* [gentoo-dev] [PATCH] kernel-install.eclass: ensure a secureboot cert is always set
@ 2025-09-25 16:51 Nowa Ammerlaan
From: Nowa Ammerlaan @ 2025-09-25 16:51 UTC
To: gentoo-dev; +Cc: Nowa Ammerlaan
When the kernel is re-installed via pkg_config the certificate may
be gone. Detect if this is the case and if so try to extract the
certificate from the kernel install directory and use that for
verification later on in the (re-)install process.
Signed-off-by: Nowa Ammerlaan <nowa@gentoo.org>
---
eclass/kernel-install.eclass | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/eclass/kernel-install.eclass b/eclass/kernel-install.eclass
index 35254b357005..7fd714111daf 100644
--- a/eclass/kernel-install.eclass
+++ b/eclass/kernel-install.eclass
@@ -728,11 +728,20 @@ kernel-install_install_all() {
local dir_ver=${1}
local kernel_dir=${EROOT}/usr/src/linux-${dir_ver}
local relfile=${kernel_dir}/include/config/kernel.release
+ local kernel_cert=${kernel_dir}/certs/signing_key.x509
local image_path=$(dist-kernel_get_image_path)
local image_dir=${image_path%/*}
local module_ver
module_ver=$(<"${relfile}") || die
+ if [[ ! -r ${SECUREBOOT_SIGN_CERT} && -r ${kernel_cert} ]]; then
+ openssl x509 \
+ -inform DER -in "${kernel_cert}" \
+ -outform PEM -out "${T}/cert.pem" ||
+ die "Failed to convert kernel certificate to PEM format"
+ export SECUREBOOT_SIGN_CERT=${T}/cert.pem
+ fi
+
if [[ ${KERNEL_IUSE_GENERIC_UKI} ]]; then
if use generic-uki; then
# Populate placeholders
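Review bot: the condition `[[ ! -r ${SECUREBOOT_SIGN_CERT} && -r ${kernel_cert} ]]` does not distinguish an unset SECUREBOOT_SIGN_CERT from one that is set but unreadable (wrong path, permissions), so in the second case the certificate the user configured is silently replaced by the one extracted from ${kernel_dir}/certs and later verification runs against a different certificate than intended. Consider testing for the empty case separately (`-z`) and emitting an ewarn or einfo line that names both paths whenever the fallback is taken, so the substitution is visible in the build log. The block also has no else branch: when neither file is readable, the function continues with SECUREBOOT_SIGN_CERT still unusable and no message, which does not match the "always set" in the subject; a warning or die there would make the later verification failure easier to trace. A short comment above the block saying that signing_key.x509 is expected in DER form would document why `-inform DER` is hard-coded.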
--
2.51.0