1 |
eee74b9fca1 adds support for module compression, but this breaks loading |
2 |
out of tree modules when module signing is enforced because modules must |
3 |
be signed before they are compressed. Additionally, the recommended |
4 |
Portage hook[1] no longer works with this change. |
5 |
|
6 |
Add module signing support in linux-mod.eclass which more or less does |
7 |
exactly what the aforementioned Portage hook does. If the kernel |
8 |
configuration has CONFIG_MODULE_SIG_ALL=y, then read the hash and keys |
9 |
from the kernel configuration and call the sign_file tool to sign the |
10 |
module before it is compressed. |
11 |
|
12 |
Bug: https://bugs.gentoo.org/show_bug.cgi?id=447352 |
13 |
Signed-off-by: Kenton Groombridge <concord@g.o> |
14 |
--- |
15 |
eclass/linux-mod.eclass | 16 ++++++++++++++++ |
16 |
1 file changed, 16 insertions(+) |
17 |
|
18 |
diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass |
19 |
index b7c13cbf7e7..fd40f6d7c6c 100644 |
20 |
--- a/eclass/linux-mod.eclass |
21 |
+++ b/eclass/linux-mod.eclass |
22 |
@@ -712,6 +712,22 @@ linux-mod_src_install() { |
23 |
cd "${objdir}" || die "${objdir} does not exist" |
24 |
insinto "${INSTALL_MOD_PATH}"/lib/modules/${KV_FULL}/${libdir} |
25 |
|
26 |
+ # check here for CONFIG_MODULE_SIG_ALL and sign the module being built if enabled. |
27 |
+ # modules must be signed before they are compressed. |
28 |
+ |
29 |
+ if linux_chkconfig_present MODULE_SIG_ALL; then |
30 |
+ local module_sig_hash="$(linux_chkconfig_string MODULE_SIG_HASH)" |
31 |
+ local module_sig_key="$(linux_chkconfig_string MODULE_SIG_KEY)" |
32 |
+ module_sig_key="${module_sig_key:-certs/signing_key.pem}" |
33 |
+ if [[ "${module_sig_key#pkcs11:}" == "${module_sig_key}" && "${module_sig_key#/}" == "${module_sig_key}" ]]; then |
34 |
+ local key_path="${KERNEL_DIR}/${module_sig_key}" |
35 |
+ else |
36 |
+ local key_path="${module_sig_key}" |
37 |
+ fi |
38 |
+ local cert_path="${KERNEL_DIR}/certs/signing_key.x509" |
39 |
+ "${KERNEL_DIR}"/scripts/sign-file ${module_sig_hash//\"} ${key_path//\"} ${cert_path} ${modulename}.${KV_OBJ} |
40 |
+ fi |
41 |
+ |
42 |
# check here for CONFIG_MODULE_COMPRESS_<compression option> (NONE, GZIP, XZ, ZSTD) |
43 |
# and similarily compress the module being built if != NONE. |
44 |
|
45 |
-- |
46 |
2.35.1 |