| 1 |
В Чт, 20/09/2018 в 22:13 -0700, Georgy Yakovlev пишет: |
| 2 |
> ----------------->%------------------- |
| 3 |
> @@ -144,13 +158,16 @@ esac |
| 4 |
> 0) die "EAPI=${EAPI} is not supported with |
| 5 |
> MODULES_OPTIONAL_USE_IUSE_DEFAULT due to lack of IUSE defaults" ;; |
| 6 |
> esac |
| 7 |
> |
| 8 |
> -IUSE="kernel_linux |
| 9 |
> ${MODULES_OPTIONAL_USE:+${_modules_optional_use_iuse_default}}${MODUL |
| 10 |
> ES_OPTIONAL_USE}" |
| 11 |
> +IUSE="module-sign kernel_linux |
| 12 |
> ${MODULES_OPTIONAL_USE:+${_modules_optional_use_iuse_default}}${MODUL |
| 13 |
> ES_OPTIONAL_USE}" |
| 14 |
> SLOT="0" |
| 15 |
> RDEPEND="${MODULES_OPTIONAL_USE}${MODULES_OPTIONAL_USE:+? (} |
| 16 |
> kernel_linux? ( virtual/modutils ) ${MODULES_OPTIONAL_USE:+)}" |
| 17 |
> DEPEND="${RDEPEND} |
| 18 |
> ${MODULES_OPTIONAL_USE}${MODULES_OPTIONAL_USE:+? (} |
| 19 |
> sys-apps/sed |
| 20 |
> - kernel_linux? ( virtual/linux-sources virtual/libelf ) |
| 21 |
> + kernel_linux? ( |
| 22 |
> + virtual/linux-sources virtual/libelf |
| 23 |
> + module-sign? ( || ( dev-libs/openssl dev- |
| 24 |
> libs/libressl ) ) |
| 25 |
> + ) |
| 26 |
|
| 27 |
It should depend on the proper openssl slot: dev-libs/openssl:0 |
| 28 |
|
| 29 |
> ${MODULES_OPTIONAL_USE:+)}" |
| 30 |
> |
| 31 |
> # eclass utilities |
| 32 |
> @@ -352,6 +369,84 @@ get-KERNEL_CC() { |
| 33 |
> echo "${kernel_cc}" |
| 34 |
> } |
| 35 |
> |
| 36 |
> +# @FUNCTION: _check_sig_force |
| 37 |
> +# @INTERNAL |
| 38 |
> +# @DESCRIPTION: |
| 39 |
> +# Check if kernel requires module signing and die |
| 40 |
> +# if modules are not going to be signed. |
| 41 |
> +_check_sig_force() { |
| 42 |
> + debug-print-function ${FUNCNAME} "${@}" |
| 43 |
> + |
| 44 |
> + if linux_chkconfig_present MODULE_SIG_FORCE; then |
| 45 |
> + if use !module-sign; then |
| 46 |
> + eerror "kernel .config has |
| 47 |
> MODULE_SIG_FORCE=y option set" |
| 48 |
> + eerror "This means that kernel requires all |
| 49 |
> modules" |
| 50 |
> + eerror "to be signed and verified before |
| 51 |
> loading" |
| 52 |
> + eerror "please enable USE=\"module-sign\" or |
| 53 |
> reconfigure your kernel" |
| 54 |
> + eerror "otherwise loading the module will |
| 55 |
> fail" |
| 56 |
> + die "signature required" |
| 57 |
> + fi |
| 58 |
> + fi |
| 59 |
> +} |
| 60 |
> + |
| 61 |
> +# @FUNCTION: _sign_module |
| 62 |
> +# @INTERNAL |
| 63 |
> +# @USAGE: <filename> |
| 64 |
> +# @DESCRIPTION: |
| 65 |
> +# Sign a kernel module |
| 66 |
> +_sign_module() { |
| 67 |
> + debug-print-function ${FUNCNAME} "${@}" |
| 68 |
> + |
| 69 |
> + local dotconfig_sig_hash dotconfig_sig_key |
| 70 |
> + local sign_binary_path sig_key_path sig_x509_path |
| 71 |
> + local module |
| 72 |
> + |
| 73 |
> + # extract values from kernel .config |
| 74 |
> + # extracted key path is not full, e.g. |
| 75 |
> "certs/signing_key.pem" |
| 76 |
> + dotconfig_sig_hash="$(linux_chkconfig_string |
| 77 |
> MODULE_SIG_HASH)" |
| 78 |
> + dotconfig_sig_key="$(linux_chkconfig_string MODULE_SIG_KEY)" |
| 79 |
> + |
| 80 |
> + # sign-file binary chokes on double quotes |
| 81 |
> + dotconfig_sig_hash=${dotconfig_sig_hash//\"/} |
| 82 |
> + dotconfig_sig_key=${dotconfig_sig_key//\"/} |
| 83 |
> + |
| 84 |
> + sign_binary_path="${KV_OUT_DIR}/scripts/sign-file" |
| 85 |
|
| 86 |
Yet another way to screw up modules building. It relies on some binary |
| 87 |
in the kernel build dir that may break after openssl update (e.g. |
| 88 |
soname change). |
Archives