eee74b9fca1 adds support for module compression, but this breaks loading
out of tree modules when module signing is enforced because modules must
be signed before they are compressed. Additionally, the recommended
Portage hook[1] no longer works with this change.

Add module signing support in linux-mod.eclass which more or less does
exactly what the aforementioned Portage hook does. If the kernel
configuration has CONFIG_MODULE_SIG_ALL=y, then read the hash and keys
from the kernel configuration and call the sign_file tool to sign the
module before it is compressed.

Bug: https://bugs.gentoo.org/show_bug.cgi?id=447352
Signed-off-by: Kenton Groombridge <conc...@gentoo.org>
---
 eclass/linux-mod.eclass | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass
index b7c13cbf7e7..fd40f6d7c6c 100644
--- a/eclass/linux-mod.eclass
+++ b/eclass/linux-mod.eclass
@@ -712,6 +712,22 @@ linux-mod_src_install() {
                cd "${objdir}" || die "${objdir} does not exist"
                insinto "${INSTALL_MOD_PATH}"/lib/modules/${KV_FULL}/${libdir}
 
+               # check here for CONFIG_MODULE_SIG_ALL and sign the module 
being built if enabled.
+               # modules must be signed before they are compressed.
+
+               if linux_chkconfig_present MODULE_SIG_ALL; then
+                       local module_sig_hash="$(linux_chkconfig_string 
MODULE_SIG_HASH)"
+                       local module_sig_key="$(linux_chkconfig_string 
MODULE_SIG_KEY)"
+                       
module_sig_key="${module_sig_key:-certs/signing_key.pem}"
+                       if [[ "${module_sig_key#pkcs11:}" == 
"${module_sig_key}" && "${module_sig_key#/}" == "${module_sig_key}" ]]; then
+                               local key_path="${KERNEL_DIR}/${module_sig_key}"
+                       else
+                               local key_path="${module_sig_key}"
+                       fi
+                       local cert_path="${KERNEL_DIR}/certs/signing_key.x509"
+                       "${KERNEL_DIR}"/scripts/sign-file 
${module_sig_hash//\"} ${key_path//\"} ${cert_path} ${modulename}.${KV_OBJ}
+               fi
+
                # check here for CONFIG_MODULE_COMPRESS_<compression option> 
(NONE, GZIP, XZ, ZSTD) 
                # and similarily compress the module being built if != NONE.
 
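Review bot: the `"${KERNEL_DIR}"/scripts/sign-file ...` call in this hunk has no `|| die`, so a signing failure (key file missing, hash algorithm unsupported by the sign-file binary, sign-file not built in KERNEL_DIR) is silently ignored and the unsigned module is then compressed and installed, which is precisely the state the commit message says fails to load when signing is enforced; suggest `... ${modulename}.${KV_OBJ} || die "Failed to sign module ${modulename}"`. The `${module_sig_hash//\"}` and `${key_path//\"}` expansions are also unquoted, so a KERNEL_DIR containing whitespace would split the key path into several arguments; quote them (`"${module_sig_hash//\"}" "${key_path//\"}" "${cert_path}"`). Minor: `local key_path` is declared separately in both branches of the if; declaring it once before the if reads cleaner.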
-- 
2.35.1

