author | 2025-01-04 13:56:20 +0100 | |
---|---|---|
committer | 2025-01-05 14:39:25 +0100 | |
commit | b678c191a5e453a42b6dcf2b3406fd41fcd6d5c7 (patch) | |
tree | 367a4426eeb2430a095cb0e3a43560439826e85f /eclass | |
parent | media-gfx/wings: bump to 2.4 (diff) | |
kernel-build.eclass: pcrpkey should be PEM not DER
We still need the call to openssl to ensure that we don't accidentally append
the key itself to the UKI.
Signed-off-by: Nowa Ammerlaan <nowa@gentoo.org>
Diffstat (limited to 'eclass')
-rw-r--r-- | eclass/kernel-build.eclass | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index aae55d9e3ac5..e3175453fea7 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -587,14 +587,18 @@ kernel-build_src_install() {
 done
 if [[ ${KERNEL_IUSE_MODULES_SIGN} ]] && use secureboot; then
+ # --pcrpkey is appended as is. If the certificate and key
+ # are in the same file, we could accidentally leak the key
+ # into the UKI. Pass the certificate through openssl to ensure
+ # that it truly contains *only* the certificate.
 openssl x509 \
 -in "${SECUREBOOT_SIGN_CERT}" -inform PEM \
- -out ${T}/pcrpkey.der -outform DER ||
- die "Failed to convert certificate to DER format"
+ -out "${T}/pcrpkey.pem" -outform PEM ||
+ die "Failed to extract certificate"
 ukify_args+=(
 --secureboot-private-key="${SECUREBOOT_SIGN_KEY}"
 --secureboot-certificate="${SECUREBOOT_SIGN_CERT}"
- --pcrpkey="${T}/pcrpkey.der"
+ --pcrpkey="${T}/pcrpkey.pem"
 --measure
 )
 if [[ ${SECUREBOOT_SIGN_KEY} == pkcs11:* ]]; then |
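Review bot: The new comment above the openssl call names the risk but not the mechanism that removes it; `openssl x509` reads only the first CERTIFICATE PEM block of its input and writes just that object back out, which is what drops a PRIVATE KEY block sharing the file, so I would say so explicitly: `# openssl x509 re-emits only the first CERTIFICATE block, so a PRIVATE KEY block in the same file is never copied.`. A consequence worth recording is that a file carrying a chain yields only its first certificate, so that one must be the signing certificate. The `-inform PEM` on the input also means a DER-encoded SECUREBOOT_SIGN_CERT fails here, and the new message no longer hints at the format; `die "Failed to extract certificate from ${SECUREBOOT_SIGN_CERT} (PEM expected)"` would keep that hint. kernel-build_src_install begins and ends outside the hunk.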