* [gentoo-dev] [PATCH] kernel-build.eclass: replace cert with pubkey in generic-uki .pcrpkey
@ 2025-09-11 16:47 Nowa Ammerlaan
From: Nowa Ammerlaan @ 2025-09-11 16:47 UTC
To: gentoo-dev; +Cc: Nowa Ammerlaan
This is the final piece in the Measured Boot puzzle: we have been
putting the full certificate in the pcrpkey section. But though the
certificate does contain the public key, the tools downstream get
confused by the incorrect format. We now resolve the problem by
extracting the public key from the certificate and using that instead.
See-also: https://github.com/systemd/systemd/issues/38833
Closes: https://bugs.gentoo.org/960276
Signed-off-by: Nowa Ammerlaan <nowa@gentoo.org>
---
eclass/kernel-build.eclass | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index 7a5c80cfd6a6..2b16d0a226dd 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -609,14 +609,13 @@ kernel-build_src_install() {
done
if [[ ${KERNEL_IUSE_MODULES_SIGN} ]] && use secureboot; then
- # --pcrpkey is appended as is. If the certificate and key
- # are in the same file, we could accidentally leak the key
- # into the UKI. Pass the certificate through openssl to ensure
- # that it truly contains *only* the certificate.
+ # The PCR public key option should contain *only* the
+ # public key, not the full certificate containing the
+ # public key. Bug #960276
openssl x509 \
-in "${SECUREBOOT_SIGN_CERT}" -inform PEM \
- -out "${T}/pcrpkey.pem" -outform PEM ||
- die "Failed to extract certificate"
+ -noout -pubkey > "${T}/pcrpkey.pem" ||
+ die "Failed to extract public key"
ukify_args+=(
--secureboot-private-key="${SECUREBOOT_SIGN_KEY}"
--secureboot-certificate="${SECUREBOOT_SIGN_CERT}"
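Review bot: the replacement comment (`+ # The PCR public key option should contain *only* the` ... `Bug #960276`) drops the rationale the old comment carried, namely that `--pcrpkey` is appended as-is and a file holding both certificate and key could leak the private key into the UKI. `openssl x509 -noout -pubkey` still provides that protection, because it parses only the CERTIFICATE block and emits just the SubjectPublicKeyInfo, so please keep one sentence about it in the comment; otherwise a later edit could "simplify" this into a plain copy of `${SECUREBOOT_SIGN_CERT}` and reintroduce the leak. Minor: the output is now produced by shell redirection rather than `-out`/`-outform PEM`, so a short note that `-pubkey` writes PEM would make the format of `${T}/pcrpkey.pem` obvious to the next reader.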
@@ -627,17 +626,19 @@ kernel-build_src_install() {
ukify_args+=(
--signing-engine="pkcs11"
--pcr-private-key="${SECUREBOOT_SIGN_KEY}"
- --pcr-public-key="${SECUREBOOT_SIGN_CERT}"
+ --pcr-public-key="${T}/pcrpkey.pem"
--phases="enter-initrd"
--pcr-private-key="${SECUREBOOT_SIGN_KEY}"
- --pcr-public-key="${SECUREBOOT_SIGN_CERT}"
+ --pcr-public-key="${T}/pcrpkey.pem"
--phases="enter-initrd:leave-initrd enter-initrd:leave-initrd:sysinit enter-initrd:leave-initrd:sysinit:ready"
)
else
ukify_args+=(
--pcr-private-key="${SECUREBOOT_SIGN_KEY}"
+ --pcr-public-key="${T}/pcrpkey.pem"
--phases="enter-initrd"
--pcr-private-key="${SECUREBOOT_SIGN_KEY}"
+ --pcr-public-key="${T}/pcrpkey.pem"
--phases="enter-initrd:leave-initrd enter-initrd:leave-initrd:sysinit enter-initrd:leave-initrd:sysinit:ready"
)
fi
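Review bot: the two `+ --pcr-public-key="${T}/pcrpkey.pem"` lines in the `else` branch add a public key to the non-pkcs11 path, which previously passed no `--pcr-public-key` at all, while `${T}/pcrpkey.pem` is only generated inside the `use secureboot` block of the previous hunk. The context here starts at line 626, so it cannot be seen whether this `else` is still inside that block; please confirm it is, otherwise the non-pkcs11 path would reference a file that was never written. The commit message should also mention that the non-pkcs11 path now gains `--pcr-public-key` for the first time, since the summary line only describes swapping the certificate for the public key.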
--
2.51.0
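As an added example (not part of the patch or of kernel-build.eclass), the following shell script reproduces both ways of filling the `.pcrpkey` section and checks what each produces. It assumes only that `openssl` (1.1.1 or 3.x) is on PATH; the key, certificate and combined key+certificate file are throwaway fixtures generated by the script itself:

```shell
#!/bin/sh
# Added example, not code from the Gentoo eclass or the patch above.
# Compares the pre-patch (certificate passthrough) and post-patch
# (-noout -pubkey) ways of producing the .pcrpkey input and checks
# that only the latter yields a clean public key. Assumes `openssl` on PATH.
set -u

# Constructed fixtures: EC key, self-signed cert, and a combined PEM holding
# both (the layout the old eclass comment warned could leak the key).
# Prints the work directory on stdout.
make_fixtures() {
    wd=$(mktemp -d)
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$wd/key.pem" 2>/dev/null || return 1
    openssl req -x509 -new -key "$wd/key.pem" -subj "/CN=uki-pcr-test" \
        -days 1 -out "$wd/cert.pem" 2>/dev/null || return 1
    # key first, certificate second: openssl x509 skips the non-matching
    # block and reads the CERTIFICATE, so both extractors get the same input
    cat "$wd/key.pem" "$wd/cert.pem" > "$wd/combined.pem"
    echo "$wd"
}

# Pre-patch behaviour: openssl x509 passthrough. Drops a co-located private
# key but still emits a CERTIFICATE block, not a bare public key.
extract_old() {  # $1=input PEM  $2=output file
    openssl x509 -in "$1" -inform PEM -out "$2" -outform PEM 2>/dev/null
}

# Post-patch behaviour: -noout -pubkey emits only the SubjectPublicKeyInfo.
extract_new() {  # $1=input PEM  $2=output file
    openssl x509 -in "$1" -inform PEM -noout -pubkey > "$2" 2>/dev/null
}

# Returns 0 iff $1 holds exactly one PUBLIC KEY block, no certificate and no
# private key, parses as a public key, and equals the public half of key $2.
is_clean_pubkey() {
    [ "$(grep -c -- '-----BEGIN PUBLIC KEY-----' "$1")" -eq 1 ] || return 1
    grep -q -- 'PRIVATE KEY' "$1" && return 1
    grep -q -- 'BEGIN CERTIFICATE' "$1" && return 1
    openssl pkey -pubin -in "$1" -noout 2>/dev/null || return 1
    openssl pkey -in "$2" -pubout 2>/dev/null | cmp -s - "$1"
}

# Runs both extractors on the combined file. Returns 0 when the old output
# is rejected and the new output is accepted by is_clean_pubkey.
check_pcrpkey_extraction() {
    wd=$(make_fixtures) || return 1
    extract_old "$wd/combined.pem" "$wd/old.pem" || return 1
    extract_new "$wd/combined.pem" "$wd/new.pem" || return 1
    old_ok=1; new_ok=1
    is_clean_pubkey "$wd/old.pem" "$wd/key.pem" && old_ok=0
    is_clean_pubkey "$wd/new.pem" "$wd/key.pem" && new_ok=0
    echo "old (cert passthrough) clean=$old_ok  new (-noout -pubkey) clean=$new_ok"
    rm -rf "$wd"
    [ "$old_ok" -eq 1 ] && [ "$new_ok" -eq 0 ]
}

check_pcrpkey_extraction
```

The same `is_clean_pubkey` check can be run against an already built UKI by dumping the section first, e.g. `objcopy -O binary --only-section=.pcrpkey uki.efi pcrpkey.pem`, which is a quick way to confirm that an installed image carries a bare public key rather than a certificate or, worse, a private key.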