1. Forum
  2. Usenet
  3. LINUX.GENTOO.DEV

  • [gentoo-dev] [PATCH 0/2] kernel-build.eclass: fix signing and compressi

    From Andrew Ammerlaan@21:1/5 to All on Thu Jun 15 12:00:02 2023
    Hi all,

    This first patch reworks the stripping of kernel modules, mirroring the
    changes from linux-mod.eclass to linux-mod-r1.eclass, and fixing Bug
    814344 and Bug 881651.

    Before this change enabling the CONFIG_MODULE_SIG=y and
    CONFIG_MODULE_SIG_ALL=y kernel options would cause the kernel build
    system to sign the kernel modules (as it should) but then portage would
    strip this signature again during install. Additionally, any keys
    generated during the build process were not installed, making it
    impossible to sign additional external kernel modules.

    Similarly enabling the CONFIG_MODULE_COMPRESS_*=y options would cause
    the kernel build system to compress the modules (as it should). But then portage can no longer strip the modules. Resulting in modules that,
    while compressed, still contain the debug symbols.

    The solution is to introduce 'IUSE="+strip"' (like in
    linux-mod-r1.eclass) and have the kernel build system itself take care
    of stripping. This way modules are stripped, if the flag is enabled,
    *before* they are signed and/or compressed.

    Additionally the eclass now also installs any signing keys that may have
    been generated during the build process.

    The second patch does not fix any bugs but does add convenience. This
    patch makes gentoo-kernel-x.y.z.ebuild respect the variables already
    introduced by linux-mod-r1.eclass. And adds a warning if we are letting
    the kernel build system generate the keys (CONFIG_MODULE_SIG=y but CONFIG_MODULE_SIG_KEY set to default). Because these generated keys will
    end up in any binary packages which might be undesirable. From a
    security point of view it is better to use an external key (i.e. define MODULES_SIGN_KEY="").

    The end result of both patches is that users who do not wish to
    configure the kernel, but still would like signed kernel modules can
    simply set 'USE="dist-kernel modules-sign"' and optionally 'MODULES_SIGN_HASH=""' and 'MODULES_SIGN_KEY=""', portage will take care
    of the rest.

    Special thanks to Ionen Wolkens for his feedback on the initial draft.

    Let me know what you think,

    Best regards,
    Andrew

    See Also: https://github.com/gentoo/gentoo/pull/31358

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)