From fdd2ff30a71c0a81efbad39b05ed2b500e687603 Mon Sep 17 00:00:00 2001 From: Bertrand Jacquin Date: Fri, 15 Aug 2014 16:15:47 +0200 Subject: eclass/linux-build: Implement CONFIG_MODULE_SIG --- eclass/linux-build.eclass | 105 +++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 104 insertions(+), 1 deletion(-) (limited to 'eclass') diff --git a/eclass/linux-build.eclass b/eclass/linux-build.eclass index 8661358b..69093ba1 100644 --- a/eclass/linux-build.eclass +++ b/eclass/linux-build.eclass @@ -21,7 +21,11 @@ ETYPE="sources" inherit savedconfig kernel-2 detect_version -EXPORT_FUNCTIONS src_prepare src_compile src_install pkg_postinst +EXPORT_FUNCTIONS pkg_setup src_prepare src_compile src_install pkg_postinst + +: ${LINUX_BUILD_MOD_SIG_DAYS:=3650} +: ${LINUX_BUILD_MOD_SIG_KEY_ALG:=rsa} +: ${LINUX_BUILD_MOD_SIG_KEY_SIZE:=4096} SLOT="${PV%.*}" @@ -71,6 +75,39 @@ _linux-build_configval() { esac } +_linux-build_pkg_setup-build() { + local _v + + for _v in "${PF}" "${P}" "${PN}" ; do + einfo "Checking existence of ${PORTAGE_CONFIGROOT%/}/etc/ssl/private/${_v}.{crt,key}" + + if [[ -e "${PORTAGE_CONFIGROOT}/etc/ssl/private/${_v}.crt" && + -e "${PORTAGE_CONFIGROOT}/etc/ssl/private/${_v}.key" ]] ; then + + mkdir -p "${T}/etc/ssl/private" + cp --preserve=mode,ownership \ + "${PORTAGE_CONFIGROOT}/etc/ssl/private/${_v}.crt" "${T}/etc/ssl/private/${PF}.crt" \ + || die "Failed to copy ${PORTAGE_CONFIGROOT%/}/etc/ssl/private/${_v}.crt" + cp --preserve=mode,ownership \ + "${PORTAGE_CONFIGROOT}/etc/ssl/private/${_v}.key" "${T}/etc/ssl/private/${PF}.key" \ + || die "Failed to copy ${PORTAGE_CONFIGROOT%/}/etc/ssl/private/${_v}.key" + + export _LINUX_BUILD_MOD_SIG_X509_PFX="${_v}" + eend 0 + + break + fi + + eend 1 + done +} + +linux-build_pkg_setup() { + kernel-2_pkg_setup + + use build && _linux-build_pkg_setup-build +} + _linux-build_src_prepare_build() { mkdir "${BUILDDIR}" 
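Review bot: The three new knobs `LINUX_BUILD_MOD_SIG_DAYS`, `LINUX_BUILD_MOD_SIG_KEY_ALG` and `LINUX_BUILD_MOD_SIG_KEY_SIZE` are introduced without the `# @ECLASS-VARIABLE:` / `# @DESCRIPTION:` header blocks eclasses normally carry, so a consumer has no documented way to learn they exist or what they feed. Their values are interpolated unvalidated into the `openssl req -days ... -newkey "${ALG}:${SIZE}"` call in a later hunk, and they only matter when no pre-existing pair is found, which is worth stating. Something like `# @ECLASS-VARIABLE: LINUX_BUILD_MOD_SIG_KEY_SIZE` / `# @DESCRIPTION: Size in bits of the module-signing key generated when no ${PF}.{crt,key} pair exists under /etc/ssl/private (default 4096).` for each would do; if only `rsa` is meaningful for CONFIG_MODULE_SIG on the kernels this eclass targets, say so on the KEY_ALG entry.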
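Review bot: In `_linux-build_pkg_setup-build` the pair is staged into `${T}` with `cp --preserve=mode,ownership`, but pkg_setup runs as root while the phases that later read `${T}/etc/ssl/private/${PF}.key` (the src_prepare copy and the kernel build that signs with it) run as the portage user when FEATURES=userpriv is active; a root-owned 0400 key, the very mode this eclass installs it with, would then be unreadable there. Either drop `ownership` from `--preserve` and chown the staged copy to the build user, or document that the pre-existing key must be readable by the build user. The existence check is `-e` only; `[[ -r ... && -r ... ]]` would surface an unreadable key at pkg_setup time instead of deep in the build. Separately, `eend 0` / `eend 1` are emitted without a matching `ebegin`, so the status markers appear after a plain `einfo` line; pairing them with `ebegin "Checking for ${_v} module-signing key pair"` is the conventional form.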
@@ -95,6 +132,64 @@ _linux-build_src_prepare_build() { _linux-build_configval FHANDLE || ewarn "CONFIG_FHANDLE is needed for >=sys-fs/udev-210" _linux-build_configval NET || ewarn "CONFIG_NET is needed for >=sys-fs/udev-210" + if _linux-build_configval MODULE_SIG ; then + if ! has_version "dev-libs/openssl" ; then + die "dev-libs/openssl is required for CONFIG_MODULE_SIG" + fi + + if ! _linux-build_configval MODULE_SIG_HASH ; then + die "CONFIG_MODULE_SIG_HASH must be defined when using CONFIG_MODULE_SIG" + fi + + if [[ -e "${T}/etc/ssl/private/${PF}.crt" && + -e "${T}/etc/ssl/private/${PF}.key" ]] ; then + + einfo "Use the following X509 pair for CONFIG_MODULE_SIG" + einfo " ${PORTAGE_CONFIGROOT%/}/etc/ssl/private/${_LINUX_BUILD_MOD_SIG_X509_PFX}.crt" + einfo " ${PORTAGE_CONFIGROOT%/}/etc/ssl/private/${_LINUX_BUILD_MOD_SIG_X509_PFX}.key" + + touch "${BUILDDIR}/x509.genkey" + cp --preserve=mode,ownership \ + "${T}/etc/ssl/private/${PF}.crt" "${BUILDDIR}/signing_key.x509" + cp --preserve=mode,ownership \ + "${T}/etc/ssl/private/${PF}.key" "${BUILDDIR}/signing_key.priv" + else + einfo "Generating X509 config" + cat > "${BUILDDIR}/x509.genkey" <<-EOF + [ req ] + prompt = no + distinguished_name = ${PF}_subj + x509_extensions = ${PF}_exts + + [ ${PF}_subj ] + O = as29 + CN = ${KBUILD_BUILD_HOST:-${HOSTNAME}} + emailAddress = ${KBUILD_BUILD_USER:-${PORTAGE_USERNAME}}@${KBUILD_BUILD_HOST:-${HOSTNAME}}" + + [ ${PF}_exts ] + basicConstraints=critical,CA:FALSE + keyUsage=digitalSignature + subjectKeyIdentifier=hash + authorityKeyIdentifier=keyid + EOF + + einfo "Generating X509 pair" + openssl req -x509 -nodes -batch \ + -days "${LINUX_BUILD_MOD_SIG_DAYS}" \ + -newkey "${LINUX_BUILD_MOD_SIG_KEY_ALG}:${LINUX_BUILD_MOD_SIG_KEY_SIZE}" \ + "-${CONFIG_MODULE_SIG_HASH}" \ + -outform DER \ + -config "${BUILDDIR}/x509.genkey" \ + -out "${BUILDDIR}/signing_key.x509" \ + -keyout "${BUILDDIR}/signing_key.priv" \ + || die "openssl req fail" + fi + + openssl x509 -inform DER -noout \ + 
-in "${BUILDDIR}/signing_key.x509" \ + -subject + fi + einfo "Checking configuration file" emake oldconfig "${myopt[@]}" < /dev/null @@ -208,6 +303,14 @@ _linux-build_src_install_build() { fi fi + if _linux-build_configval MODULE_SIG ; then + insinto /etc/ssl/private + newins "${BUILDDIR}/signing_key.x509" "${PF}.crt" + newins "${BUILDDIR}/signing_key.priv" "${PF}.key" + + fperms 0400 "/etc/ssl/private/${PF}.key" + fi + use savedconfig && save_config "${BUILDDIR}/.config" } -- cgit v1.2.3
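Review bot: The `emailAddress` line of the generated `x509.genkey` heredoc ends with a stray `"` (`...@${KBUILD_BUILD_HOST:-${HOSTNAME}}"`), so the quote becomes part of the DN value openssl writes into the certificate; drop it. The two `cp --preserve=mode,ownership` calls that stage the pre-existing pair into `${BUILDDIR}` have no `|| die`, unlike the same copies in pkg_setup, so a failed copy falls through to `openssl x509 -subject` on a missing file and the error points at the wrong step. `has_version "dev-libs/openssl"` at src_prepare time inspects what is installed under ${ROOT} rather than declaring a build-time requirement; a `DEPEND` on dev-libs/openssl is what the package manager can actually satisfy. `"-${CONFIG_MODULE_SIG_HASH}"` presumes `_linux-build_configval` leaves the bare value (without the .config quoting) in `CONFIG_MODULE_SIG_HASH`; that helper is not visible in this hunk, so worth confirming. The enclosing `_linux-build_src_prepare_build` starts before this hunk.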
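Review bot: `newins "${BUILDDIR}/signing_key.priv" "${PF}.key"` puts the module-signing private key into the package image, so it is captured in any binary package built from this ebuild and merged onto every host that installs it, while signing needs the key only at build time and verification needs only the certificate. Consider installing just `${PF}.crt` by default and gating the key install behind an explicit opt-in variable, or at minimum adding a comment above this block spelling out that the key is being shipped. `fperms 0400` protects the file but not the directory: `insinto /etc/ssl/private` creates it with the default 0755 if it does not already exist, so `fperms 0700 /etc/ssl/private` keeps the listing private as well (harmless when the directory already exists with a stricter mode). Note also that newins copies the key into ${D} at the default mode before fperms narrows it; inside the sandbox that window is benign, but it is the reason the explicit fperms must stay.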