On Mon, 2023-11-27 at 12:12 -0500, Violet Purcell wrote:

Currently, using a custom path for MODULES_SIGN_KEY requires the key to
be readable by portage:portage. This is not ideal for security, since
the file has to be either owned by portage:portage or readable by all
users in this case. Instead, export the contents of MODULES_SIGN_KEY to
a variable in pkg_setup, and then create a temporary file with it in src_configure to ensure that the temporary key is readable by the user
that the kernel is being built as. The variable is then unset so it does
not end up in the final environment file.

Signed-off-by: Violet Purcell <vimproved@inventati.org>
---
eclass/kernel-build.eclass | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index 4f7e4d047739..cf958c86ff29 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -114,6 +114,13 @@ kernel-build_pkg_setup() {
python-any-r1_pkg_setup
if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
secureboot_pkg_setup
+ if [[ -e ${MODULES_SIGN_KEY} && ${MODULES_SIGN_KEY} != pkcs11:* ]]; then
+ if [[ -e ${MODULES_SIGN_CERT} && ${MODULES_SIGN_CERT} != ${MODULES_SIGN_KEY} ]]; then
+ export MODULES_SIGN_KEY_CONTENTS="$(cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}")"
+ else
+ export MODULES_SIGN_KEY_CONTENTS="$(< "${MODULES_SIGN_KEY}")"

You don't need to export it. Unexported variables are also preserved.

+ fi
+ fi
fi
}

@@ -427,12 +434,12 @@ kernel-build_merge_configs() {
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y
EOF
- if [[ -e ${MODULES_SIGN_KEY} && -e ${MODULES_SIGN_CERT} &&
- ${MODULES_SIGN_KEY} != ${MODULES_SIGN_CERT} && - ${MODULES_SIGN_KEY} != pkcs11:* ]]
- then
- cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" > "${T}/kernel_key.pem" || die
- MODULES_SIGN_KEY="${T}/kernel_key.pem"
+ if [[ -n "${MODULES_SIGN_KEY_CONTENTS}" ]]; then
+ touch "${T}/kernel_key.pem" || die
+ chmod 0600 "${T}/kernel_key.pem" || die

This creates a race condition whereupon the file can be opened between
the call to touch and chmod. It's better to use a subshell and set
umask.

+ echo "${MODULES_SIGN_KEY_CONTENTS}" > "${T}/kernel_key.pem" || die
+ unset MODULES_SIGN_KEY_CONTENTS
+ export MODULES_SIGN_KEY="${T}/kernel_key.pem"
fi
if [[ ${MODULES_SIGN_KEY} == pkcs11:* || -r ${MODULES_SIGN_KEY} ]]; then
echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \

--
Best regards,
Michał Górny


-----BEGIN PGP SIGNATURE-----

iQFGBAABCgAwFiEEx2qEUJQJjSjMiybFY5ra4jKeJA4FAmVk1t0SHG1nb3JueUBn ZW50b28ub3JnAAoJEGOa2uIyniQOMxEIANCqB2AL0QH+cMERACJf34SfUlLOTyjq 8ykPtsxuGEq+mAD3dIyRnh49ExjJlAJ+eG0LHPso8KQ319bWRQ5aUGn12VdPeLlj nCV/0txf7EaDJSmqgk/6V3qHeQz/UzKbVwf0KriEtGIMB+XJDAdeOigKGhTzuQNL rADAnHIcnRXKmisMWjH9zoBRobVHFMVTsEeiHRkMypgrCyR9yf7HK5P3rWXbP8j/ g0pFdEEaH3swP4z2wQWK25pt52Q6lvCMWT1vIGlHJ++a3ANT3wXPCOf9AIUT7A7G PbB/8ZpJn4mZsndqo4053SknYQ2ifma9GnkJPzGhi5se3MpAa7EwrGE=
=Ivyv
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

v3:

From dbf92605437b4a457bad2da92f69baab23fcfa44 Mon Sep 17 00:00:00 2001
From: Violet Purcell <vimproved@inventati.org>
Date: Mon, 27 Nov 2023 12:12:09 -0500
Subject: [PATCH] kernel-build.eclass: work around permissions issue with
module signing

Currently, using a custom path for MODULES_SIGN_KEY requires the key to
be readable by portage:portage. This is not ideal for security, since
the file has to be either owned by portage:portage or readable by all
users in this case. Instead, export the contents of MODULES_SIGN_KEY to
a variable in pkg_setup, and then create a temporary file with it in src_configure to ensure that the temporary key is readable by the user
that the kernel is being built as. The variable is then unset so it does
not end up in the final environment file.

Co-authored-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Signed-off-by: Violet Purcell <vimproved@inventati.org>
---
eclass/kernel-build.eclass | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index f5529c319f9fc..94b499f82fc1e 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -114,6 +114,13 @@ kernel-build_pkg_setup() {
python-any-r1_pkg_setup
if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
secureboot_pkg_setup
+ if [[ -e ${MODULES_SIGN_KEY} && ${MODULES_SIGN_KEY} != pkcs11:* ]]; then
+ if [[ -e ${MODULES_SIGN_CERT} && ${MODULES_SIGN_CERT} !=
${MODULES_SIGN_KEY} ]]; then
+ MODULES_SIGN_KEY_CONTENTS="$(cat "${MODULES_SIGN_CERT}"
"${MODULES_SIGN_KEY}" || die)"
+ else
+ MODULES_SIGN_KEY_CONTENTS="$(cat "${MODULES_SIGN_KEY}" || die)"
+ fi
+ fi
fi
}

@@ -422,12 +429,11 @@ kernel-build_merge_configs() {
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y
EOF
- if [[ -e ${MODULES_SIGN_KEY} && -e ${MODULES_SIGN_CERT} &

On Mon, 2023-12-11 at 09:00 +0100, Andrew Ammerlaan wrote:

v3:

From dbf92605437b4a457bad2da92f69baab23fcfa44 Mon Sep 17 00:00:00 2001
From: Violet Purcell <vimproved@inventati.org>
Date: Mon, 27 Nov 2023 12:12:09 -0500
Subject: [PATCH] kernel-build.eclass: work around permissions issue with
module signing

Currently, using a custom path for MODULES_SIGN_KEY requires the key to
be readable by portage:portage. This is not ideal for security, since
the file has to be either owned by portage:portage or readable by all
users in this case. Instead, export the contents of MODULES_SIGN_KEY to
a variable in pkg_setup, and then create a temporary file with it in src_configure to ensure that the temporary key is readable by the user
that the kernel is being built as. The variable is then unset so it does
not end up in the final environment file.

Co-authored-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Signed-off-by: Violet Purcell <vimproved@inventati.org>
---
eclass/kernel-build.eclass | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index f5529c319f9fc..94b499f82fc1e 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -114,6 +114,13 @@ kernel-build_pkg_setup() {
python-any-r1_pkg_setup
if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
secureboot_pkg_setup
+ if [[ -e ${MODULES_SIGN_KEY} && ${MODULES_SIGN_KEY} != pkcs11:* ]]; then
+ if [[ -e ${MODULES_SIGN_CERT} && ${MODULES_SIGN_CERT} !=
${MODULES_SIGN_KEY} ]]; then
+ MODULES_SIGN_KEY_CONTENTS="$(cat "${MODULES_SIGN_CERT}"
"${MODULES_SIGN_KEY}" || die)"

You can use $(<...) builtin instead of calling cat(1).

+ else
+ MODULES_SIGN_KEY_CONTENTS="$(cat "${MODULES_SIGN_KEY}" || die)"
+ fi
+ fi
fi
}

@@ -422,12 +429,11 @@ kernel-build_merge_configs() {
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y
EOF
- if [[ -e ${MODULES_SIGN_KEY} && -e ${MODULES_SIGN_CERT} &&
- ${MODULES_SIGN_KEY} != ${MODULES_SIGN_CERT} && - ${MODULES_SIGN_KEY} != pkcs11:* ]]
- then
- cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" >
"${T}/kernel_key.pem" || die
- MODULES_SIGN_KEY="${T}/kernel_key.pem"
+ if [[ -n "${MODULES_SIGN_KEY_CONTENTS}" ]]; then

No quoting is needed here.

+ (umask 066; touch "${T}/kernel_key.pem" || die)

'&&' instead of ';', even if umask shouldn't really fail here.

+ echo "${MODULES_SIGN_KEY_CONTENTS}" > "${T}/kernel_key.pem" || die
+ unset MODULES_SIGN_KEY_CONTENTS
+ export MODULES_SIGN_KEY="${T}/kernel_key.pem"
fi
if [[ ${MODULES_SIGN_KEY} == pkcs11:* || -r ${MODULES_SIGN_KEY} ]];
then
echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \

--
Best regards,
Michał Górny


-----BEGIN PGP SIGNATURE-----

iQFGBAABCgAwFiEEx2qEUJQJjSjMiybFY5ra4jKeJA4FAmV27s8SHG1nb3JueUBn ZW50b28ub3JnAAoJEGOa2uIyniQOW8kIAM0F6OgkRAVbXVY4ocL+CniVetJ5CRRo kw/ppBfrQuFB0fQdOXKr1p4IlYrLaSrws9xbhIcqgc23RuT4OI2wIvIZLaGos8hA bBvhUmEZnfkMoThYpiRWqI8XnJtME7jZInDBKhJlcz3D9xowE2B2O86op4hNF0GC tLsFvfpXCFW83YYqfQ2R+UI/WUQxHm6EzUtt7HWnadttiSMXUBpfZmSNf92R599L TAsWxhPNvTWxiCwbKK8rojLGnuWwJdButc7290RhZMHSYiWq06KM+sSnZwD7WshF WG7SJ83mud+oYwaKq0pRd/Nnlti6DMDWmkCpccsAra6T+ypACfVVqd4=
=p/02
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index f5529c319f9fc..94b499f82fc1e 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -114,6 +114,13 @@ kernel-build_pkg_setup() {
python-any-r1_pkg_setup
if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
secureboot_pkg_setup
+ if [[ -e ${MODULES_SIGN_KEY} && ${MODULES_SIGN_KEY} != pkcs11:* ]]; then
+ if [[ -e ${MODULES_SIGN_CERT} && ${MODULES_SIGN_CERT} !=
${MODULES_SIGN_KEY} ]]; then
+ MODULES_SIGN_KEY_CONTENTS="$(cat "${MODULES_SIGN_CERT}"
"${MODULES_SIGN_KEY}" || die)"

You can use $(<...) builtin instead of calling cat(1).

I don't have a strong preference, but I used cat here for esthetic
symmetry reasons with the line above. Anyway, here's v4:

From 3890c558ff93b9cdb608a3bbcf4c3039f456b571 Mon Sep 17 00:00:00 2001
From: Violet Purcell <vimproved@inventati.org>
Date: Mon, 27 Nov 2023 12:12:09 -0500
Subject: [PATCH] kernel-build.eclass: work around permissions issue with
module signing

Currently, using a custom path for MODULES_SIGN_KEY requires the key to
be readable by portage:portage. This is not ideal for security, since
the file has to be either owned by portage:portage or readable by all
users in this case. Instead, export the contents of MODULES_SIGN_KEY to
a variable in pkg_setup, and then create a temporary file with it in src_configure to ensure that the temporary key is readable by the user
that the kernel is being built as. The variable is then unset so it does
not end up in the final environment file.

Co-authored-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Signed-off-by: Violet Purcell <vimproved@inventati.org>
---
eclass/kernel-build.eclass | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index f5529c319f9fc..6b692dc4f9a08 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -114,6 +114,13 @@ kernel-build_pkg_setup() {
python-any-r1_pkg_setup
if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
secureboot_pkg_setup
+ if [[ -e ${MODULES_SIGN_KEY} && ${MODULES_SIGN_KEY} != pkcs11:* ]]; then
+ if [[ -e ${MODULES_SIGN_CERT} && ${MODULES_SIGN_CERT} !=
${MODULES_SIGN_KEY} ]]; then
+ MODULES_SIGN_KEY_CONTENTS="$(cat "${MODULES_SIGN_CERT}"
"${MODULES_SIGN_KEY}" || die)"
+ else
+ MODULES_SIGN_KEY_CONTENTS="$(< "${MODULES_SIGN_KEY}")"
+ fi
+ fi
fi
}

@@ -422,12 +429,11 @@ kernel-build_merge_configs() {
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y
EOF
- if [[ -e ${MODULES_SIGN_KEY} && -e ${MODULES_SIGN_CERT} &&
- $

On Mon, 2023-12-11 at 12:28 +0100, Andrew Ammerlaan wrote:

diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass index f5529c319f9fc..94b499f82fc1e 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -114,6 +114,13 @@ kernel-build_pkg_setup() {
    python-any-r1_pkg_setup
    if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
    secureboot_pkg_setup
+ if [[ -e ${MODULES_SIGN_KEY} && ${MODULES_SIGN_KEY} != pkcs11:* ]]; then
+ if [[ -e ${MODULES_SIGN_CERT} && ${MODULES_SIGN_CERT} !=
${MODULES_SIGN_KEY} ]]; then
+ MODULES_SIGN_KEY_CONTENTS="$(cat "${MODULES_SIGN_CERT}"
"${MODULES_SIGN_KEY}" || die)"

You can use $(<...) builtin instead of calling cat(1).

I don't have a strong preference, but I used cat here for esthetic
symmetry reasons with the line above. Anyway, here's v4:

 From 3890c558ff93b9cdb608a3bbcf4c3039f456b571 Mon Sep 17 00:00:00 2001 From: Violet Purcell <vimproved@inventati.org>
Date: Mon, 27 Nov 2023 12:12:09 -0500
Subject: [PATCH] kernel-build.eclass: work around permissions issue with   module signing

Currently, using a custom path for MODULES_SIGN_KEY requires the key to
be readable by portage:portage. This is not ideal for security, since
the file has to be either owned by portage:portage or readable by all
users in this case. Instead, export the contents of MODULES_SIGN_KEY to
a variable in pkg_setup, and then create a temporary file with it in src_configure to ensure that the temporary key is readable by the user
that the kernel is being built as. The variable is then unset so it does
not end up in the final environment file.

Co-authored-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Signed-off-by: Violet Purcell <vimproved@inventati.org>
---
  eclass/kernel-build.eclass | 18 ++++++++++++------
  1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index f5529c319f9fc..6b692dc4f9a08 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -114,6 +114,13 @@ kernel-build_pkg_setup() {
   python-any-r1_pkg_setup
   if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
   secureboot_pkg_setup
+ if [[ -e ${MODULES_SIGN_KEY} && ${MODULES_SIGN_KEY} != pkcs11:* ]]; then
+ if [[ -e ${MODULES_SIGN_CERT} && ${MODULES_SIGN_CERT} !=
${MODULES_SIGN_KEY} ]]; then
+ MODULES_SIGN_KEY_CONTENTS="$(cat "${MODULES_SIGN_CERT}"
"${MODULES_SIGN_KEY}" || die)"
+ else
+ MODULES_SIGN_KEY_CONTENTS="$(< "${MODULES_SIGN_KEY}")"
+ fi
+ fi
   fi
  }

@@ -422,12 +429,11 @@ kernel-build_merge_configs() {
   CONFIG_MODULE_SIG_FORCE=y
   CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y
   EOF
- if [[ -e ${MODULES_SIGN_KEY} && -e ${MODULES_SIGN_CERT} &&
- ${MODULES_SIGN_KEY} != ${MODULES_SIGN_CERT} && - ${MODULES_SIGN_KEY} != pkcs11:* ]]
- then
- cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" >
"${T}/kernel_key.pem" || die
- MODULES_SIGN_KEY="${T}/kernel_key.pem"
+ if [[ -n ${MODULES_SIGN_KEY_CONTENTS} ]]; then
+ (umask 066 && touch "${T}/kernel_key.pem" || die)
+ echo "${MODULES_SIGN_KEY_CONTENTS}" > "${T}/kernel_key.pem" || die
+ unset MODULES_SIGN_KEY_CONTENTS
+ export MODULES_SIGN_KEY="${T}/kernel_key.pem"    fi
   if [[ ${MODULES_SIGN_KEY} == pkcs11:* || -r ${MODULES_SIGN_KEY} ]];
then
   echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \

LGTM but I didn't test it.

--
Best regards,
Michał Górny


-----BEGIN PGP SIGNATURE-----

iQFGBAABCgAwFiEEx2qEUJQJjSjMiybFY5ra4jKeJA4FAmV2+NUSHG1nb3JueUBn ZW50b28ub3JnAAoJEGOa2uIyniQOkrUH/ip+7YKxHRz6DeIhNdvCygjlugv8Hncs meGngUriq/vD+Ne4WgNNnSzCsLV+l3I/imebEseAk4NVl0FV4fXUZfXDefkik5Sw HpIJWnFrdZO5P9nxHX9iD2ZRd3aBGFG6c+el8U/fbVwyji6J6cKbK9PatKXrz75h oDoX0T20YX5QOTBKnd3KKF0X6tIbICwufGqYTgzj/exuRzPeRbLhXQAj4PA4iXwg tseJZlgWHLtBAiKa8QAz8Ne9NgMNOAUxn4sfb4PA4d36Feh3rl0wzPmR6vBX2FUA NrNQEzkZPRczoWNbxgVxHuRFCR3jbzZWf6RvY1m7zkIr36HGVEyemBc=
=zYb3
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)