{gentoo,vanilla}-kernel: build with signed modules

Nowa-Ammerlaan · mgorny · commit 053977aa9be2 · 2023-08-26T06:52:16.000+02:00
Disable enforcing of signatures by default. Leave this up to the kernel command line or secureboot status. This ensures gentoo-kernel-bin doesn't suddenly fail to load third-party modules unless signatures are explicitly enforced by the user. Also add a .gitignore to prevent committing local files. Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org> Closes: #2 Signed-off-by: Michał Górny <mgorny@gentoo.org>
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,3 @@
+signing_key.pem
+localconfig.bash
+local.diff
diff --git a/Dockerfile b/Dockerfile
@@ -3,7 +3,7 @@ ARG BASE
 FROM ${BASE}
 
 CMD cp -a /var/cache/binpkgs /tmp/binpkg \
- && FEATURES=test emerge -1vB ${PKG} \
+ && FEATURES=test MODULES_SIGN_KEY="/tmp/signing_key.pem" emerge -1vB ${PKG} \
  && emerge -1vk ${PKG} \
  && rsync -av --checksum /tmp/binpkg/. /var/cache/binpkgs/ \
  && { [[ -z ${POST_PKGS} ]] || emerge -1vt --keep-going=y --jobs ${POST_PKGS}; }
diff --git a/Dockerfile.deps b/Dockerfile.deps
@@ -11,6 +11,8 @@ ARG LDFLAGS
 
 COPY package.accept_keywords /etc/portage/package.accept_keywords/local
 COPY package.use /etc/portage/package.use/local
+COPY kernel-configd /etc/kernel/config.d/local.config
+COPY signing_key.pem /tmp/signing_key.pem
 RUN printf '\nCFLAGS="%s"\nCXXFLAGS="%s"\nLDFLAGS="%s"\nBINPKG_COMPRESS="xz"\nBINPKG_COMPRESS_FLAGS="-T1 -9"\nFEATURES="${FEATURES} -sandbox -usersandbox -cgroup binpkg-multi-instance -binpkg-docompress -binpkg-dostrip"\nACCEPT_LICENSE="*"\nPKGDIR="/tmp/binpkg"\nBINPKG_FORMAT="gpkg"\n' "${CFLAGS}" "${CFLAGS}" "${LDFLAGS}" >> /etc/portage/make.conf \
  && { [[ -z ${DEPS} ]] || emerge -1vt --jobs ${DEPS}; } \
  && emerge --info \
diff --git a/build.bash b/build.bash
@@ -32,6 +32,7 @@ export_vars() {
 					virtual/libelf
 					sys-devel/bc
 					app-emulation/qemu
+					dev-libs/openssl
 					dev-tcltk/expect
 					sys-kernel/dracut
 					net-misc/openssh
diff --git a/kernel-configd b/kernel-configd
@@ -0,0 +1,3 @@
+## Leave this up to the user, can be enabled with
+## module.sig_enforce=1 or by enabling secureboot.
+# CONFIG_MODULE_SIG_FORCE is not set
diff --git a/package.use b/package.use
@@ -11,9 +11,9 @@ app-emulation/qemu -aio -caps -filecaps -jpeg -ncurses -png -vhost-net -vnc -xat
 #dev-python/cryptography PYTHON_TARGETS: pypy3
 
 # for kernel testing
-sys-kernel/gentoo-kernel test -strip
+sys-kernel/gentoo-kernel modules-sign test
 sys-kernel/gentoo-kernel-bin test
-sys-kernel/vanilla-kernel test -strip
+sys-kernel/vanilla-kernel modules-sign test
 sys-kernel/vanilla-kernel-bin test
 app-crypt/tpm-emulator modules
 dev-util/sysdig modules

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+signing_key.pem`
	`2`	`+localconfig.bash`
	`3`	`+local.diff`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+## Leave this up to the user, can be enabled with`
	`2`	`+## module.sig_enforce=1 or by enabling secureboot.`
	`3`	`+# CONFIG_MODULE_SIG_FORCE is not set`