| Commit message | Author | Age | Files | Lines |
The kernel build system supports generating a new module signing key if the
CONFIG_MODULE_SIG_KEY is set to the default value (MODULES_SIGN_KEY is not set)
and no key exists at that default location.
This results in the unfortunate situation where private key material ends up
in generated binary packages. That is almost never what you want since binary
packages are usually readable by regular users. To avoid this we move the key
out of the ED in the install phase, and move it back in the preinst phase after
the binary package has been built.
This also means that when distributing built binary packages to other systems
the signing key will now never be installed onto all those other systems, which
is probably what you want anyway.
Note, there is no change for folks who use externally managed keys, i.e. for
everyone who has MODULES_SIGN_KEY, MODULE_SIGN_CERT set.
Signed-off-by: Nowa Ammerlaan <nowa@gentoo.org>
Closes: https://github.com/gentoo/gentoo/pull/40017
Signed-off-by: Nowa Ammerlaan <nowa@gentoo.org>
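The leak this message describes can be checked for after the fact. The shell functions below are an added example, not code from kernel-build.eclass or the Gentoo tree: they read CONFIG_MODULE_SIG_KEY from a .config to see whether kbuild was left to generate its own key (kbuild's in-tree default is certs/signing_key.pem), then scan a kernel build tree or an unpacked binary package for PEM private-key material and flag any such file that is world-readable. The directory layout and config lines used in the check are constructed for the example.

```sh
#!/bin/sh
# Added example, not code from kernel-build.eclass: audit a kernel build tree (or an
# unpacked binary package) for private key material that kbuild's own signing-key
# generation may have left behind. The tree used in the test is constructed.

# module_sig_key_is_default <.config>
# Returns 0 when CONFIG_MODULE_SIG_KEY is unset or still points at kbuild's in-tree
# default "certs/signing_key.pem", i.e. when kbuild would generate a key inside the tree.
module_sig_key_is_default() {
    config=$1
    value=$(sed -n 's/^CONFIG_MODULE_SIG_KEY="\(.*\)"$/\1/p' "$config")
    [ -z "$value" ] || [ "$value" = "certs/signing_key.pem" ]
}

# find_private_keys <dir>
# Lists every text file under <dir> that carries a PEM private-key header.
# (-I skips binaries such as vmlinux and .ko files; no match is not an error here.)
find_private_keys() {
    grep -rlI -e '-----BEGIN .*PRIVATE KEY-----' "$1" 2>/dev/null || true
}

# audit_kernel_tree <dir>
# Prints one finding per line and returns 1 when private key material is present.
# Expects the .config at <dir>/.config, where kbuild leaves it after a build.
audit_kernel_tree() {
    dir=$1
    status=0
    if [ -f "$dir/.config" ] && module_sig_key_is_default "$dir/.config"; then
        echo "note: CONFIG_MODULE_SIG_KEY is the in-tree default; kbuild may have generated a key"
    fi
    # Word-splitting on the result is fine for kbuild trees (no spaces in paths).
    for key in $(find_private_keys "$dir"); do
        echo "private key material: $key"
        # A leaked key is bad on its own; one readable by every user is worse.
        if [ -n "$(find "$key" -perm -004)" ]; then
            echo "world-readable: $key"
        fi
        status=1
    done
    return $status
}
```

Run it against the build directory before packaging, or against the unpacked package tree afterwards; a non-zero exit means the package carries a key that every user of that binary would receive.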
If no keys are set, secureboot.eclass now inherits linux-info.eclass to check
for potential key candidates in the kernel config. This would set KV_FULL
and create a mess later on in the configure phase. Ensure that KV_FULL remains
local to the setup phase specifically for the kernel packages.
Signed-off-by: Nowa Ammerlaan <nowa@gentoo.org>
We still need the call to openssl to ensure that we don't accidentally append
the key itself to the UKI.
Signed-off-by: Nowa Ammerlaan <nowa@gentoo.org>
systemd 257's ukify gains the ability to specify multiple "profiles" for a
UKI. This allows us to finally solve Bug 921195, which made it impossible to
simultaneously enforce verification of the kernel image (secureboot) and
enforce verification of the kernel modules (lockdown=integrity).
We also add a profile for "quiet splash", and change KERNEL_GENERIC_UKI_CMDLINE
to add another profile instead of overwriting the built-in kernel cmdline. To
support splash we add the plymouth and drm dracut modules but omit the drm
kernel modules that pull in huge firmware files. This will result in a less
visually smooth boot, but significantly decreases the size of the image.
Ukify can now also pass on the signing engine argument to systemd-measure
which enables the usage of pkcs11 URIs for measured boot.
Minimal version of systemd for USE=generic-uki is bumped to 257.
Closes: https://bugs.gentoo.org/921195
Signed-off-by: Nowa Ammerlaan <nowa@gentoo.org>
Signed-off-by: Michał Górny <mgorny@gentoo.org>
Upstream commit [1] introduces several changes to the way module compression is
configured. To summarize:
- CONFIG_MODULE_COMPRESS_NONE is renamed to CONFIG_MODULE_COMPRESS and moved up;
this (and CONFIG_MODULE_COMPRESS_<type>) controls support for module
compression.
- A new switch CONFIG_MODULE_COMPRESS_ALL is introduced to control whether the
modules are actually compressed when running make modules_install.
This change introduced several problems that are fixed here:
- CONFIG_MODULE_COMPRESS is not implicitly enabled by setting
CONFIG_MODULE_COMPRESS_XZ=y in the same way that CONFIG_MODULE_COMPRESS_NONE
was previously implicitly disabled by enabling the xz compression. Fixed by
explicitly enabling these options.
- The dist-kernel_get_module_suffix() function did not recognize the renamed
option which caused the 'compressor not known' error in some configurations.
Fixed by adding another condition to the elif statement in this function.
Furthermore, we now also set the switch CONFIG_MODULE_COMPRESS_ALL based on the
state of the "modules-compress" USE flag. This technically makes the "suffix-y"
override unnecessary for the >=6.12 kernels, but it does no harm so let's keep
that as it is and not add a new version conditional here.
[1] https://github.com/torvalds/linux/commit/c7ff693fa2094ba0a9d0a20feb4ab1658eff9c33
Signed-off-by: Nowa Ammerlaan <nowa@gentoo.org>
Closes: https://github.com/gentoo/gentoo/pull/39609
Signed-off-by: Nowa Ammerlaan <nowa@gentoo.org>
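As an added example (my own reimplementation, not the eclass's dist-kernel_get_module_suffix()), the shell function below derives the installed module suffix from a .config under both layouts this message describes: the older one keyed on CONFIG_MODULE_COMPRESS_NONE, and the >=6.12 one where CONFIG_MODULE_COMPRESS gates support and CONFIG_MODULE_COMPRESS_ALL decides whether modules_install compresses anything at all. It deliberately fails on the inconsistent case that produced the 'compressor not known' error. The config fragments it is exercised with are constructed.

```sh
#!/bin/sh
# Added example, not the eclass's own function: map a kernel .config to the suffix
# that 'make modules_install' will give the module files. Handles the pre-6.12
# options (CONFIG_MODULE_COMPRESS_NONE) and the renamed >=6.12 ones
# (CONFIG_MODULE_COMPRESS, CONFIG_MODULE_COMPRESS_ALL) from the commit message.

# config_enabled <.config> <CONFIG_NAME>: 0 when the option is =y
config_enabled() {
    grep -q "^$2=y\$" "$1"
}

# module_suffix <.config>
# Prints .ko, .ko.gz, .ko.xz or .ko.zst. Prints nothing and returns 1 when a
# compressed install is implied but no compressor is selected ("compressor not known").
module_suffix() {
    config=$1
    # Pre-6.12 layout: MODULE_COMPRESS_NONE=y means modules stay uncompressed.
    if config_enabled "$config" CONFIG_MODULE_COMPRESS_NONE; then
        echo .ko
        return 0
    fi
    if ! grep -q 'CONFIG_MODULE_COMPRESS_NONE' "$config"; then
        # >=6.12 layout: CONFIG_MODULE_COMPRESS gates support for compressed modules,
        # CONFIG_MODULE_COMPRESS_ALL gates whether modules_install compresses them.
        # Either one off means the installed files are plain .ko.
        if ! config_enabled "$config" CONFIG_MODULE_COMPRESS ||
           ! config_enabled "$config" CONFIG_MODULE_COMPRESS_ALL; then
            echo .ko
            return 0
        fi
    fi
    # Compression is in effect; exactly one compressor should be selected.
    if config_enabled "$config" CONFIG_MODULE_COMPRESS_GZIP; then
        echo .ko.gz
    elif config_enabled "$config" CONFIG_MODULE_COMPRESS_XZ; then
        echo .ko.xz
    elif config_enabled "$config" CONFIG_MODULE_COMPRESS_ZSTD; then
        echo .ko.zst
    else
        echo "compressor not known" >&2
        return 1
    fi
}
```

The >=6.12 branch is where the eclass had to change: a config that selects CONFIG_MODULE_COMPRESS_XZ=y but leaves CONFIG_MODULE_COMPRESS_ALL off installs uncompressed modules, so anything computing the suffix from the compressor alone would look for .ko.xz files that do not exist.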
Systemd's kernel-install hooks expect it here or in the firmware directory. We
need to find it for building UKIs and registering BLS type 1 entries. Fedora
and Arch also install the dtb files here.
If it is needed in /boot then it is probably a better idea to delegate that
task to /sbin/installkernel anyway. That way the part of the emerge that writes
to /boot is contained to only the postinst and config phases and makes it
possible to re-try this via emerge --config ... .
Closes: https://bugs.gentoo.org/945072
Signed-off-by: Nowa Ammerlaan <nowa@gentoo.org>
Closes: https://github.com/gentoo/gentoo/pull/39486
Signed-off-by: Nowa Ammerlaan <nowa@gentoo.org>
Users setting up kernel module signing are instructed by our and upstream
documentation to use the kernel's x509.genkey config file. This ensures that
a supported key is generated.
However, in the current situation users will first have to emerge
gentoo-sources or similar to actually get this genkey file. This is inconvenient
so let's just install the genkey config file in our dist-kernels.
There are also some other tools, scripts, and lists that may be useful, so while
we are changing this anyway let's just install all of those as well and in the
process simplify the code.
Signed-off-by: Nowa Ammerlaan <andrewammerlaan@gentoo.org>
Closes: https://github.com/gentoo/gentoo/pull/37652
Signed-off-by: David Seifert <soap@gentoo.org>
Signed-off-by: David Seifert <soap@gentoo.org>
Fixes: c3f4e3f788e2d5973ce49293fe20354b20576426
Signed-off-by: Sam James <sam@gentoo.org>
Workaround for install + ctf_install not working in parallel for now
(have reported this).
Signed-off-by: Sam James <sam@gentoo.org>
Fixes: 983fe336a7571f822655c25e0785f067de80c64c
Signed-off-by: Sam James <sam@gentoo.org>
Signed-off-by: Michał Górny <mgorny@gentoo.org>
As suggested by Andrew at https://github.com/gentoo/gentoo/pull/38392#discussion_r1741574357.
Signed-off-by: Sam James <sam@gentoo.org>
genpatches will soon be adding optional CTF debug information support
via a patch. If it's enabled, we need to call a few special make targets
to create and install the CTF information. We also need to avoid stripping
the CTF archive.
Signed-off-by: Sam James <sam@gentoo.org>
Some config options (that we enable by default, e.g. CONFIG_CRYPTO_POLY1305)
cause perl scripts to be run during the build.
Closes: https://bugs.gentoo.org/930390
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
kernel-build_merge_configs should always be called first nowadays
because it applies the savedconfig.
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Closes: https://github.com/gentoo/gentoo/pull/38345
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
MODULES_SIGN_KEY may be unset when using USE=modules-sign. Fix an issue
introduced in e290c3c78b7acb59393f46d1d15175d6dbfc77da that breaks this
configuration due to modules-sign-key.config not existing.
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Closes: https://github.com/gentoo/gentoo/pull/38287
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Signed-off-by: Michał Górny <mgorny@gentoo.org>
Move applying savedconfig from src_configure() into
kernel-build_merge_configs(), in order to make it possible to override
saved config options. Previously, the saved config would
unconditionally overwrite everything, which could be anywhere between
inconvenient and plain broken (particularly if savedconfig contained
signing key paths referring to ${T}).
The new logic applies saved config via merge method, on top
of the default config along with ebuild and eclass overrides. However,
MODULES_SIGN_KEY* and user config snippets do override saved config
for convenience.
Closes: https://bugs.gentoo.org/938130
Signed-off-by: Michał Górny <mgorny@gentoo.org>
This was merged with KERNEL_IUSE_MODULES_SIGN in
a42e98431e7538eadaee1df2b90f0e3174b22341, but this one was missed.
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Building on llvm profiles is problematic if toolchain variables are not properly
set. So set HOSTLD and HOSTAR to match at least the kernel's own LLVM=1 variable
to ensure a smoother build for end users.
For example an unset HOSTLD causes issues as it defaults to GNU ld
otherwise.
https://docs.kernel.org/kbuild/llvm.html#the-llvm-argument
Signed-off-by: Alfred Wingate <parona@protonmail.com>
Closes: https://github.com/gentoo/gentoo/pull/37690
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
For module-less kernels 'make modules_prepare' does nothing, we only get
kernel.release after running src_compile. Luckily the kernel has the
"kernelrelease" target which we can use for this purpose.
Note, in kernel-install.eclass we still read the kernel release directly from
the file since a) kernel.release will always exist and b) calling make there
again would require duplicating (some subset of) ${MAKEARGS[@]}.
The "make help" page specifies that this target should be called with "-s".
The version check is moved up, before 'make modules_prepare' so we quit earlier
if the KV_FULL is wrong. Note it should be run after we have completed the
config in 'make olddefconfig'.
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Closes: https://github.com/gentoo/gentoo/pull/37694
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
The kernel's 'make rpm-pkg' and 'make deb-pkg' install the config
and System.map into the modules directory for easy access. Let's
do the same here so our gpkgs are more symmetric to rpms and
debs and tools that look for these files there can find them.
This also provides an easy location for the user to access the
config. Considering that /boot/config-x.y.z does not always
exist (the config installation via /sbin/installkernel depends
on layout and +/-systemd configuration).
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Closes: https://github.com/gentoo/gentoo/pull/37684
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
The kernel build system generates a key if none is set, so don't check anything
if the key is unset.
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Bug: https://bugs.gentoo.org/936402
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Closes: https://github.com/gentoo/gentoo/pull/37640
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Bug: https://bugs.gentoo.org/936402
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Fixes: da6193c02d0f (...make kernel install paths match release)
Signed-off-by: Michał Górny <mgorny@gentoo.org>
We want to ensure all our installed directories are consistent and
match the kernel's own idea of its release version. Do an extra
sanity check to ensure that KV_FULL is indeed what it is supposed
to be, and bail out if it isn't.
Signed-off-by: James Calligeros <jcalligeros99@gmail.com>
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Previously, this was only checked by kernel-install_pkg_preinst(). This
means that the entire kernel would have to be built and stripped before
we knew if we had built the correct kernel or not.
Duplicate this check in kernel-build_src_configure() so that we don't waste
time and energy building an incorrectly-versioned kernel.
Signed-off-by: James Calligeros <jcalligeros99@gmail.com>
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
dist-kernel releases are required to match the package's version, with
'_' substituted for '-' as per kernel release format rules. Curiously,
we made no such substitution on the kernel install directory names.
The consequence of this is that Catalyst has technically only been
working with dist-kernels by pure coincidence - it had never been tested
with kernels containing '_' in ${PV}. When attempting to build install
media for the Gentoo Asahi project, which necessitates using kernels
versioned with '_p*', Catalyst's call to Dracut's --kver argument
passes in the name of the source directory while Dracut expects
the kernel release (module directory).
Make sure that all directories installed by the kernel match the
kernel's own idea of its version exactly. This fixes Catalyst and
makes directories like /usr/src/linux-* consistent with /lib/modules.
For compatibility with existing bin kernels, KV_FULL will be
set to ${PV}${KV_LOCALVERSION} in kernel-install.eclass if it
has not been explicitly set elsewhere.
Signed-off-by: James Calligeros <jcalligeros99@gmail.com>
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
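The messages above about the kernelrelease target, the sanity check moved into src_configure, and the '_' to '-' mapping all describe one check. As an added example, not the eclass's own code, the shell functions below build the expected KV_FULL from ${PV} and ${KV_LOCALVERSION}, read the release kbuild recorded in include/config/kernel.release (the file kernel-install.eclass reads, per the earlier message), and compare the two so a build can bail out before any compilation. A helper that asks kbuild directly with make -s kernelrelease is included but needs a real source tree. The version strings and the fake tree used to exercise it are constructed; the mapping of '_' in ${PV} to '-' in the release is taken from the message.

```sh
#!/bin/sh
# Added example, not kernel-build.eclass code: compare the release a dist-kernel
# ebuild expects with the release kbuild actually produced. Sample values are constructed.

# expected_release <PV> <KV_LOCALVERSION>
# Gentoo versions spell suffixes with '_' (6.6.0_p3); kernel releases use '-' (6.6.0-p3).
# The commit message above requires the two to match after this substitution.
expected_release() {
    printf '%s%s\n' "$1" "$2" | tr '_' '-'
}

# recorded_release <source-dir>
# Reads include/config/kernel.release, which kbuild writes during configuration and
# which always exists once the tree has been built.
recorded_release() {
    tr -d '\n' < "$1/include/config/kernel.release"
}

# kbuild_release <source-dir>
# The alternative for module-less kernels: ask kbuild itself. 'make help' says this
# target wants -s, which also suppresses the directory-change chatter from -C.
# Not exercised by the test, since it needs a real kernel source tree.
kbuild_release() {
    make -s -C "$1" kernelrelease
}

# check_release <PV> <KV_LOCALVERSION> <source-dir>
# Returns 0 when the tree's release matches the expected KV_FULL, otherwise prints
# a message and returns 1, so the build stops before time is spent on a mismatched kernel.
check_release() {
    want=$(expected_release "$1" "$2")
    have=$(recorded_release "$3")
    if [ "$want" != "$have" ]; then
        echo "KV_FULL mismatch: expected $want, kernel says $have" >&2
        return 1
    fi
}
```

A mismatch here usually means a local patch or LOCALVERSION setting changed the release kbuild computes; fixing that early matters because every installed directory name (modules, headers, the dist-kernel source link) is derived from the same string.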
Signed-off-by: Michał Górny <mgorny@gentoo.org>
Many, many, new users at some point make the mistake of running "make ...."
in the source directory of a distribution kernel.
This returns a vague error due to the absence of the kernel source files:
make[2]: *** No rule to make target 'arch/x86/entry/syscalls/syscall_32.tbl', needed by 'arch/x86/include/generated/uapi/asm/unistd_32.h'. Stop.
make[1]: *** [arch/x86/Makefile:248: archheaders] Error 2
make: *** [Makefile:234: __sub-make] Error 2
Here we append to the kernel Makefile a warning that should make it more clear
what is going wrong. "$(shell [ -t 0 ] && echo 1)" is a trick to show this
warning when a user is executing "make" from their shell, but not when they are
compiling out-of-tree kernel modules (which is the reason we need to install
these makefiles to begin with).
We also add a "dist-kernel" file containing the package atom of the ebuild that
installed this kernel. This makes it possible for ebuilds/eclasses or whatever
other tools to check if a kernel is a Gentoo distribution kernel. This
identifier will be overwritten in gentoo-kernel-bin.ebuild.
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Some other distributions install (a symlink to) the kernel
image here. Tools such as 'kernel-install list',
'kernel-install inspect', dracut and ukify look for the kernel
image here. So let's install this symlink to make manual
invocation of dracut and ukify a bit easier, as well as
make it possible to use other kernel-install features
such as list, inspect and add-all.
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
This reverts commit 486f12612d840bf4efbd324afdab59a98dd27fce. Note that
it appears to have been wrong for yacc for quite a while, as we previously
depended on virtual/yacc, even though the kernel looks for bison...
GNU Bison is at least needed, unclear about flex vs reflex, but let's
say flex for now as the kernel docs say it (most of the time, reflex does
work in place of flex, but not checked so let's be safe).
Closes: https://bugs.gentoo.org/922823
Signed-off-by: Sam James <sam@gentoo.org>
All of these will be using app-alternatives/lex anyway as they're not unsetting
YACC or LEX, so make the dep reflect reality.
(Included both YACC and LEX out of conservatism.)
Signed-off-by: Sam James <sam@gentoo.org>
All of these will be using app-alternatives/cpio anyway as they're not calling
gcpio, so make the dep reflect reality.
Signed-off-by: Sam James <sam@gentoo.org>
All of these will be using app-alternatives/bc anyway as they're not calling
bc-reference, so make the dep reflect reality.
Signed-off-by: Sam James <sam@gentoo.org>
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Because we drop the generation of the initrd/uki here,
we can remove KERNEL_IUSE_SECUREBOOT since this is now
exactly the same as KERNEL_IUSE_MODULES_SIGN.
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Signed-off-by: Michał Górny <mgorny@gentoo.org>
plymouth pulls in drm, and drm includes all gpu drivers and their firmware;
especially the firmware files are very big. The whole thing costs us
15M on each initrd, and therefore gpkg. Also exclude the netronome
drivers; these also have ridiculously large firmware files.
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Signed-off-by: Michał Górny <mgorny@gentoo.org>
When KERNEL_IUSE_GENERIC_UKI is set (to gatekeep for new ebuilds),
enable XZ module compression in kernel and add IUSE=module-compress.
When the flag is enabled, the modules are installed .xz compressed
per the config. When it is disabled, they are installed uncompressed
but the kernel retains module compression support.
Signed-off-by: Michał Górny <mgorny@gentoo.org>
Some basic benchmarks:
-rw------- 1 root root 103494321 Dec 24 11:10 bzip2
-rw------- 1 root root 112179814 Dec 24 11:02 gzip-nostrip
-rw------- 1 root root 112179814 Dec 24 11:06 gzip-strip
-rw------- 1 root root 112179814 Dec 24 11:08 gzip-strip-aggressive
-rw------- 1 root root 130847597 Dec 24 11:19 lz4
-rw------- 1 root root 66948253 Dec 24 11:13 lzma
-rw------- 1 root root 124285638 Dec 24 11:18 lzop
-rw------- 1 root root 80242444 Dec 24 11:14 xz
-rw------- 1 root root 66744036 Dec 24 11:59 xz-9e--check
-rw------- 1 root root 85917687 Dec 24 11:20 zstd
Strip does nothing, which makes sense since portage already did this.
xz is our size champion so pick this one to compress our initrd.
With this change the generic UKI is: 82515840, versus
my own hostonly UKI of the same kernel version: 29390720.
Which is still 2.8 times larger, but significantly better than the 5 times
larger we had before!
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Closes: https://github.com/gentoo/gentoo/pull/34024
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
- optionally build a generic unified kernel image
- only install this uki.efi in any binary generated binpkgs, this saves space
- extract the initrd and kernel image from the uki in pkg_postinst
- own image, initrd and uki install paths
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Signed-off-by: Michał Górny <mgorny@gentoo.org>
The several partially-supported arches (those relying on
USE=savedconfig) directly return in src_prepare(), hence previously the
CONFIG_EFI_ZBOOT probing didn't have a chance to run when building for
those arches, leading to wrong kernel artifact path and failed
src_install().
Move the probing to near the end of eclass src_configure(), so the flag
correctly reflects the reality in all circumstances.
Signed-off-by: WANG Xuerui <xen0n@gentoo.org>
Currently, using a custom path for MODULES_SIGN_KEY requires the key to
be readable by portage:portage. This is not ideal for security, since
the file has to be either owned by portage:portage or readable by all
users in this case. Instead, export the contents of MODULES_SIGN_KEY to
a variable in pkg_setup, and then create a temporary file with it in
src_configure to ensure that the temporary key is readable by the user
that the kernel is being built as. The variable is then unset so it does
not end up in the final environment file.
Co-authored-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Signed-off-by: Violet Purcell <vimproved@inventati.org>
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
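The pattern this message describes (read the key while still root, hand its contents to the unprivileged build through a variable, write a private temp file there, then drop the variable) is worth seeing end to end. The shell functions below are an added example, not code from kernel-build.eclass: read_key_into_var stands in for the pkg_setup half, write_key_from_var for the src_configure half, and key_is_private is the check a reviewer would run on the result. The key file and paths used to exercise them are constructed; the PEM body is not a real key.

```sh
#!/bin/sh
# Added example, not kernel-build.eclass code: stage a root-only signing key for a
# build running as an unprivileged user without making the key readable by that
# user's group or by everyone. The variable name and the test inputs are constructed.

# read_key_into_var <key-file>
# pkg_setup half, runs as root: validates that the file is a PEM private key and
# stores its contents in SIGNING_KEY_CONTENTS. A typo in the key path, or a path to
# a certificate instead of a key, fails here instead of deep inside the kernel build.
read_key_into_var() {
    contents=$(cat "$1") || return 1
    case $contents in
        *'-----BEGIN '*'PRIVATE KEY-----'*) SIGNING_KEY_CONTENTS=$contents ;;
        *) echo "$1 does not look like a PEM private key" >&2; return 1 ;;
    esac
}

# write_key_from_var <dest-file>
# src_configure half, runs as the build user: writes the key under umask 077 so the
# file is created mode 0600 and is never world-readable even for an instant, then
# unsets the variable so it cannot be saved into the package's environment file.
# $(cat) dropped the trailing newline; printf '%s\n' restores the single one PEM has.
write_key_from_var() {
    [ -n "$SIGNING_KEY_CONTENTS" ] || { echo "no key staged" >&2; return 1; }
    rm -f "$1" && ( umask 077 && printf '%s\n' "$SIGNING_KEY_CONTENTS" > "$1" ) || return 1
    unset SIGNING_KEY_CONTENTS
}

# key_is_private <file>
# 0 when neither group nor others can read the file (POSIX find, no GNU -perm /mode).
key_is_private() {
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 \))" ]
}
```

The two halves must run in the same process environment for the variable to cross over; that is exactly why the message insists on unsetting it afterwards, since anything left in the environment at the end of the build is what gets written out alongside the package.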
Do not call `emake dtbs_install` in `src_test()` phase, as it attempts
to install straight to `/boot`. Why do people send patches without
actually testing them?!
Signed-off-by: Michał Górny <mgorny@gentoo.org>
Reverted at mgorny's request, apparently we can't hardcode the portage user.
This reverts commit d03c14cd4be8665830082f424e4443906b005c7e.
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Previously, it was being copied in src_prepare, and thus would fail if
the signing key was not readable by portage:portage. This commit makes
kernel-build.eclass instead copy the signing key in pkg_setup, and then
correct the permissions.
Signed-off-by: Violet Purcell <vimproved@inventati.org>
Closes: https://github.com/gentoo/gentoo/pull/33850
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>