В Чт, 20/09/2018 в 22:13 -0700, Georgy Yakovlev пишет: |
> ----------------->%------------------- |
> @@ -144,13 +158,16 @@ esac |
4 |
> 0) die "EAPI=${EAPI} is not supported with |
5 |
> MODULES_OPTIONAL_USE_IUSE_DEFAULT due to lack of IUSE defaults" ;; |
6 |
> esac |
7 |
> |
8 |
> -IUSE="kernel_linux |
9 |
> ${MODULES_OPTIONAL_USE:+${_modules_optional_use_iuse_default}}${MODUL |
10 |
> ES_OPTIONAL_USE}" |
11 |
> +IUSE="module-sign kernel_linux |
12 |
> ${MODULES_OPTIONAL_USE:+${_modules_optional_use_iuse_default}}${MODUL |
13 |
> ES_OPTIONAL_USE}" |
14 |
> SLOT="0" |
15 |
> RDEPEND="${MODULES_OPTIONAL_USE}${MODULES_OPTIONAL_USE:+? (} |
16 |
> kernel_linux? ( virtual/modutils ) ${MODULES_OPTIONAL_USE:+)}" |
17 |
> DEPEND="${RDEPEND} |
18 |
> ${MODULES_OPTIONAL_USE}${MODULES_OPTIONAL_USE:+? (} |
19 |
> sys-apps/sed |
20 |
> - kernel_linux? ( virtual/linux-sources virtual/libelf ) |
21 |
> + kernel_linux? ( |
22 |
> + virtual/linux-sources virtual/libelf |
23 |
> + module-sign? ( || ( dev-libs/openssl dev- |
24 |
> libs/libressl ) ) |
25 |
> + ) |
26 |
|
27 |
It should depend on the proper openssl slot: dev-libs/openssl:0 |
28 |
|
29 |
> ${MODULES_OPTIONAL_USE:+)}" |
30 |
> |
31 |
> # eclass utilities |
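Review bot: The new `module-sign` flag on the `IUSE=` line is declared with no comment saying what it does or which key it uses, and the flag is added for every ebuild that inherits this eclass. From the quoted `_sign_module` further down, signing appears to take the hash and key path from `MODULE_SIG_HASH` and `MODULE_SIG_KEY` in the kernel `.config`, so enabling the flag presumably means the package build reads the signing key kept in the kernel build tree. That is worth stating where the flag is introduced, for example `# module-sign: sign built modules with the key named by CONFIG_MODULE_SIG_KEY in the kernel .config` above `IUSE=`. The scissors line shows that part of the patch was snipped above this hunk, so this applies only if the flag is not already documented there.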
32 |
> @@ -352,6 +369,84 @@ get-KERNEL_CC() { |
33 |
> echo "${kernel_cc}" |
34 |
> } |
35 |
> |
36 |
> +# @FUNCTION: _check_sig_force |
37 |
> +# @INTERNAL |
38 |
> +# @DESCRIPTION: |
39 |
> +# Check if kernel requires module signing and die |
40 |
> +# if modules are not going to be signed. |
41 |
> +_check_sig_force() { |
42 |
> + debug-print-function ${FUNCNAME} "${@}" |
43 |
> + |
44 |
> + if linux_chkconfig_present MODULE_SIG_FORCE; then |
45 |
> + if use !module-sign; then |
46 |
> + eerror "kernel .config has |
47 |
> MODULE_SIG_FORCE=y option set" |
48 |
> + eerror "This means that kernel requires all |
49 |
> modules" |
50 |
> + eerror "to be signed and verified before |
51 |
> loading" |
52 |
> + eerror "please enable USE=\"module-sign\" or |
53 |
> reconfigure your kernel" |
54 |
> + eerror "otherwise loading the module will |
55 |
> fail" |
56 |
> + die "signature required" |
57 |
> + fi |
58 |
> + fi |
59 |
> +} |
60 |
> + |
61 |
> +# @FUNCTION: _sign_module |
62 |
> +# @INTERNAL |
63 |
> +# @USAGE: <filename> |
64 |
> +# @DESCRIPTION: |
65 |
> +# Sign a kernel module |
66 |
> +_sign_module() { |
67 |
> + debug-print-function ${FUNCNAME} "${@}" |
68 |
> + |
69 |
> + local dotconfig_sig_hash dotconfig_sig_key |
70 |
> + local sign_binary_path sig_key_path sig_x509_path |
71 |
> + local module |
72 |
> + |
73 |
> + # extract values from kernel .config |
74 |
> + # extracted key path is not full, e.g. |
75 |
> "certs/signing_key.pem" |
76 |
> + dotconfig_sig_hash="$(linux_chkconfig_string |
77 |
> MODULE_SIG_HASH)" |
78 |
> + dotconfig_sig_key="$(linux_chkconfig_string MODULE_SIG_KEY)" |
79 |
> + |
80 |
> + # sign-file binary chokes on double quotes |
81 |
> + dotconfig_sig_hash=${dotconfig_sig_hash//\"/} |
82 |
> + dotconfig_sig_key=${dotconfig_sig_key//\"/} |
83 |
> + |
84 |
> + sign_binary_path="${KV_OUT_DIR}/scripts/sign-file" |
85 |
|
86 |
Yet another way to screw up modules building. It relies on some binary |
87 |
in the kernel build dir that may break after openssl update (e.g. |
88 |
soname change). |