diff options
author | Violet Purcell <vimproved@inventati.org> | 2023-11-27 12:12:09 -0500 |
---|---|---|
committer | Andrew Ammerlaan <andrewammerlaan@gentoo.org> | 2023-12-11 13:39:35 +0100 |
commit | 3e0c89e3b299928215dd505467e49f13f8bbbbd3 (patch) | |
tree | ae51300c1ea4013a58948c8342ad4874b76b2a9c /eclass/kernel-build.eclass | |
parent | kernel-install.eclass: fix test phase on systemd systems (diff) | |
download | gentoo-3e0c89e3b299928215dd505467e49f13f8bbbbd3.tar.gz gentoo-3e0c89e3b299928215dd505467e49f13f8bbbbd3.tar.bz2 gentoo-3e0c89e3b299928215dd505467e49f13f8bbbbd3.zip |
kernel-build.eclass: work around permissions issue with module signing
Currently, using a custom path for MODULES_SIGN_KEY requires the key to
be readable by portage:portage. This is not ideal for security, since
the file has to be either owned by portage:portage or readable by all
users in this case. Instead, export the contents of MODULES_SIGN_KEY to
a variable in pkg_setup, and then create a temporary file with it in
src_configure to ensure that the temporary key is readable by the user
that the kernel is being built as. The variable is then unset so it does
not end up in the final environment file.
Co-authored-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Signed-off-by: Violet Purcell <vimproved@inventati.org>
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Diffstat (limited to 'eclass/kernel-build.eclass')
-rw-r--r-- | eclass/kernel-build.eclass | 18 |
1 files changed, 12 insertions, 6 deletions
diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass index f5529c319f9f..6b692dc4f9a0 100644 --- a/eclass/kernel-build.eclass +++ b/eclass/kernel-build.eclass @@ -114,6 +114,13 @@ kernel-build_pkg_setup() { python-any-r1_pkg_setup if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then secureboot_pkg_setup + if [[ -e ${MODULES_SIGN_KEY} && ${MODULES_SIGN_KEY} != pkcs11:* ]]; then + if [[ -e ${MODULES_SIGN_CERT} && ${MODULES_SIGN_CERT} != ${MODULES_SIGN_KEY} ]]; then + MODULES_SIGN_KEY_CONTENTS="$(cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" || die)" + else + MODULES_SIGN_KEY_CONTENTS="$(< "${MODULES_SIGN_KEY}")" + fi + fi fi } @@ -422,12 +429,11 @@ kernel-build_merge_configs() { CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y EOF - if [[ -e ${MODULES_SIGN_KEY} && -e ${MODULES_SIGN_CERT} && - ${MODULES_SIGN_KEY} != ${MODULES_SIGN_CERT} && - ${MODULES_SIGN_KEY} != pkcs11:* ]] - then - cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" > "${T}/kernel_key.pem" || die - MODULES_SIGN_KEY="${T}/kernel_key.pem" + if [[ -n ${MODULES_SIGN_KEY_CONTENTS} ]]; then + (umask 066 && touch "${T}/kernel_key.pem" || die) + echo "${MODULES_SIGN_KEY_CONTENTS}" > "${T}/kernel_key.pem" || die + unset MODULES_SIGN_KEY_CONTENTS + export MODULES_SIGN_KEY="${T}/kernel_key.pem" fi if [[ ${MODULES_SIGN_KEY} == pkcs11:* || -r ${MODULES_SIGN_KEY} ]]; then echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \ |