• [gentoo-dev] [PATCH] kernel-install.eclass: enforce signed modules in t

    From Andrew Ammerlaan@21:1/5 to All on Sat Aug 26 20:20:01 2023
    This only has effect when building the gpkg for gentoo-kernel-bin which
    overrides CONFIG_MODULE_SIG_FORCE. To ensure that the module signing was
    successful we instruct the kernel to reject modules with an invalid
    signature.

    This has no effect on other kernel packages which already have CONFIG_MODULE_SIG_FORCE=y.

    Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
    ---
    eclass/kernel-install.eclass | 4 ++++
    1 file changed, 4 insertions(+)

    diff --git a/eclass/kernel-install.eclass b/eclass/kernel-install.eclass
    index 62fbb1dab0493..84d306c19f1ab 100644
    --- a/eclass/kernel-install.eclass
    +++ b/eclass/kernel-install.eclass
    @@ -301,6 +301,10 @@ kernel-install_test() {
    ;;
    esac

    + if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
    + use modules-sign && qemu_extra_append+=" module.sig_enforce=1 " + fi
    +
    cat > run.sh <<-EOF || die
    #!/bin/sh
    exec qemu-system-${qemu_arch} \
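
    Review bot: module.sig_enforce=1, appended in kernel-install_test(), only makes the kernel reject a module at load time, so this check proves that signing worked only if the qemu boot actually loads at least one module, and nothing in the visible context shows that it does. Please confirm which module load the test relies on, and say so in a comment above the new "if" so a later change to the test image does not make the check pass vacuously. That comment could also record what the commit message states, that this matters only for gentoo-kernel-bin, where CONFIG_MODULE_SIG_FORCE is overridden. Minor style point: the nested "use modules-sign && qemu_extra_append+=..." could be folded into the condition, as in "if [[ ${KERNEL_IUSE_MODULES_SIGN} ]] && use modules-sign; then", which avoids a bare "use" leaving a non-zero status as the last command of the block.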
