Hi all,
This is a small patch from [1] that allows signing kernel modules using
a separate key and certificate PEM file. See the commit message below
for a more in-depth explanation.
Best regards,
Andrew
[1] https://github.com/gentoo/gentoo/pull/32275
From 61b7db57f343ab172bcc449320c4e96cafb9cd06 Mon Sep 17 00:00:00 2001
From: Violet Purcell <[email protected]>
Date: Sat, 12 Aug 2023 16:59:14 -0400
Subject: [PATCH] kernel-build.eclass: Fix separate private and public module
signing keys
The kernel expects CONFIG_MODULE_SIG_KEY to be either a pkcs11 URI
containing references to both a private and public key, or a path to a PEM
file containing both the private and public keys. However, currently the
kernel build will fail if MODULES_SIGNING_KEY is set to a PEM file
containing only the private key. This commit adds a step in
kernel-build_merge_configs that concatenates MODULES_SIGNING_KEY and
MODULES_SIGNING_CERT into ${T}/kernel_key.pem if both files exist and
are not the same path. It then sets MODULES_SIGNING_KEY to
${T}/kernel_key.pem. This should fix building with separate private and
public module signing keys.
Signed-off-by: Violet Purcell <[email protected]>
---
eclass/kernel-build.eclass | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index 276a08a104e0e..1a33ce2e875f2 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -57,7 +57,8 @@ IUSE="+strip"
# @DESCRIPTION:
# If set to a non-null value, adds IUSE=modules-sign and required
# logic to manipulate the kernel config while respecting the
-# MODULES_SIGN_HASH and MODULES_SIGN_KEY user variables.
+# MODULES_SIGN_HASH, MODULES_SIGN_CERT, and MODULES_SIGN_KEY user
+# variables.
# @ECLASS_VARIABLE: MODULES_SIGN_HASH
# @USER_VARIABLE
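Review bot: the variable names in the commit message do not match the ones documented in this hunk: the message speaks of MODULES_SIGNING_KEY and MODULES_SIGNING_CERT, while the eclass variables are MODULES_SIGN_HASH, MODULES_SIGN_CERT and MODULES_SIGN_KEY. Please align the commit message with the eclass names so that anyone searching the git log for the variable they set in make.conf finds this change. It would also help to say in this summary that MODULES_SIGN_CERT is only needed when MODULES_SIGN_KEY holds the private key alone, so readers are not left wondering why a certificate variable appeared next to the key and hash.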
@@ -89,6 +90,14 @@ IUSE="+strip"
#
# Default if unset: certs/signing_key.pem
+# @ECLASS_VARIABLE: MODULES_SIGN_CERT
+# @USER_VARIABLE
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# Used with USE=modules-sign. Can be set to the path of the public
+# key in PEM format to use. Must be specified if MODULES_SIGN_KEY
+# is set to a path o
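Review bot: "the path of the public key in PEM format" in the new @DESCRIPTION understates what is needed here. CONFIG_MODULE_SIG_KEY carries the private key together with its X.509 certificate (the commit message itself says the PEM must hold "both the private and public keys"), so a user who follows this text literally and supplies an `openssl pkey -pubout` style public key will get a file the kernel build cannot use; suggest "the X.509 certificate in PEM format that belongs to the private key in MODULES_SIGN_KEY". Two more things the description should cover: the documentation just above says MODULES_SIGN_KEY defaults to certs/signing_key.pem, which already contains both parts, so state that MODULES_SIGN_CERT must stay unset in that case and when MODULES_SIGN_KEY is a pkcs11 URI (the case the commit message mentions); and because the merge step concatenates the two files without checking that they pair up, a certificate that does not match the private key yields a kernel whose built-in certificate can never verify the modules it signs, which only shows up at module load time. Either verify in kernel-build_merge_configs that the certificate's public key matches the private key before writing ${T}/kernel_key.pem, or spell out that the user is responsible for that. Since ${T}/kernel_key.pem is a fresh copy of a private key, creating it with owner-only permissions (umask 077 or chmod 0600) would also be prudent.

Added example, not code from kernel-build.eclass or from this patch: a shell script that performs the step the commit message describes, concatenating a separate private key and certificate into one PEM suitable for CONFIG_MODULE_SIG_KEY, but only after confirming that the certificate was issued for that private key, and writing the result with owner-only permissions. The function names (pem_block_count, key_fingerprint, cert_fingerprint, key_matches_cert, build_combined_pem, make_test_keypair) and the throwaway self-signed certificates are my own constructions; openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from kernel-build.eclass or the patch above). Builds the
# single key+certificate PEM that CONFIG_MODULE_SIG_KEY expects from a separate
# private key and certificate, refusing to do so when the two do not pair up.
# Assumes openssl on PATH; function names and test material are constructed here.
set -eu

# Count PEM blocks of one type. "PRIVATE KEY" also matches "RSA PRIVATE KEY"
# and "EC PRIVATE KEY"; "CERTIFICATE" does not match "CERTIFICATE REQUEST".
pem_block_count() {
    grep -c -- "-----BEGIN .*$2-----" "$1" || true
}

# SHA-256 over the DER SubjectPublicKeyInfo, so RSA and EC keys compare alike.
key_fingerprint() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{ print $NF }'
}
cert_fingerprint() {
    openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{ print $NF }'
}

# True when the certificate (arg 2) was issued for the private key (arg 1).
key_matches_cert() {
    local k c
    k=$(key_fingerprint "$1") || return 1
    c=$(cert_fingerprint "$2") || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Assemble the combined PEM the way the patch's merge step does (private key,
# then certificate), but only for a matching pair and with owner-only
# permissions, since the output carries a private key.
build_combined_pem() {
    local key=$1 cert=$2 out=$3
    if ! key_matches_cert "$key" "$cert"; then
        echo "refusing: $cert does not match $key" >&2
        return 1
    fi
    ( umask 077 && cat "$key" "$cert" > "$out" )
    [ "$(pem_block_count "$out" 'PRIVATE KEY')" -eq 1 ] &&
        [ "$(pem_block_count "$out" CERTIFICATE)" -eq 1 ]
}

# Throwaway key and self-signed certificate (constructed test material). A real
# module-signing certificate should follow the kernel's certs/x509.genkey
# template (keyUsage=digitalSignature, basicConstraints=critical,CA:FALSE).
make_test_keypair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=example module signing key/' \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

demo() {
    local work
    work=$(mktemp -d)
    mkdir "$work/a" "$work/b"
    make_test_keypair "$work/a"
    make_test_keypair "$work/b"
    build_combined_pem "$work/a/key.pem" "$work/a/cert.pem" "$work/kernel_key.pem" &&
        echo "wrote $work/kernel_key.pem; point MODULES_SIGN_KEY at it"
    # Key from one pair with the certificate of the other: must be refused.
    build_combined_pem "$work/a/key.pem" "$work/b/cert.pem" "$work/bad.pem" ||
        echo "mismatched pair rejected, nothing written"
    ls -l "$work"
    rm -rf "$work"
}

if command -v openssl >/dev/null 2>&1; then
    demo
else
    echo "openssl not found; skipping demo" >&2
fi
```

The fingerprint comparison is done on the SubjectPublicKeyInfo rather than on an RSA modulus so the same check works for the ECDSA keys newer kernels can use for module signing; the block counts on the output are the same sanity check a user can run by hand against whatever they put into MODULES_SIGN_KEY.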