From a8f563fdf9d9db948e5db5ee4a7f74e2e6cb244a Mon Sep 17 00:00:00 2001
From: Bertrand Jacquin
Date: Sun, 7 Nov 2021 20:59:45 +0000
Subject: eclass/linux-build: add support for MODULE_SIG_KEY_TYPE_ECDSA

New to 5.15
---
 eclass/linux-build.eclass | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)
(limited to 'eclass')
diff --git a/eclass/linux-build.eclass b/eclass/linux-build.eclass
index e5b468bf..16afc6e6 100644
--- a/eclass/linux-build.eclass
+++ b/eclass/linux-build.eclass
@@ -25,8 +25,8 @@ detect_version
 EXPORT_FUNCTIONS pkg_pretend pkg_setup src_prepare src_compile src_install pkg_postinst
 : ${LINUX_BUILD_MOD_SIG_DAYS:=365}
-: ${LINUX_BUILD_MOD_SIG_KEY_ALG:=rsa}
-: ${LINUX_BUILD_MOD_SIG_KEY_SIZE:=2048}
+: ${LINUX_BUILD_MOD_SIG_RSA_KEY_SIZE:=2048}
+: ${LINUX_BUILD_MOD_SIG_ECC_KEY_CURVE:=secp384r1}
 SLOT="${PV%.*}"
@@ -389,6 +389,9 @@ _linux-build_src_prepare_build() {
 fi
 if _linux-build_configval MODULE_SIG ; then
+ local _OPENSSL_REQ_ALGORITHM
+ local _OPENSSL_REQ_PKEYOPT
+
 if ! has_version --host-root "dev-libs/openssl" ; then
 die "dev-libs/openssl is required for CONFIG_MODULE_SIG"
 fi
@@ -397,6 +400,14 @@ _linux-build_src_prepare_build() {
 die "CONFIG_MODULE_SIG_HASH must be defined when using CONFIG_MODULE_SIG"
 fi
+ if _linux-build_configval MODULE_SIG_KEY_TYPE_ECDSA ; then
+ _OPENSSL_REQ_ALGORITHM="ec"
+ _OPENSSL_REQ_PKEYOPT="ec_paramgen_curve:${LINUX_BUILD_MOD_SIG_ECC_KEY_CURVE}"
+ else
+ _OPENSSL_REQ_ALGORITHM="rsa"
+ _OPENSSL_REQ_PKEYOPT="rsa_keygen_bits:${LINUX_BUILD_MOD_SIG_RSA_KEY_SIZE}"
+ fi
+
 mkdir "${BUILDDIR}/certs"
 if [[ -e "${T}/certs/signing_key.pem" ]] ; then
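Review bot: Dropping `LINUX_BUILD_MOD_SIG_KEY_SIZE` in the `@@ -25,8 +25,8 @@` hunk silently downgrades anyone who had raised it: a configuration that sets `LINUX_BUILD_MOD_SIG_KEY_SIZE=4096` is now ignored, and the module-signing key falls back to 2048-bit RSA with no message. I would keep the old name as a fallback, `: ${LINUX_BUILD_MOD_SIG_RSA_KEY_SIZE:=${LINUX_BUILD_MOD_SIG_KEY_SIZE:-2048}}`, or at least emit an `ewarn` when either old variable is still set. The same silent drop applies to `LINUX_BUILD_MOD_SIG_KEY_ALG`, whose role is now taken by the kernel config lookup.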
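Review bot: Both user-settable values reach `-pkeyopt` unvalidated in the `@@ -397,6 +400,14 @@` hunk, so a typo or a weak choice is caught only by openssl, if at all. In the ECDSA branch, the kernel help text for this option describes a NIST P-384 key as far as I know, so a curve other than the `secp384r1` default may produce a key the kernel cannot use. In the RSA branch nothing stops a small `LINUX_BUILD_MOD_SIG_RSA_KEY_SIZE`. A guard before the assignment would make the failure explicit, e.g. `[[ ${LINUX_BUILD_MOD_SIG_RSA_KEY_SIZE} -ge 2048 ]] || die "RSA module signing key must be at least 2048 bits"`, together with a comment beside the curve default saying which curves the targeted kernels accept. The enclosing function starts and ends outside the hunk.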
@@ -424,10 +435,11 @@ _linux-build_src_prepare_build() {
 authorityKeyIdentifier=keyid
 EOF
- einfo "Generating x509 ${LINUX_BUILD_MOD_SIG_KEY_ALG} ${LINUX_BUILD_MOD_SIG_KEY_SIZE} / ${CONFIG_MODULE_SIG_HASH} pair"
+ einfo "Generating x509 ${_OPENSSL_REQ_ALGORITHM} pair with ${_OPENSSL_REQ_PKEYOPT} and ${CONFIG_MODULE_SIG_HASH}"
 openssl req -x509 -nodes -batch \
 -days "${LINUX_BUILD_MOD_SIG_DAYS}" \
- -newkey "${LINUX_BUILD_MOD_SIG_KEY_ALG}:${LINUX_BUILD_MOD_SIG_KEY_SIZE}" \
+ -newkey "${_OPENSSL_REQ_ALGORITHM}" \
+ -pkeyopt "${_OPENSSL_REQ_PKEYOPT}" \
 "-${CONFIG_MODULE_SIG_HASH}" \
 -outform PEM \
 -config "${BUILDDIR}/certs/x509.genkey" \
--
cgit v1.2.3
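Review bot: The reason for moving the key parameters from `-newkey alg:bits` to `-pkeyopt` is not recorded next to the `openssl req` call in the `@@ -424,10 +435,11 @@` hunk. A one-line comment above the command, such as `# -newkey carries only the algorithm; size or curve goes through -pkeyopt so RSA and EC share one call`, would spare the next reader a trip to the man page. The command continues past the end of the hunk, so whether its failure is handled with `|| die`, and where the unencrypted (`-nodes`) private key is written, cannot be checked from here.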