kernel-{build,install}.eclass: exclude any generated keys from binpkgs
The kernel build system supports generating a new module signing key if the
CONFIG_MODULE_SIG_KEY is set to the default value (MODULES_SIGN_KEY is not set)
and no key exists at that default location.

This results in the unfortunate situation where private key material ends up
in generated binary packages. That is almost never what you want since binary
packages are usually readable by regular users. To avoid this we move the key
out of the ED in the install phase, and move it back in the preinst phase after
the binary package has been built.

This also means that when distributing built binary packages to other systems
the signing key will now never be installed onto all those other systems, which
is probably what you want anyway.

Note, there is no change for folks who use externally managed keys, i.e. for
everyone who has MODULES_SIGN_KEY, MODULE_SIGN_CERT set.

Signed-off-by: Nowa Ammerlaan <[email protected]>
Closes: gentoo#40017
Signed-off-by: Nowa Ammerlaan <[email protected]>
Nowa-Ammerlaan committed Jan 6, 2025
1 parent b93fd5a commit 9163b23
Showing 2 changed files with 14 additions and 1 deletion.
6 changes: 5 additions & 1 deletion eclass/kernel-build.eclass
Expand Up @@ -447,6 +447,11 @@ kernel-build_src_install() {

# Copy built key/certificate files
cp -p build/certs/* "${ED}${kernel_dir}/certs/" || die
# If a key was generated, exclude it from the binpkg
local generated_key=${ED}${kernel_dir}/certs/signing_key.pem
if [[ -r ${generated_key} ]]; then
mv "${generated_key}" "${T}/signing_key.pem" || die
fi

# building modules fails with 'vmlinux has no symtab?' if stripped
use ppc64 && dostrip -x "${kernel_dir}/${image_path}"
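Review bot: the `[[ -r ${generated_key} ]]` test in kernel-build_src_install recognises a generated key purely by the file name signing_key.pem, and the copy stashed in `${T}` is only restored by kernel-install_pkg_preinst. The comment should say that signing_key.pem is the build system's default key location, so the name check is what stands in for "MODULES_SIGN_KEY is not set", and should point at the restore block in kernel-install.eclass so the pairing is discoverable. It is also worth documenting that once the key is moved it exists only in `${T}`: if pkg_preinst never runs for this build, the key is discarded with the temporary directory while the modules in the binary package remain signed by it.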
Expand Down Expand Up @@ -654,7 +659,6 @@ kernel-build_pkg_postinst() {
ewarn "MODULES_SIGN_KEY was not set, this means the kernel build system"
ewarn "automatically generated the signing key. This key was installed"
ewarn "in ${EROOT}/usr/src/linux-${KV_FULL}/certs"
ewarn "and will also be included in any binary packages."
ewarn "Please take appropriate action to protect the key!"
ewarn
ewarn "Recompiling this package causes a new key to be generated. As"
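Review bot: the warning kept in kernel-build_pkg_postinst still states unconditionally "This key was installed in ${EROOT}/usr/src/linux-${KV_FULL}/certs", but with this change that holds only on the host that built the package. If this branch is reached when installing from a binary package, there is no `${T}/signing_key.pem` to restore and no key under certs. Consider gating that sentence on the key file actually existing there, or rewording it so that binary package consumers are told the key is not shipped with the package.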
9 changes: 9 additions & 0 deletions eclass/kernel-install.eclass
Expand Up @@ -607,6 +607,15 @@ kernel-install_pkg_preinst() {
[[ ! -d ${kernel_dir} ]] &&
die "Kernel directory ${kernel_dir} not installed!"

# We moved this in order to omit it from the binpkg, move it back
if [[ -r "${T}/signing_key.pem" ]]; then
# cp instead of mv to set owner to root in one go
(
umask 066 &&
cp "${T}/signing_key.pem" "${kernel_dir}/certs/signing_key.pem"
) || die
fi

# perform the version check for release ebuilds only
if [[ ${PV} != *9999 ]]; then
local expected_ver=$(dist-kernel_PV_to_KV "${PV}")
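Review bot: the restore block in kernel-install_pkg_preinst uses `cp`, which leaves a second copy of the private key in `${T}/signing_key.pem` until the temporary directory is cleaned up. Consider removing the stashed file after a successful copy, e.g. `rm -f "${T}/signing_key.pem"` inside the same subshell, or extend the comment to say why the leftover copy is acceptable. The `umask 066` only constrains the mode of a file that `cp` creates, so the comment should also note that the destination is expected not to exist at this point because src_install moved it out of the image.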