV_FULL}, expected ${k_release}"
 fi
 if [[ ${KV_FULL} != ${expected_ver}* ]]; then
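Review bot: In the `@@ -231,25 +260,21 @@` hunk, `local k_release=$(emake -s … kernelrelease)` loses the failure path that the removed `KV_FULL=$(<"${relfile}") || die` provided: `local` returns its own status, and nothing rejects an empty result. For a `*9999` version the checks that follow are skipped, so an empty `KV_FULL` would carry through to the `/lib/modules/${KV_FULL}/…` paths used at install time. Declaring `local k_release` first, assigning on its own line, and adding `[[ -n ${k_release} ]] || die "kernelrelease returned an empty string"` restores the early failure. kernel-build_src_configure starts and ends outside this hunk.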
@@ -260,6 +285,9 @@ kernel-build_src_configure() {
 die "Kernel version mismatch: got ${KV_FULL}, expected ${expected_ver}*"
 fi
 fi
+
+ emake O="${WORKDIR}"/modprep "${MAKEARGS[@]}" modules_prepare
+ cp -pR "${WORKDIR}"/modprep "${WORKDIR}"/build || die
 }
 # @FUNCTION: kernel-build_src_compile
@@ -426,6 +454,8 @@ kernel-build_src_install() {
 # fix source tree and build dir symlinks
 dosym "../../../${kernel_dir}" "/lib/modules/${KV_FULL}/build"
 dosym "../../../${kernel_dir}" "/lib/modules/${KV_FULL}/source"
+ dosym "../../../${kernel_dir}/.config" "/lib/modules/${KV_FULL}/config"
+ dosym "../../../${kernel_dir}/System.map" "/lib/modules/${KV_FULL}/System.map"
 if [[ "${image_path}" == *vmlinux* ]]; then
 dosym "../../../${kernel_dir}/${image_path}" "/lib/modules/${KV_FULL}/vmlinux"
 else
@@ -491,7 +521,7 @@ kernel-build_src_install() {
 --output="${image%/*}/uki.efi"
 )
- if [[ ${KERNEL_IUSE_SECUREBOOT} ]] && use secureboot; then
+ if [[ ${KERNEL_IUSE_MODULES_SIGN} ]] && use secureboot; then
 ukify_args+=(
 --signtool=sbsign
 --secureboot-private-key="${SECUREBOOT_SIGN_KEY}"
|
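Review bot: In the `@@ -491,7 +521,7 @@` hunk, Secure Boot signing of the UKI is now gated on `KERNEL_IUSE_MODULES_SIGN` while the second half of the condition still tests `use secureboot`, and nothing here explains why the modules-sign switch governs `--signtool=sbsign`. If the intent is that this one variable now enables both flags (kernel-build_pkg_setup calls `secureboot_pkg_setup` under the same variable), a comment above the `if` should say so, e.g. `# KERNEL_IUSE_MODULES_SIGN also provides USE=secureboot, so it gates UKI signing too`. Otherwise an ebuild that still sets only `KERNEL_IUSE_SECUREBOOT` would presumably get an unsigned UKI with no error, so it is worth confirming that no consumer relies on the old name. The `ukify_args+=(` block continues outside the hunk.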