author Nowa Ammerlaan <nowa@gentoo.org> 2024-12-23 18:31:08 +0100
committer Michał Górny <mgorny@gentoo.org> 2025-01-02 18:08:27 +0100
commit fde53f23bb5aceee88ca188ffcfb522ffc6b419d
tree 2c44db1ef57b69e3ab9af6327563f2ee7aa575cf /eclass/kernel-install.eclass
parent virtual/dist-kernel: Bump to 6.1.123
kernel-{build,install}.eclass: create multi-profile generic UKIs
systemd 257's ukify gains the ability to specify multiple "profiles" for an UKI. This allows us to finally solve Bug 921195, which made it impossible to simultaneously enforce verification of the kernel image (secureboot) and enforce verification of the kernel modules (lockdown=integrity).

We also add a profile for "quiet splash", and change KERNEL_GENERIC_UKI_CMDLINE to add another profile instead of overwriting the built-in kernel cmdline.

To support splash we add the plymouth and drm dracut modules but omit the drm kernel modules that pull in huge firmware files. This will result in a less visually smooth boot, but significantly decreases the size of the image.

Ukify can now also pass on the signing engine argument to systemd-measure which enables the usage of pkcs11 uri's for measured boot.

Minimal version of systemd for USE=generic-uki is bumped to 257.

Closes: https://bugs.gentoo.org/921195
Signed-off-by: Nowa Ammerlaan <nowa@gentoo.org>
Signed-off-by: Michał Górny <mgorny@gentoo.org>
Diffstat (limited to 'eclass/kernel-install.eclass')
-rw-r--r-- eclass/kernel-install.eclass 6
1 files changed, 4 insertions, 2 deletions
diff --git a/eclass/kernel-install.eclass b/eclass/kernel-install.eclass
index a341dd9426ff..5b4f3b096c41 100644
--- a/eclass/kernel-install.eclass
+++ b/eclass/kernel-install.eclass
@@ -1,4 +1,4 @@
-# Copyright 2020-2024 Gentoo Authors
+# Copyright 2020-2025 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
# @ECLASS: kernel-install.eclass
@@ -162,9 +162,10 @@ if [[ ${KERNEL_IUSE_GENERIC_UKI} ]]; then
["sys-apps/rng-tools"]="GPL-2"
["sys-apps/sed"]="GPL-3+"
["sys-apps/shadow"]="BSD GPL-2"
- ["sys-apps/systemd[boot(-),cryptsetup,pkcs11,policykit,tpm,ukify(-)]"]="GPL-2 LGPL-2.1 MIT public-domain"
+ [">=sys-apps/systemd-257[boot(-),cryptsetup,pkcs11,policykit,tpm,ukify(-)]"]="GPL-2 LGPL-2.1 MIT public-domain"
["sys-apps/util-linux"]="GPL-2 GPL-3 LGPL-2.1 BSD-4 MIT public-domain"
["sys-auth/polkit"]="LGPL-2"
+ ["sys-boot/plymouth[drm,systemd(+),udev]"]="GPL-2+"
["sys-block/nbd"]="GPL-2"
["sys-devel/gcc"]="GPL-3+ LGPL-3+ || ( GPL-3+ libgcc libstdc++ gcc-runtime-library-exception-3.1 ) FDL-1.3+"
["sys-fs/btrfs-progs"]="GPL-2"
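Review bot: The new lower bound in the `>=sys-apps/systemd-257[...]` key has no comment in the eclass saying why 257 is required; the reason (multi-profile support in ukify) is only in the commit message. A one-line comment above the entry would keep the bound from being dropped or left stale later. Separately, the added plymouth key uses `systemd(+)` while the systemd key uses `boot(-)` and `ukify(-)`; it is worth confirming that the `(+)` default is intended, since it lets a plymouth version without that flag satisfy the entry.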
@@ -190,6 +191,7 @@ if [[ ${KERNEL_IUSE_GENERIC_UKI} ]]; then
["sys-libs/readline"]="GPL-3+"
["sys-libs/zlib"]="ZLIB"
["sys-process/procps"]="GPL-2+ LGPL-2+ LGPL-2.1+"
+ ["x11-libs/libdrm"]="MIT"
["amd64? ( sys-firmware/intel-microcode )"]="amd64? ( intel-ucode )"
["x86? ( sys-firmware/intel-microcode )"]="x86? ( intel-ucode )"
)
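Review bot: The added `["x11-libs/libdrm"]="MIT"` entry has nothing tying it to the `sys-boot/plymouth[drm,systemd(+),udev]` entry added in the previous hunk, although the commit message indicates both are there for splash support. A short comment noting that libdrm is listed because of plymouth's drm support would make it clear that the two entries should be changed or removed together.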