[gentoo-dev] Migration from linux-mod.eclass to linux-mod-r1.eclass
Hello, Thanks to the amazing work by Ionen I'd like to start the process to request all consumers of linux-mod.eclass to start migrating to linux-mod-r1.eclass. Tracker bug is up and I will start to add consumers. If anyone needs a hand with the migration I am happy to help. Details on linux-mod-r1.eclass can be found here[1] and the tracker bug can be found here[2]. [1] https://github.com/gentoo/gentoo/pull/31154/commits/e4b57b51b30fd348da8997aae6e4f651a0a132ce [2] https://bugs.gentoo.org/908692 Mike -- Mike Pagano Gentoo Developer - Kernel Project E-Mail : mpag...@gentoo.org GnuPG FP : 52CC A0B0 F631 0B17 0142 F83F 92A6 DBEC 81F2 B137 Public Key : http://pgp.mit.edu/pks/lookup?search=0x92A6DBEC81F2B137&op=index
Re: [gentoo-dev] [PATCH 2/2] dist-kernel-utils.eclass: skip initrd installation when using the uki layout
This replaces a workaround with a better one. Instead of tricking
50-dracut.install with an empty inird file we instruct kernel-install to
simply skip this plugin.
This way we don't end up with a bunch of confusing empty initrd files in
/boot. End result is the same.
I've got an upstream PR open to fix the underlying issue (i.e make
50-dracut.install work properly with uefi=yes and layout=uki):
https://github.com/dracutdevs/dracut/pull/2405
From c2d6ecb074d25c70677fa9c371801a0002c9a216 Mon Sep 17 00:00:00 2001
From: Andrew Ammerlaan
Date: Fri, 16 Jun 2023 22:51:00 +0200
Subject: [PATCH] dist-kernel-utils.eclass: skip initrd installation when
using
uki
Gets rid of a hack that prevents 50-dracut.install from regenerating the
initrd
when calling kernel-install. Instead instruct kernel-install to simply
not run
this plugin.
Signed-off-by: Andrew Ammerlaan
---
eclass/dist-kernel-utils.eclass | 19 +++
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/eclass/dist-kernel-utils.eclass
b/eclass/dist-kernel-utils.eclass
index c6892c2f01278..e371e035c8565 100644
--- a/eclass/dist-kernel-utils.eclass
+++ b/eclass/dist-kernel-utils.eclass
@@ -106,10 +106,21 @@ dist-kernel_install_kernel() {
# install the combined executable in place of kernel
image=${initrd}.efi
mv "${initrd}" "${image}" || die
- # put an empty file in place of initrd. installing a duplicate
- # file would waste disk space, and removing it entirely provokes
- # kernel-install to regenerate it via dracut.
- > "${initrd}"
+ # We moved the generated initrd, prevent dracut from running
again
+ local plugins=()
+ for file in "${EROOT}"/usr/lib/kernel/install.d/*; do
+ if [[ ${file} != */50-dracut.install && \
+ ${file} != */51-dracut-rescue.install && \
+ ${file} == *.install ]]; then
+ plugins+=( "${file}" )
+ fi
+ done
+ for file in "${EROOT}"/etc/kernel/install.d/*; do
+ if [[ ${file} == *.install ]]; then
+ plugins+=( "${file}" )
+ fi
+ done
+ export KERNEL_INSTALL_PLUGINS="${KERNEL_INSTALL_PLUGINS}
${plugins[@]}"
fi
ebegin "Installing the kernel via installkernel"
[gentoo-dev] [PATCH 1/2] dist-kernel-utils.eclass: fix extension of generated efi file
This fixes a bug. The 90-uki-copy.install kernel-install plugin insists
uki's have the .efi extension. You only hit this if you set layout=uki
in /etc/kernel/install.conf.
layout=uki is probably what you want if you set uefi=yes in dracut.conf
because in this layout the uki's end up on the ESP. This is required to
load the uki directly from efi firmware.
From 1c406ada60d3493203c1fbd6333caf74e53ee8ac Mon Sep 17 00:00:00 2001
From: Andrew Ammerlaan
Date: Fri, 16 Jun 2023 16:33:56 +0200
Subject: [PATCH] dist-kernel-utils.eclass: fix extension of generated
efi file
If kernel-install is configured to use the uki layout the extension of
the efi
file that we install has to be .efi otherwise kernel-install returns an
error.
Signed-off-by: Andrew Ammerlaan
---
eclass/dist-kernel-utils.eclass | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/eclass/dist-kernel-utils.eclass
b/eclass/dist-kernel-utils.eclass
index 439bdc87695df..c6892c2f01278 100644
--- a/eclass/dist-kernel-utils.eclass
+++ b/eclass/dist-kernel-utils.eclass
@@ -1,4 +1,4 @@
-# Copyright 2020-2022 Gentoo Authors
+# Copyright 2020-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
# @ECLASS: dist-kernel-utils.eclass
@@ -104,7 +104,7 @@ dist-kernel_install_kernel() {
if [[ ${magic} == MZ ]]; then
einfo "Combined UEFI kernel+initramfs executable found"
# install the combined executable in place of kernel
- image=${initrd}.uefi
+ image=${initrd}.efi
mv "${initrd}" "${image}" || die
# put an empty file in place of initrd. installing a duplicate
# file would waste disk space, and removing it entirely provokes
Re: [gentoo-dev] [PATCH 2/2 v3] kernel-build.eclass: add USE="modules-sign"
Split the patch in two pieces and changed the name of the pre-inherit
variable to KERNEL_IUSE_MODULES_SIGN. Plus some quotation fixes.
From e019e78448376b04c91397c7efc60ee72c24bf93 Mon Sep 17 00:00:00 2001
From: Andrew Ammerlaan
Date: Thu, 15 Jun 2023 21:10:02 +0200
Subject: [PATCH] kernel-build.eclass: add IUSE="modules-sign"
- Enable module signing configure options if requested by the user.
- Define the user variables MODULES_SIGN_HASH and MODULES_SIGN_KEY.
For controlling the used hashing algorithm and allowing the use of
external keys. These variables are the same as in linux-mod-r1.eclass
- Warn the user if we are letting the kernel build system generate the
signing
key. This key will end up binary packages. Plus external modules will
have to
be resigned if gentoo-kernel is re-emerged (i.e. a new key was generated).
Bug: https://bugs.gentoo.org/814344
Bug: https://bugs.gentoo.org/881651
Signed-off-by: Andrew Ammerlaan
---
eclass/kernel-build.eclass | 90 +-
1 file changed, 89 insertions(+), 1 deletion(-)
diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index abfb01720817a..d28a74ef05758 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -43,6 +43,48 @@ BDEPEND="
IUSE="+strip"
+# @ECLASS_VARIABLE: KERNEL_IUSE_MODULES_SIGN
+# @PRE_INHERIT
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# If set to a non-null value, adds IUSE=modules-sign and required
+# logic to manipulate the kernel config while respecting the
+# MODULES_SIGN_HASH and MODULES_SIGN_KEY user variables.
+
+# @ECLASS_VARIABLE: MODULES_SIGN_HASH
+# @USER_VARIABLE
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# Used with USE=modules-sign. Can be set to hash algorithm to use
+# during signature generation (CONFIG_MODULE_SIG_SHA256).
+#
+# Valid values: sha512,sha384,sha256,sha224,sha1
+#
+# Default if unset: sha512
+
+# @ECLASS_VARIABLE: MODULES_SIGN_KEY
+# @USER_VARIABLE
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# Used with USE=modules-sign. Can be set to the path of the private
+# key in PEM format to use, or a PKCS#11 URI (CONFIG_MODULE_SIG_KEY).
+#
+# If path is relative (e.g. "certs/name.pem"), it is assumed to be
+# relative to the kernel build directory being used.
+#
+# If the key requires a passphrase or PIN, the used kernel sign-file
+# utility recognizes the KBUILD_SIGN_PIN environment variable. Be
+# warned that the package manager may store this value in binary
+# packages, database files, temporary files, and possibly logs. This
+# eclass unsets the variable after use to mitigate the issue (notably
+# for shared binary packages), but use this with care.
+#
+# Default if unset: certs/signing_key.pem
+
+if [[ -n ${KERNEL_IUSE_MODULES_SIGN} ]]; then
+ IUSE+=" modules-sign"
+fi
+
# @FUNCTION: kernel-build_src_configure
# @DESCRIPTION:
# Prepare the toolchain for building the kernel, get the default .config
@@ -259,6 +301,9 @@ kernel-build_src_install() {
dosym "../../../${kernel_dir}" "/lib/modules/${module_ver}/build"
dosym "../../../${kernel_dir}" "/lib/modules/${module_ver}/source"
+ # unset to at least be out of the environment file in, e.g. shared
binpkgs
+ unset KBUILD_SIGN_PIN
+
save_config build/.config
}
@@ -268,6 +313,26 @@ kernel-build_src_install() {
kernel-build_pkg_postinst() {
kernel-install_pkg_postinst
savedconfig_pkg_postinst
+
+ if [[ -n ${KERNEL_IUSE_MODULES_SIGN} ]]; then
+ if use modules-sign && [[ -z "${MODULES_SIGN_KEY}" ]]; then
+ ewarn
+ ewarn "MODULES_SIGN_KEY was not set, this means the kernel
build system"
+ ewarn "automatically generated the signing key. This key was
installed"
+ ewarn "in
${EROOT}/usr/src/linux-${PV}${KV_LOCALVERSION}/certs"
+ ewarn "and will also be included in any binary
packages."
+ ewarn "Please take appropriate action to protect the
key!"
+ ewarn
+ ewarn "Recompiling this package causes a new key to be
generated. As"
+ ewarn "a result any external kernel modules will need to be
resigned."
+ ewarn "Use emerge @module-rebuild, or manually sign the
modules as"
+ ewarn "described on the wiki [1]"
+ ewarn
+ ewarn "Consider using the MODULES_SIGN_KEY variable to use an
external key."
+ ewarn
+ ewarn "[1]:
https://wiki.gentoo.org/wiki/Signed_kernel_module_support";
+ fi
+ fi
}
# @FUNCTION: kernel-build_merge_configs
@@ -290,16 +355,39 @@ kernel-build_merge_configs() {
local user_configs=( "${BROOT}"/etc/kernel/config.d/*.config )
shopt -u nullglob
+ local merge_configs=( "${@}" )
+
+ if [[ -n ${KERNEL_IUSE_MODULES_SIGN} ]]; then
+ if use modules-sign
Re: [gentoo-dev] [PATCH 1/2 v3] kernel-build.eclass: add IUSE="strip", install generated keys
No functional changes in version 3, just renaming some variables and
splitting the version 2 patch.
From 969f242c3269c068ebfe5adc37ebfc92dcd56181 Mon Sep 17 00:00:00 2001
From: Andrew Ammerlaan
Date: Thu, 15 Jun 2023 11:50:10 +0200
Subject: [PATCH] kernel-build.eclass: add IUSE="strip", install
generated keys
- Let the kernel build system handle stripping of the modules.
This is necessary for successfully signing and compressing modules.
Inspired by linux-mod-r1.eclass.
- If the build system has generated keys or certificates, install them.
This is required to successfully sign external kernel modules.
Closes: https://bugs.gentoo.org/814344
Closes: https://bugs.gentoo.org/881651
Signed-off-by: Andrew Ammerlaan
---
eclass/kernel-build.eclass | 26 +++---
1 file changed, 23 insertions(+), 3 deletions(-)
diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index da215a055a467..abfb01720817a 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -1,4 +1,4 @@
-# Copyright 2020-2022 Gentoo Authors
+# Copyright 2020-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
# @ECLASS: kernel-build.eclass
@@ -41,6 +41,8 @@ BDEPEND="
app-alternatives/yacc
"
+IUSE="+strip"
+
# @FUNCTION: kernel-build_src_configure
# @DESCRIPTION:
# Prepare the toolchain for building the kernel, get the default .config
@@ -83,7 +85,7 @@ kernel-build_src_configure() {
LD="${LD}"
AR="$(tc-getAR)"
NM="$(tc-getNM)"
- STRIP=":"
+ STRIP="$(tc-getSTRIP)"
OBJCOPY="$(tc-getOBJCOPY)"
OBJDUMP="$(tc-getOBJDUMP)"
@@ -176,8 +178,18 @@ kernel-build_src_install() {
targets+=( dtbs_install )
fi
+ # Use the kernel build system to strip, this ensures the modules
+ # are stripped *before* they are signed or compressed.
+ local strip_args
+ if use strip; then
+ strip_args="--strip-unneeded"
+ fi
+ # Modules were already stripped by the kernel build system
+ dostrip -x /lib/modules
+
emake O="${WORKDIR}"/build "${MAKEARGS[@]}" \
- INSTALL_MOD_PATH="${ED}" INSTALL_PATH="${ED}/boot"
"${targets[@]}"
+ INSTALL_MOD_PATH="${ED}" INSTALL_MOD_STRIP="${strip_args}" \
+ INSTALL_PATH="${ED}/boot" "${targets[@]}"
# note: we're using mv rather than doins to save space and time
# install main and arch-specific headers first, and scripts
@@ -217,6 +229,14 @@ kernel-build_src_install() {
local image_path=$(dist-kernel_get_image_path)
cp -p "build/${image_path}" "${ED}${kernel_dir}/${image_path}" || die
+ # If a key was generated, copy it so external modules can be signed
+ local suffix
+ for suffix in pem x509; do
+ if [[ -f "build/certs/signing_key.${suffix}" ]]; then
+ cp -p "build/certs/signing_key.${suffix}" "${ED}${kernel_dir}/certs"
|| die
+ fi
+ done
+
# building modules fails with 'vmlinux has no symtab?' if stripped
use ppc64 && dostrip -x "${kernel_dir}/${image_path}"
[gentoo-dev] Package up for grabs: dev-libs/gumbo
Hi, I originally added dev-libs/gumbo because it was a dependency for dev- ruby/nokogiri, but in the mean time nokogiri has bundled this package and modified it to fix various issues and better integrate it with nokogiri. Google's upstream version appears to be no longer maintained, it has been archived since 2023-02-15. This package still has some reverse dependencies: app-text/mupdf dev-perl/Alien-LibGumbo dev-qt/qt-creator mail-client/claws-mail There are no open bugs for it in Gentoo. Hans signature.asc Description: This is a digitally signed message part
[gentoo-dev] Packages up for grabs: x11-misc/lightdm-mini-greeter and x11-misc/xautolock
Hi, After migrating to Wayland I no longer have a need for these X packages. I have already removed myself as maintainer. x11-misc/lightdm-mini-greeter Has no open bugs. Up-to-date with upstream. x11-misc/xautolock Has one open bug that should be addressed upstream, but upstream is pretty much dead: https://bugs.gentoo.org/634766 Kind regards, Hans signature.asc Description: This is a digitally signed message part
