Forum: >>> Magnum BBS <<<

[gentoo-dev] [PATCH 1/2] kernel-build.eclass: add IUSE="strip", install

From Andrew Ammerlaan@21:1/5 to All on Thu Jun 15 12:00:02 2023

From 480e54c27d09ceeb1dab662fcb395c33f807402a Mon Sep 17 00:00:00 2001
From: Andrew Ammerlaan <[email protected]>
Date: Fri, 9 Jun 2023 10:36:18 +0200
Subject: [PATCH] kernel-build.eclass: add IUSE="strip", install
generated keys

- Let the kernel build system handle stripping of the modules.
This is necessary for successfully signing and stripping
compressed modules. Inspired by linux-mod-r1.eclass.

- If the build system has generated keys or certificates,
install them. This is required to successfully sign
external kernel modules.

Closes: https://bugs.gentoo.org/814344
Closes: https://bugs.gentoo.org/881651
Signed-off-by: Andrew Ammerlaan <[email protected]>
---
eclass/kernel-build.eclass | 26 +++++++++++++++++++++++---
1 file changed, 23 insertions(+), 3 deletions(-)

diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index da215a055a467..05a2b9459f5ff 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -1,4 +1,4 @@
-# Copyright 2020-2022 Gentoo Authors
+# Copyright 2020-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2

# @ECLASS: kernel-build.eclass
@@ -41,6 +41,8 @@ BDEPEND="
app-alternatives/yacc
"

+IUSE="+strip"
+
# @FUNCTION: kernel-build_src_configure
# @DESCRIPTION:
# Prepare the toolchain for building the kernel, get the default .config
@@ -83,7 +85,7 @@ kernel-build_src_configure() {
LD="${LD}"
AR="$(tc-getAR)"
NM="$(tc-getNM)"
- STRIP=":"
+ STRIP="$(tc-getSTRIP)"
OBJCOPY="$(tc-getOBJCOPY)"
OBJDUMP="$(tc-getOBJDUMP)"

@@ -176,8 +178,18 @@ kernel-build_src_install() {
targets+=( dtbs_install )

From Andrew Ammerlaan@21:1/5 to All on Thu Jun 15 15:10:01 2023

Version 2 moves all of the logic into the eclass, reducing code
duplication at the cost of potentially having to adjust the
CONFIG_MODULE_SIG_* logic at some later stage if this changes upstream.

We now also unset KBUILD_SIGN_PIN, as is done in linux-mod-r1.eclass as
well.

From b0e42a34469c3799b2c2c636d794a95040549133 Mon Sep 17 00:00:00 2001
From: Andrew Ammerlaan <[email protected]>
Date: Thu, 15 Jun 2023 11:50:10 +0200
Subject: [PATCH] kernel-build.eclass: add IUSE="+strip modules-sign",
install
generated keys

- Let the kernel build system handle stripping of the modules.
This is necessary for successfully signing and compressing modules.
Inspired by linux-mod-r1.eclass.

- If the build system has generated keys or certificates, install them.
This is required to successfully sign external kernel modules.

- Enable module signing configure options if requested by the user.

- Define the user variables MODULES_SIGN_HASH and MODULES_SIGN_KEY.
For controlling the used hashing algorithm and allowing the use of
external keys. These variables are the same as in linux-mod-r1.eclass

- Warn the user if we are letting the kernel build system generate the
signing
key. This key will end up binary packages. Plus external modules will
have to
be resigned if gentoo-kernel is re-emerged (i.e. a new key was generated).

Closes: https://bugs.gentoo.org/814344
Closes: https://bugs.gentoo.org/881651
Signed-off-by: Andrew Ammerlaan <[email protected]>
---
eclass/kernel-build.eclass | 115 +++++++++++++++++++++++++++++++++++--
1 file changed, 111 insertions(+), 4 deletions(-)

diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index da215a055a467..7634a4445350f 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -1,4 +1,4 @@
-# Copyright 2020-2022 Gentoo Authors
+# Copyright 2020-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2

# @ECLASS: kernel-build.eclass
@@ -41,6 +41,50 @@ BDEPEND="
app-alternatives/yacc
"

+IUSE="+strip"
+
+# @ECLASS_VARIABLE: ALLOW_MODULES_SIGN
+# @PRE_INHERIT
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# If set to a non-null value, adds IUSE=modules-sign and required
+# logic to manipulate the kernel config while respecting the
+# MODULES_SIGN_HASH and MODULES_SIGN_KEY user variables.
+
+# @ECLASS_VARIABLE: MODULES_SIGN_HASH
+# @USER_VARIABLE
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# Used with USE=modules-sign. Can be set

From Andrew Ammerlaan@21:1/5 to Mike Gilbert on Thu Jun 15 16:00:01 2023

On 15/06/2023 15:46, Mike Gilbert wrote:

On Thu, Jun 15, 2023 at 9:06 AM Andrew Ammerlaan <[email protected]> wrote:

# @FUNCTION: kernel-build_merge_configs
@@ -270,16 +354,39 @@ kernel-build_merge_configs() {
local user_configs=( "${BROOT}"/etc/kernel/config.d/*.config )
shopt -u nullglob

+ local merge_configs=( "${@}" )
+
+ if [[ -n "${ALLOW_MODULES_SIGN}" ]]; then
+ if use modules-sign; then
+ : "${MODULES_SIGN_HASH:=sha512}"
+ cat <<-EOF > "${WORKDIR}/modules-sign.config" || die >> + ## Enable module signing
+ CONFIG_MODULE_SIG=y
+ CONFIG_MODULE_SIG_ALL=y
+ CONFIG_MODULE_SIG_FORCE=y
+ CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y

I'm not sure if it matters, but menuconfig would also set CONFIG_MODULE_SIG_HASH. eg.

When I tested this earlier CONFIG_MODULE_SIG_HASH was entirely dependent
on the setting of CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}.
I.e. setting CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y automatically
sets CONFIG_MODULE_SIG_HASH=${MODULES_SIGN_HASH} to the same value. Only setting CONFIG_MODULE_SIG_HASH is ignored and it reverts back to the
default value of CONFIG_MODULE_SIG_SHA512. We could set both, but there
is no functional difference.

Best regards,
Andrew

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

From Mike Gilbert@21:1/5 to [email protected] on Thu Jun 15 15:50:01 2023

On Thu, Jun 15, 2023 at 9:06 AM Andrew Ammerlaan
<[email protected]> wrote:

# @FUNCTION: kernel-build_merge_configs
@@ -270,16 +354,39 @@ kernel-build_merge_configs() {
local user_configs=( "${BROOT}"/etc/kernel/config.d/*.config )
shopt -u nullglob

+ local merge_configs=( "${@}" )
+
+ if [[ -n "${ALLOW_MODULES_SIGN}" ]]; then
+ if use modules-sign; then
+ : "${MODULES_SIGN_HASH:=sha512}"
+ cat <<-EOF > "${WORKDIR}/modules-sign.config" || die + ## Enable module signing
+ CONFIG_MODULE_SIG=y
+ CONFIG_MODULE_SIG_ALL=y
+ CONFIG_MODULE_SIG_FORCE=y
+ CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y

I'm not sure if it matters, but menuconfig would also set CONFIG_MODULE_SIG_HASH. eg.

CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
# CONFIG_MODULE_SIG_SHA1 is not set
# CONFIG_MODULE_SIG_SHA224 is not set
# CONFIG_MODULE_SIG_SHA256 is not set
# CONFIG_MODULE_SIG_SHA384 is not set
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

From Andrew Ammerlaan@21:1/5 to All on Sat Jun 17 20:20:01 2023

No functional changes in version 3, just renaming some variables and
splitting the version 2 patch.

From 969f242c3269c068ebfe5adc37ebfc92dcd56181 Mon Sep 17 00:00:00 2001
From: Andrew Ammerlaan <[email protected]>
Date: Thu, 15 Jun 2023 11:50:10 +0200
Subject: [PATCH] kernel-build.eclass: add IUSE="strip", install
generated keys

- Let the kernel build system handle stripping of the modules.
This is necessary for successfully signing and compressing modules.
Inspired by linux-mod-r1.eclass.

- If the build system has generated keys or certificates, install them.
This is required to successfully sign external kernel modules.

Closes: https://bugs.gentoo.org/814344
Closes: https://bugs.gentoo.org/881651
Signed-off-by: Andrew Ammerlaan <[email protected]>
---
eclass/kernel-build.eclass | 26 +++++++++++++++++++++++---
1 file changed, 23 insertions(+), 3 deletions(-)

diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index da215a055a467..abfb01720817a 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -1,4 +1,4 @@
-# Copyright 2020-2022 Gentoo Authors
+# Copyright 2020-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2

# @ECLASS: kernel-build.eclass
@@ -41,6 +41,8 @@ BDEPEND="
app-alternatives/yacc
"

+IUSE="+strip"
+
# @FUNCTION: kernel-build_src_configure
# @DESCRIPTION:
# Prepare the toolchain for building the kernel, get the default .config
@@ -83,7 +85,7 @@ kernel-build_src_configure() {
LD="${LD}"
AR="$(tc-getAR)"
NM="$(tc-getNM)"
- STRIP=":"
+ STRIP="$(tc-getSTRIP)"
OBJCOPY="$(tc-getOBJCOPY)"
OBJDUMP="$(tc-getOBJDUMP)"

@@ -176,8 +178,18 @@ kernel-build_src_install() {
targets+=( dtbs_install )

Who's Online
Recent Visitors
- Krenn
  Sat Jun 6 11:38:56 2026
  from Sydney, Nsw via Telnet
- Furryboy
  Sat Jun 6 10:56:29 2026
  from Romania, Galati via SSH
- Centurion
  Fri Jun 5 22:28:01 2026
  from Berea, Ohio via Telnet
- Ab Cadd
  Fri Jun 5 17:52:51 2026
  from Sheboygan, Wi via Telnet
- Gwylbert
  Fri Jun 5 06:28:52 2026
  from Sydney, Nsw via Telnet
- Centurion
  Thu Jun 4 23:42:23 2026
  from Berea, Ohio via Telnet
- Michal Wronka
  Thu Jun 4 23:19:58 2026
  from Wroclaw, Poland via Telnet
- Michal Wronka
  Thu Jun 4 23:17:20 2026
  from Wroclaw, Poland via SSH

System Info

Sysop:	Keyop
Location:	Huddersfield, West Yorkshire, UK
Users:	715
Nodes:	16 (2 / 14)
Uptime:	144:22:01
Calls:	12,089
Calls today:	2
Files:	15,000
Messages:	6,517,490

[gentoo-dev] [PATCH 1/2] kernel-build.eclass: add IUSE="strip", install

Who's Online

Recent Visitors

System Info