• Re: [gentoo-dev] [PATCH 2/2] dist-kernel-utils.eclass: skip initrd inst

    From Andrew Ammerlaan@21:1/5 to All on Sat Jun 17 20:30:01 2023
    This replaces a workaround with a better one. Instead of tricking
    50-dracut.install with an empty initrd file we instruct kernel-install to
    simply skip this plugin.

    This way we don't end up with a bunch of confusing empty initrd files in
    /boot. End result is the same.

    I've got an upstream PR open to fix the underlying issue (i.e. make
    50-dracut.install work properly with uefi=yes and layout=uki):
    https://github.com/dracutdevs/dracut/pull/2405


    From c2d6ecb074d25c70677fa9c371801a0002c9a216 Mon Sep 17 00:00:00 2001
    From: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
    Date: Fri, 16 Jun 2023 22:51:00 +0200
    Subject: [PATCH] dist-kernel-utils.eclass: skip initrd installation when using uki

    Gets rid of a hack that prevents 50-dracut.install from regenerating the
    initrd when calling kernel-install. Instead instruct kernel-install to
    simply not run this plugin.

    Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
    ---
    eclass/dist-kernel-utils.eclass | 19 +++++++++++++++----
    1 file changed, 15 insertions(+), 4 deletions(-)

    diff --git a/eclass/dist-kernel-utils.eclass
    b/eclass/dist-kernel-utils.eclass
    index c6892c2f01278..e371e035c8565 100644
    --- a/eclass/dist-kernel-utils.eclass
    +++ b/eclass/dist-kernel-utils.eclass
    @@ -106,10 +106,21 @@ dist-kernel_install_kernel() {
    # install the combined executable in place of kernel
    image=${initrd}.efi
    mv "${initrd}" "${image}" || die
    - # put an empty file in place of initrd. installing a duplicate - # file would waste disk space, and removing it entirely provokes
    - # kernel-install to regenerate it via dracut.
    - > "${initrd}"
    + # We moved the generated initrd, prevent dracut from running again
    + local plugins=()
    + for file in "${EROOT}"/usr/lib/kernel/install.d/*; do
    + if [[ ${file} != */50-dracut.install && \
    + ${file} != */51-dracut-rescue.install && \
    + ${file} == *.install ]]; then
    + plugins+=( "${file}" )
    + fi
    +
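    Review bot: the `for file in "${EROOT}"/usr/lib/kernel/install.d/*` loop runs without nullglob, so an empty install.d directory leaves the literal pattern in ${file}; only the trailing `${file} == *.install` test keeps that literal out of plugins, and that protection is easy to lose when the condition is edited. Enabling nullglob around the loop, or globbing `*.install` directly, makes the intent explicit. The new comment also drops the reasoning the removed comment carried: say why 51-dracut-rescue.install is skipped alongside 50-dracut.install. The hunk is cut off after `plugins+=( "${file}" )`, so how the list is handed to kernel-install cannot be reviewed in this copy.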
  • From Andrew Ammerlaan@21:1/5 to All on Mon Jun 19 14:40:01 2023
    Version 2 makes things a bit simpler by using the 'has' function and
    ensures things don't break if the install.d directory is empty using
    'shopt -s nullglob'.

    After merging these patches and the previous patches to
    kernel-build.eclass, users of sys-kernel/gentoo-kernel will be able to
    not only have their internal and external modules signed but also to
    automatically generate, install and sign unified kernel images for use
    with secure boot. An example configuration would look like this:

    /etc/portage/make.conf:
    USE="dist-kernel modules-sign"
    # And optionally
    MODULES_SIGN_HASH="..."
    MODULES_SIGN_KEY="..."

    /etc/kernel/install.conf:
    layout=uki
    initrd_generator=dracut

    /etc/dracut.conf:
    uefi="yes"
    uefi_secureboot_cert="/usr/src/linux/certs/signing_key.pem" # or the path of MODULES_SIGN_CERT
    uefi_secureboot_key="/usr/src/linux/certs/signing_key.pem" # or the path of MODULES_SIGN_KEY
    kernel_cmdline="..."

    And if you are also using dkms (not in ::gentoo) for additional modules:

    /etc/dkms/framework.conf:
    mok_signing_key="/usr/src/linux/certs/signing_key.pem" # or the path of MODULES_SIGN_KEY
    mok_certificate="/usr/src/linux/certs/signing_key.x509" # or the path of MODULES_SIGN_CERT

    Of course you will still have to manually deal with getting the firmware
    to actually accept this key or use sys-boot/shim as a preloader.

    When the fix from my upstream PR[1] lands in ::gentoo this will also
    work when using 'make install' with manually configured kernels (i.e.
    sys-kernel/gentoo-sources). Currently the dracut kernel-install plugin
    breaks in this configuration; we work around this in the eclass but you
    still run into this problem when using the kernel Makefile.

    Best regards,
    Andrew

    [1] https://github.com/dracutdevs/dracut/pull/2405


    From 08302fddf42f9c34fa0cf5647ff44a55f25f75c2 Mon Sep 17 00:00:00 2001
    From: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
    Date: Fri, 16 Jun 2023 22:51:00 +0200
    Subject: [PATCH] dist-kernel-utils.eclass: skip initrd installation when using uki

    Gets rid of a hack that prevents 50-dracut.install from regenerating the
    initrd when calling kernel-install. Instead instruct kernel-install to
    simply not run this plugin.

    Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
    ---
    eclass/dist-kernel-utils.eclass | 18 ++++++++++++++----
    1 file changed, 14 insertions(+), 4 deletions(-)

    diff --git a/eclass/dist-kernel-utils.eclass
    b/eclass/dist-kernel-utils.eclass
    index c6892c2f01278..cfb6f40ac6fae 100644
    --- a/eclass/dist-kernel-utils.eclass
    +++ b/eclass/dist-kernel-utils.eclass
    @@ -106,10 +106,20 @@ dist-kernel_install_kernel() {
    # install the combined executable in place of kernel
    image=${initrd}.efi
    mv "${initrd}" "${image}" || die
    - # put an empty file in place of initrd. installing a duplicate - # file would waste disk space, and removing it entirely provokes
    - # kernel-install to regenerate it via dracut.
    - > "${initrd}"
    + # We moved the generated initrd, prevent dracut from running again
    + # https://github.com/dracutdevs/dracut/pull/2405
    + shopt -s nullglob
    + local plugins=()
    + for file in "${EROOT}"/usr/lib/kernel/install.d/*.install; do
    + if ! has "${file##*/}" 50-dracut.install 51-dracut-rescue.install; then
    + plugins+
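    Review bot: `shopt -s nullglob` is switched on inside dist-kernel_install_kernel() and nothing in the visible part of the hunk switches it off again, so it stays in force for the rest of the ebuild phase and silently turns every later unmatched glob in the caller from a literal pattern into nothing. Scope it to the loop: save the previous state with `local nullglob_state=$(shopt -p nullglob)` before `shopt -s nullglob` and run `${nullglob_state}` after the loop, or at least `shopt -u nullglob` once the list is built. The `has "${file##*/}" 50-dracut.install 51-dracut-rescue.install` test reads better than the v1 pattern chain, and globbing `*.install` directly removes the separate suffix check. The hunk ends at `plugins+`, so the handoff to kernel-install is not visible in this copy.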
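    The example configuration in the message above spreads one signed-UKI setup over three files (make.conf, install.conf, dracut.conf) whose settings have to agree, and a mismatch typically shows up only as an unsigned or missing image at boot time. The following is an added example, not part of this thread or of the eclass: a POSIX shell checker that parses constructed copies of those files and reports the mismatches. The rules it enforces (layout=uki needs initrd_generator=dracut and dracut uefi="yes", the uefi_secureboot_* paths must be set, and the mail uses the same key as MODULES_SIGN_KEY) are read off the mail's example and are this example's assumption, not something the eclass itself checks; all sample file contents are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or the eclass): consistency check for the
# make.conf / install.conf / dracut.conf trio. Sample contents are constructed.

SAMPLE_MAKE_CONF='USE="dist-kernel modules-sign"
MODULES_SIGN_KEY="/usr/src/linux/certs/signing_key.pem"'

SAMPLE_INSTALL_CONF='layout=uki
initrd_generator=dracut'

SAMPLE_DRACUT_CONF='uefi="yes"
uefi_secureboot_cert="/usr/src/linux/certs/signing_key.pem" # or the path of MODULES_SIGN_CERT
uefi_secureboot_key="/usr/src/linux/certs/signing_key.pem"  # or the path of MODULES_SIGN_KEY
kernel_cmdline="root=/dev/sda2 quiet"'

# Weak variant: kernel-install expects a UKI, but dracut was never told to
# build one and no signing key is configured, so the image is unsigned.
SAMPLE_DRACUT_CONF_WEAK='uefi="no"
kernel_cmdline="root=/dev/sda2 quiet"'

# conf_get CONTENT KEY: value of the last KEY=... line, with any trailing
# comment and surrounding double quotes removed; prints nothing if KEY is absent.
conf_get() {
    printf '%s\n' "$1" \
        | sed -n "s/^[[:space:]]*$2=\(.*\)\$/\1/p" \
        | tail -n 1 \
        | sed 's/[[:space:]]*#.*$//; s/^"\(.*\)"$/\1/'
}

# use_has CONTENT FLAG: true if FLAG appears in the USE= list of CONTENT.
use_has() {
    for flag in $(conf_get "$1" USE); do
        [ "$flag" = "$2" ] && return 0
    done
    return 1
}

# complain MESSAGE: record one mismatch (counter is reset per check run).
complain() {
    echo "  $1"
    problems=$((problems + 1))
}

# check_uki_config MAKE INSTALL DRACUT: print each mismatch, return 0 only if
# every setting the signed-UKI flow relies on is in place.
check_uki_config() {
    problems=0

    use_has "$1" dist-kernel  || complain "make.conf: USE lacks dist-kernel"
    use_has "$1" modules-sign || complain "make.conf: USE lacks modules-sign, modules stay unsigned"

    layout=$(conf_get "$2" layout)
    [ "$layout" = "uki" ] || complain "install.conf: layout='${layout:-unset}', expected uki"
    gen=$(conf_get "$2" initrd_generator)
    [ "$gen" = "dracut" ] || complain "install.conf: initrd_generator='${gen:-unset}', expected dracut"

    uefi=$(conf_get "$3" uefi)
    [ "$uefi" = "yes" ] || complain "dracut.conf: uefi='${uefi:-unset}', dracut will not build a UKI"
    cert=$(conf_get "$3" uefi_secureboot_cert)
    key=$(conf_get "$3" uefi_secureboot_key)
    [ -n "$cert" ] && [ -n "$key" ] || complain "dracut.conf: uefi_secureboot_cert/key unset, UKI stays unsigned"

    # Informational only: the mail's example uses one key for modules and the
    # UKI; a different key is not wrong but must itself be trusted by the firmware.
    modkey=$(conf_get "$1" MODULES_SIGN_KEY)
    if [ -n "$modkey" ] && [ -n "$key" ] && [ "$modkey" != "$key" ]; then
        echo "  note: uefi_secureboot_key differs from MODULES_SIGN_KEY"
    fi

    [ "$problems" -eq 0 ]
}

# Run both constructed samples when executed directly.
echo "good config:"
check_uki_config "$SAMPLE_MAKE_CONF" "$SAMPLE_INSTALL_CONF" "$SAMPLE_DRACUT_CONF" && echo "  ok"
echo "weak config:"
check_uki_config "$SAMPLE_MAKE_CONF" "$SAMPLE_INSTALL_CONF" "$SAMPLE_DRACUT_CONF_WEAK" || echo "  rejected"
```

    To run it against a real system, replace the three SAMPLE_* strings with `$(cat /etc/portage/make.conf)`, `$(cat /etc/kernel/install.conf)` and `$(cat /etc/dracut.conf)`; the parser only understands simple KEY=value lines, which is all the mail's example uses.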