author | V3n3RiX <venerix@koprulu.sector> | 2023-06-21 01:17:50 +0100 |
---|---|---|
committer | V3n3RiX <venerix@koprulu.sector> | 2023-06-21 01:17:50 +0100 |
commit | 7d4e34d0bcf06b357fd09a059a02687acf335132 (patch) | |
tree | 06974fa0252f3c0c3039ba3f9d4ce051ae11f3f6 /eclass | |
parent | 1941d371dc945a34f7070c341af1392edb5ca3a9 (diff) |
gentoo auto-resync : 21:06:2023 - 01:17:50
Diffstat (limited to 'eclass')
-rw-r--r-- | eclass/Manifest.gz | bin | 38160 -> 38150 bytes | |||
-rw-r--r-- | eclass/dist-kernel-utils.eclass | 22 | ||||
-rw-r--r-- | eclass/gnustep-base.eclass | 5 | ||||
-rw-r--r-- | eclass/golang-vcs.eclass | 2 | ||||
-rw-r--r-- | eclass/kernel-build.eclass | 116 |
5 files changed, 131 insertions, 14 deletions
diff --git a/eclass/Manifest.gz b/eclass/Manifest.gz Binary files differindex 99a853152406..560279141440 100644 --- a/eclass/Manifest.gz +++ b/eclass/Manifest.gz diff --git a/eclass/dist-kernel-utils.eclass b/eclass/dist-kernel-utils.eclass index 439bdc87695d..cfb6f40ac6fa 100644 --- a/eclass/dist-kernel-utils.eclass +++ b/eclass/dist-kernel-utils.eclass @@ -1,4 +1,4 @@ -# Copyright 2020-2022 Gentoo Authors +# Copyright 2020-2023 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 # @ECLASS: dist-kernel-utils.eclass @@ -104,12 +104,22 @@ dist-kernel_install_kernel() { if [[ ${magic} == MZ ]]; then einfo "Combined UEFI kernel+initramfs executable found" # install the combined executable in place of kernel - image=${initrd}.uefi + image=${initrd}.efi mv "${initrd}" "${image}" || die - # put an empty file in place of initrd. installing a duplicate - # file would waste disk space, and removing it entirely provokes - # kernel-install to regenerate it via dracut. - > "${initrd}" + # We moved the generated initrd, prevent dracut from running again + # https://github.com/dracutdevs/dracut/pull/2405 + shopt -s nullglob + local plugins=() + for file in "${EROOT}"/usr/lib/kernel/install.d/*.install; do + if ! has "${file##*/}" 50-dracut.install 51-dracut-rescue.install; then + plugins+=( "${file}" ) + fi + done + for file in "${EROOT}"/etc/kernel/install.d/*.install; do + plugins+=( "${file}" ) + done + shopt -u nullglob + export KERNEL_INSTALL_PLUGINS="${KERNEL_INSTALL_PLUGINS} ${plugins[@]}" fi ebegin "Installing the kernel via installkernel" diff --git a/eclass/gnustep-base.eclass b/eclass/gnustep-base.eclass index 49bcc09caa93..b5b350106471 100644 --- a/eclass/gnustep-base.eclass +++ b/eclass/gnustep-base.eclass @@ -11,8 +11,8 @@ # packages case ${EAPI} in - 6|7) inherit eutils ;; - 8) ;; + 6) inherit eutils ;; + 7|8) ;; *) die "${ECLASS}: EAPI ${EAPI:-0} not supported" ;; esac 
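Review bot: In the dist-kernel-utils `@@ -104,12 +104,22 @@` hunk, the two `for file in ...` loops never declare `file`, so the last plugin path leaks into the ebuild's global environment (and into whatever environment dump the package manager keeps), while `plugins` is correctly `local`; change `local plugins=()` to `local file plugins=()`. Note also that the dracut exclusion is applied only to `${EROOT}/usr/lib/kernel/install.d`, so an admin copy of `50-dracut.install` under `${EROOT}/etc/kernel/install.d` would, if present, still be passed through and presumably regenerate the initrd this code just moved aside — worth filtering both directories with the same `has` test or documenting the asymmetry. dist-kernel_install_kernel starts before and ends after this hunk.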
@@ -128,7 +128,6 @@ egnustep_env() { -i "${WORKDIR}"/GNUstep.conf || die "GNUstep.conf sed failed" fi - if [[ ! -d ${EPREFIX}/usr/share/GNUstep/Makefiles ]]; then # Set rpath in ldflags when available case ${CHOST} in diff --git a/eclass/golang-vcs.eclass b/eclass/golang-vcs.eclass index 6f60b6dd3ae0..7558db4776cb 100644 --- a/eclass/golang-vcs.eclass +++ b/eclass/golang-vcs.eclass @@ -20,7 +20,7 @@ esac if [[ -z ${_GOLANG_VCS_ECLASS} ]]; then _GOLANG_VCS_ECLASS=1 -inherit estack eutils golang-base +inherit estack golang-base PROPERTIES+=" live" diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass index 020557497ddc..963e020b3746 100644 --- a/eclass/kernel-build.eclass +++ b/eclass/kernel-build.eclass @@ -1,4 +1,4 @@ -# Copyright 2020-2022 Gentoo Authors +# Copyright 2020-2023 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 # @ECLASS: kernel-build.eclass 
@@ -41,6 +41,50 @@ BDEPEND=" app-alternatives/yacc " +IUSE="+strip" + +# @ECLASS_VARIABLE: KERNEL_IUSE_MODULES_SIGN +# @PRE_INHERIT +# @DEFAULT_UNSET +# @DESCRIPTION: +# If set to a non-null value, adds IUSE=modules-sign and required +# logic to manipulate the kernel config while respecting the +# MODULES_SIGN_HASH and MODULES_SIGN_KEY user variables. + +# @ECLASS_VARIABLE: MODULES_SIGN_HASH +# @USER_VARIABLE +# @DEFAULT_UNSET +# @DESCRIPTION: +# Used with USE=modules-sign. Can be set to hash algorithm to use +# during signature generation (CONFIG_MODULE_SIG_SHA256). +# +# Valid values: sha512,sha384,sha256,sha224,sha1 +# +# Default if unset: sha512 + +# @ECLASS_VARIABLE: MODULES_SIGN_KEY +# @USER_VARIABLE +# @DEFAULT_UNSET +# @DESCRIPTION: +# Used with USE=modules-sign. Can be set to the path of the private +# key in PEM format to use, or a PKCS#11 URI (CONFIG_MODULE_SIG_KEY). +# +# If path is relative (e.g. "certs/name.pem"), it is assumed to be +# relative to the kernel build directory being used. +# +# If the key requires a passphrase or PIN, the used kernel sign-file +# utility recognizes the KBUILD_SIGN_PIN environment variable. Be +# warned that the package manager may store this value in binary +# packages, database files, temporary files, and possibly logs. This +# eclass unsets the variable after use to mitigate the issue (notably +# for shared binary packages), but use this with care. +# +# Default if unset: certs/signing_key.pem + +if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then + IUSE+=" modules-sign" +fi + # @FUNCTION: kernel-build_src_configure # @DESCRIPTION: # Prepare the toolchain for building the kernel, get the default .config @@ -83,7 +127,7 @@ kernel-build_src_configure() { LD="${LD}" AR="$(tc-getAR)" NM="$(tc-getNM)" - STRIP=":" + STRIP="$(tc-getSTRIP)" OBJCOPY="$(tc-getOBJCOPY)" OBJDUMP="$(tc-getOBJDUMP)" 
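Review bot: The MODULES_SIGN_KEY description in the `@@ -41,6 +41,50 @@` hunk documents the KBUILD_SIGN_PIN exposure but not the other key-handling consequence this commit introduces: when the variable is unset and the kernel generates `certs/signing_key.pem`, that private key is copied into the installed kernel source directory and ships in binary packages (the later src_install and pkg_postinst hunks do this and warn about it). The eclass variable documentation is where users look before building, so add after "Default if unset: certs/signing_key.pem" a sentence such as `# Note: when unset, the auto-generated private key is installed under /usr/src/linux-*/certs and included in binary packages; protect or rotate it accordingly.` The "Valid values" list for MODULES_SIGN_HASH also includes sha1; a brief note that sha1 is retained only for compatibility would steer users toward the stronger defaults.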
@@ -176,8 +220,18 @@ kernel-build_src_install() { targets+=( dtbs_install ) fi + # Use the kernel build system to strip, this ensures the modules + # are stripped *before* they are signed or compressed. + local strip_args + if use strip; then + strip_args="--strip-unneeded" + fi + # Modules were already stripped by the kernel build system + dostrip -x /lib/modules + emake O="${WORKDIR}"/build "${MAKEARGS[@]}" \ - INSTALL_MOD_PATH="${ED}" INSTALL_PATH="${ED}/boot" "${targets[@]}" + INSTALL_MOD_PATH="${ED}" INSTALL_MOD_STRIP="${strip_args}" \ + INSTALL_PATH="${ED}/boot" "${targets[@]}" # note: we're using mv rather than doins to save space and time # install main and arch-specific headers first, and scripts @@ -217,6 +271,14 @@ kernel-build_src_install() { local image_path=$(dist-kernel_get_image_path) cp -p "build/${image_path}" "${ED}${kernel_dir}/${image_path}" || die + # If a key was generated, copy it so external modules can be signed + local suffix + for suffix in pem x509; do + if [[ -f "build/certs/signing_key.${suffix}" ]]; then + cp -p "build/certs/signing_key.${suffix}" "${ED}${kernel_dir}/certs" || die + fi + done + # building modules fails with 'vmlinux has no symtab?' if stripped use ppc64 && dostrip -x "${kernel_dir}/${image_path}" @@ -239,6 +301,9 @@ kernel-build_src_install() { dosym "../../../${kernel_dir}" "/lib/modules/${module_ver}/build" dosym "../../../${kernel_dir}" "/lib/modules/${module_ver}/source" + # unset to at least be out of the environment file in, e.g. shared binpkgs + unset KBUILD_SIGN_PIN + save_config build/.config } 
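Review bot: In the `@@ -217,6 +271,14 @@` hunk the generated private key `build/certs/signing_key.pem` is copied into `${ED}${kernel_dir}/certs` with only `cp -p`, so its installed mode is whatever the kernel build system created it with; unless that is already owner-only, the key used to sign every out-of-tree module ends up readable by any local user under /usr/src. Restrict it explicitly inside the loop, e.g. after the `cp -p` line add `[[ ${suffix} == pem ]] && fperms 0600 "${kernel_dir}/certs/signing_key.${suffix}"` (the x509 certificate can stay world-readable). The pkg_postinst warning in the next hunk covers the binpkg exposure but not the on-disk permissions. kernel-build_src_install starts before and ends after this hunk.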
@@ -248,6 +313,26 @@ kernel-build_src_install() { kernel-build_pkg_postinst() { kernel-install_pkg_postinst savedconfig_pkg_postinst + + if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then + if use modules-sign && [[ -z ${MODULES_SIGN_KEY} ]]; then + ewarn + ewarn "MODULES_SIGN_KEY was not set, this means the kernel build system" + ewarn "automatically generated the signing key. This key was installed" + ewarn "in ${EROOT}/usr/src/linux-${PV}${KV_LOCALVERSION}/certs" + ewarn "and will also be included in any binary packages." + ewarn "Please take appropriate action to protect the key!" + ewarn + ewarn "Recompiling this package causes a new key to be generated. As" + ewarn "a result any external kernel modules will need to be resigned." + ewarn "Use emerge @module-rebuild, or manually sign the modules as" + ewarn "described on the wiki [1]" + ewarn + ewarn "Consider using the MODULES_SIGN_KEY variable to use an external key." + ewarn + ewarn "[1]: https://wiki.gentoo.org/wiki/Signed_kernel_module_support" + fi + fi } # @FUNCTION: kernel-build_merge_configs 
@@ -270,16 +355,39 @@ kernel-build_merge_configs() { local user_configs=( "${BROOT}"/etc/kernel/config.d/*.config ) shopt -u nullglob + local merge_configs=( "${@}" ) + + if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then + if use modules-sign; then + : "${MODULES_SIGN_HASH:=sha512}" + cat <<-EOF > "${WORKDIR}/modules-sign.config" || die + ## Enable module signing + CONFIG_MODULE_SIG=y + CONFIG_MODULE_SIG_ALL=y + CONFIG_MODULE_SIG_FORCE=y + CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y + EOF + if [[ ${MODULES_SIGN_KEY} == pkcs11:* || -e ${MODULES_SIGN_KEY} ]]; then + echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \ + >> "${WORKDIR}/modules-sign.config" + elif [[ -n ${MODULES_SIGN_KEY} ]]; then + die "MODULES_SIGN_KEY=${MODULES_SIGN_KEY} not found!" + fi + merge_configs+=( "${WORKDIR}/modules-sign.config" ) + fi + fi + if [[ ${#user_configs[@]} -gt 0 ]]; then elog "User config files are being applied:" local x for x in "${user_configs[@]}"; do elog "- ${x}" done + merge_configs+=( "${user_configs[@]}" ) fi ./scripts/kconfig/merge_config.sh -m -r \ - .config "${@}" "${user_configs[@]}" || die + .config "${merge_configs[@]}" || die } fi |
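Review bot: MODULES_SIGN_HASH is interpolated unvalidated into `CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y`; a typo such as `sha521` produces a config symbol Kconfig does not know, which the later olddefconfig step presumably drops silently, leaving the kernel's own default choice for the signing hash rather than the sha512 the eclass documents. Validate against the documented list before writing the fragment: `has "${MODULES_SIGN_HASH}" sha512 sha384 sha256 sha224 sha1 || die "Invalid MODULES_SIGN_HASH=${MODULES_SIGN_HASH}"`. The `echo "CONFIG_MODULE_SIG_KEY=..."` append is also the only write to the fragment without `|| die`, unlike the heredoc above it; append `|| die` there so a failed write cannot leave the key setting out of the merged config. kernel-build_merge_configs starts before this hunk.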