diff options
| author |   Nowa Ammerlaan <nowa@gentoo.org> | 2025-01-06 18:46:01 +0100 |
|---|---|---|
| committer | Nowa Ammerlaan <nowa@gentoo.org> | 2025-01-06 21:25:37 +0100 |
| commit | 9163b23ef60ec34e3739e06eabe5167e36295ab7 (patch) | |
| tree | 976b13f0d87302377dad7e4cd1ef975918db4f99 /eclass | |
| parent | sys-firmware/intel-microcode: drop left over -z ROOT condition (diff) | |
| download | gentoo-9163b23ef60ec34e3739e06eabe5167e36295ab7.tar.gz gentoo-9163b23ef60ec34e3739e06eabe5167e36295ab7.tar.bz2 gentoo-9163b23ef60ec34e3739e06eabe5167e36295ab7.zip | |
kernel-{build,install}.eclass: exclude any generated keys from binpkgs
The kernel build system supports generating a new module signing key if the
CONFIG_MODULE_SIG_KEY is set to the default value (MODULES_SIGN_KEY is not set)
and no key exists at that default location.
This results in the unfortunate situation where private key material ends up
in generated binary packages. That is almost never what you want since binary
packages are usually readable by regular users. To avoid this we move the key
out of the ED in the install phase, and move it back in the preinst phase after
the binary package has been built.
This also means that when distributing built binary packages to other systems
the signing key will now never be installed onto all those other systems, which
is probably what you want anyway.
Note, there is no change for folks who use externally managed keys, i.e. for
everyone who has MODULES_SIGN_KEY, MODULE_SIGN_CERT set.
Signed-off-by: Nowa Ammerlaan <nowa@gentoo.org>
Closes: https://github.com/gentoo/gentoo/pull/40017
Signed-off-by: Nowa Ammerlaan <nowa@gentoo.org>
Diffstat (limited to 'eclass')
| -rw-r--r-- | eclass/kernel-build.eclass | 6 | ||||
| -rw-r--r-- | eclass/kernel-install.eclass | 9 |
2 files changed, 14 insertions, 1 deletions
diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass index 8f3346bb4874..65433d9fc9c0 100644 --- a/eclass/kernel-build.eclass +++ b/eclass/kernel-build.eclass @@ -447,6 +447,11 @@ kernel-build_src_install() { # Copy built key/certificate files cp -p build/certs/* "${ED}${kernel_dir}/certs/" || die + # If a key was generated, exclude it from the binpkg + local generated_key=${ED}${kernel_dir}/certs/signing_key.pem + if [[ -r ${generated_key} ]]; then + mv "${generated_key}" "${T}/signing_key.pem" || die + fi # building modules fails with 'vmlinux has no symtab?' if stripped use ppc64 && dostrip -x "${kernel_dir}/${image_path}" @@ -654,7 +659,6 @@ kernel-build_pkg_postinst() { ewarn "MODULES_SIGN_KEY was not set, this means the kernel build system" ewarn "automatically generated the signing key. This key was installed" ewarn "in ${EROOT}/usr/src/linux-${KV_FULL}/certs" - ewarn "and will also be included in any binary packages." ewarn "Please take appropriate action to protect the key!" ewarn ewarn "Recompiling this package causes a new key to be generated. As" diff --git a/eclass/kernel-install.eclass b/eclass/kernel-install.eclass index f70556ad41f5..1cc2bd0bb737 100644 --- a/eclass/kernel-install.eclass +++ b/eclass/kernel-install.eclass @@ -607,6 +607,15 @@ kernel-install_pkg_preinst() { [[ ! -d ${kernel_dir} ]] && die "Kernel directory ${kernel_dir} not installed!" + # We moved this in order to omit it from the binpkg, move it back + if [[ -r "${T}/signing_key.pem" ]]; then + # cp instead of mv to set owner to root in one go + ( + umask 066 && + cp "${T}/signing_key.pem" "${kernel_dir}/certs/signing_key.pem" + ) || die + fi + # perform the version check for release ebuilds only if [[ ${PV} != *9999 ]]; then local expected_ver=$(dist-kernel_PV_to_KV "${PV}") |