From 10dc8ce4f83c24c5878621aa25cb4be298e2b09c Mon Sep 17 00:00:00 2001
From: Petronio Coelho
Date: Sat, 27 Apr 2019 18:03:06 +0300
Subject: [PATCH 1/4] Add support for automatically signing external modules
---
buildkernel | 30 ++++++++++++++++++++++++++++++
buildkernel.conf | 8 ++++++++
buildkernel.conf.5 | 20 ++++++++++++++++++++
3 files changed, 58 insertions(+)
diff --git a/buildkernel b/buildkernel
index a67157c..4930833 100755
--- a/buildkernel
+++ b/buildkernel
@@ -109,6 +109,7 @@ GPGBUILDDIR="/root/tmpgpgbuild"
TMPGPGPATH="${GPGBUILDDIR}/usr/bin/gpg"
declare -i USINGUSBKEYFOREFI=0
declare -i BACKUPOLDKERNEL=1
+declare -i BUILT_EXTERNAL_MODULES=1
EFIPARTNAME="EFI boot partition"
DEFAULTKEYMAP="us"
@@ -423,6 +424,29 @@ source_etc_conf_file() {
if [[ -v INITSYSTEM ]]; then
INITSYSTEM="${INITSYSTEM,,}"
fi
+ # perform checks on KERNEL_SIGNING_CERT and KERNEL_SIGNING_KEY
+ if [[ -v KERNEL_SIGNING_CERT ]]; then
+ if [[ ! -v KERNEL_SIGNING_KEY ]]; then
+ die "Cannot proceed; KERNEL_SIGNING_CERT is configured, but KERNEL_SIGNING_KEY is not."
+ fi
+ if [[ "${KERNEL_SIGNING_CERT}" == "auto" || "${KERNEL_SIGNING_KEY}" == "auto" ]]; then
+ if [[ "${KERNEL_SIGNING_CERT}" != "${KERNEL_SIGNING_KEY}" ]]; then
+ die "Cannot proceed; in automatic external module signing mode, both KERNEL_SIGNING_CERT and KERNEL_SIGNING_KEY must be set to \"auto\""
+ fi
+ KERNEL_SIGNING_CERT="${LINUXDIR}/certs/signing_key.x509"
+ KERNEL_SIGNING_KEY="${LINUXDIR}/certs/signing_key.pem"
+ else
+ if [[ ! -f KERNEL_SIGNING_CERT ]]; then
+ die "Cannot proceed; KERNEL_SIGNING_CERT is not a valid path to a file."
+ fi
+ if [[ ! -f KERNEL_SIGNING_KEY ]]; then
+ die "Cannot proceed; KERNEL_SIGNING_KEY is not a valid path to a file."
+ fi
+ fi
+ fi
+ if [[ -v KERNEL_SIGNING_KEY && ! -v KERNEL_SIGNING_CERT ]]; then
+ die "Cannot proceed; KERNEL_SIGNING_KEY is configured, but KERNEL_SIGNING_CERT is not."
+ fi
}
setup_final_variables() { # post-processing once buildkernel.conf loaded
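Review bot: In the `auto` branch of the new KERNEL_SIGNING_CERT/KERNEL_SIGNING_KEY checks, the resolved `${LINUXDIR}/certs/signing_key.x509` and `signing_key.pem` paths are assigned but never tested, because the `-f` tests live only in the `else` branch; a tree whose kernel config does not produce these files is therefore not caught here and every later `sign-file` call will fail on a missing key. Since in auto mode the key pair is presumably generated by the kernel build itself (so it may legitimately not exist yet when the conf is sourced), the existence check belongs at the point of use, immediately before the signing loop: `[[ -f "${KERNEL_SIGNING_KEY}" && -f "${KERNEL_SIGNING_CERT}" ]] || die "Cannot proceed; module signing key or certificate not found"`. I would also put a comment above the two `auto` assignments making the deferred validation explicit, e.g. `# auto paths are produced by the kernel build; their existence is checked just before signing`. source_etc_conf_file() begins before this hunk.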
@@ -1818,8 +1842,14 @@ rebuild_external_modules_if_necessary() {
else
warning "Failed to complete emerge @module-rebuild due to error"
warning "Continuing..."
+ BUILT_EXTERNAL_MODULES=0
fi
fi
+ if [[ ${BUILT_EXTERNAL_MODULES}==1 && -v KERNEL_SIGNING_CERT ]] ; then
+ for EXTERNAL_MODULE in `find /lib/modules/${NEWVERSION#"linux-"}/* -type f -name '*.ko' -not -path '*/kernel/*'`; do
+ "${LINUXDIR}/scripts/sign-file" sha512 "${KERNEL_SIGNING_KEY}" "${KERNEL_SIGNING_CERT}" "${EXTERNAL_MODULE}"
+ done
+ fi
fi
}
create_initramfs_using_genkernel() {
diff --git a/buildkernel.conf b/buildkernel.conf
index ac4a008..4eb0498 100644
--- a/buildkernel.conf
+++ b/buildkernel.conf
@@ -83,6 +83,14 @@ # however, doing so should not be necessary.
#CMDLINE_ROOTFSTYPE="ext4"
+# if you sign your kernel modules, configure the signing certificate and key
+# paths to sign external modules as well once built. Setting the variables to
+# "auto" will use the kernel's automatically generated certificate and key if
+# you have configured it to generate them. By default the variable is unset and
+# modules will not be signed.
+#KERNEL_SIGNING_CERT="auto"
+#KERNEL_SIGNING_KEY="auto"
+
# if you need to conform the config file for some reason, uncomment this
# hook function and fill it out to suit your requirements
# NB you should only really need to do this to override a setting forced
diff --git a/buildkernel.conf.5 b/buildkernel.conf.5
index b634371..8cd7d57 100644
--- a/buildkernel.conf.5
+++ b/buildkernel.conf.5
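Review bot: The guard `[[ ${BUILT_EXTERNAL_MODULES}==1 && -v KERNEL_SIGNING_CERT ]]` never evaluates the flag: without spaces around `==`, `${BUILT_EXTERNAL_MODULES}==1` expands to a single non-empty word (`0==1` or `1==1`) that `[[ ]]` treats as true, so signing is attempted even after the `emerge @module-rebuild` failure that sets the flag to 0 a few lines above. The loop also discards sign-file's exit status, so a module left unsigned (which a kernel built with CONFIG_MODULE_SIG_FORCE would refuse to load) goes unreported, and iterating over unquoted backtick output splits paths on whitespace. I would rewrite the block as below, with an arithmetic test for the flag, a NUL-delimited read loop, and at least a `warning` on signing failure (or `die`, if an unsigned external module should abort the build in this setup). The hash is hard-coded to `sha512`; whether the target kernel has that algorithm built in is not visible here, so reading it from CONFIG_MODULE_SIG_HASH in the kernel .config may be safer. rebuild_external_modules_if_necessary() begins before this hunk.
```shell
    if (( BUILT_EXTERNAL_MODULES == 1 )) && [[ -v KERNEL_SIGNING_CERT ]]; then
        while IFS= read -r -d '' EXTERNAL_MODULE; do
            "${LINUXDIR}/scripts/sign-file" sha512 "${KERNEL_SIGNING_KEY}" "${KERNEL_SIGNING_CERT}" "${EXTERNAL_MODULE}" || \
                warning "Failed to sign external module ${EXTERNAL_MODULE}"
        done < <(find "/lib/modules/${NEWVERSION#linux-}" -type f -name '*.ko' -not -path '*/kernel/*' -print0)
    fi
```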
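Review bot: The new KERNEL_SIGNING_CERT/KERNEL_SIGNING_KEY commentary in buildkernel.conf explains how to point at a certificate and key, but not the constraint that makes the feature useful: a module signature is only honoured if the signing certificate is in the kernel's trusted keyring, so for non-`auto` values the certificate must be the one built into the kernel (typically via CONFIG_SYSTEM_TRUSTED_KEYS), otherwise the signed modules are treated as unsigned. It would also help to state that `auto` reads the private key from the kernel source tree, which should stay root-only and is removed by a `make mrproper`. I would add after the existing comment block: `# NB the certificate must be one the kernel trusts (e.g. the one embedded via` / `# CONFIG_SYSTEM_TRUSTED_KEYS); signatures made with any other key are not honoured.`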
@@ -194,6 +194,26 @@ automatically detect the filesystem type of \fBCMDLINE_REAL_ROOT\fR (falling back to \fBext4\fR, in case of error). Most users will not need to override the default.
+.br
+.TP
+.BR KERNEL_SIGNING_CERT
+If you sign your kernel modules, set this to the path for the signing
+certificate so that your external modules are signed after being built.
+Setting to \fBauto\fR uses the kernel's automatically generated signing
+certificate if you have configured it to generate it.
+
+By default this is not set and causes external modules to not be signed.
+Requires that the \fBKERNEL_SIGNING_KEY\fR variable is set.
+.br
+.TP
+.BR KERNEL_SIGNING_KEY
+If you sign your kernel modules, set this to the path for the signing key so
+that your external modules are signed after being built. Setting to \fBauto\fR
+uses the kernel's automatically generated signing key if you have configured it
+to generate it.
+
+By default this is not set and causes external modules to not be signed.
+Requires that the \fBKERNEL_SIGNING_CERT\fR variable is set.
.RE
.SH FUNCTIONS
From 45f6517b2be4bb89b0c59787a075559254d6a6be Mon Sep 17 00:00:00 2001
From: Petronio Coelho
Date: Sat, 27 Apr 2019 20:16:03 +0300
Subject: [PATCH 2/4] Bump version to 1.0.34
---
buildkernel | 2 +-
buildkernel.8 | 2 +-
buildkernel.conf.5 | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/buildkernel b/buildkernel
index 4930833..cea2080 100755
--- a/buildkernel
+++ b/buildkernel
@@ -31,7 +31,7 @@ shopt -s nullglob
# ********************** variables *********************
PROGNAME="$(basename "${0}")"
CONFFILE="/etc/${PROGNAME}.conf"
-VERSION="1.0.33"
+VERSION="1.0.34"
ETCPROFILE="/etc/profile"
DEFAULTEFIBOOTFILE="bootx64.efi"
EFIBOOTFILE="${DEFAULTEFIBOOTFILE}"
diff --git a/buildkernel.8 b/buildkernel.8
index b638aec..aceb1f2 100644
--- a/buildkernel.8
+++ b/buildkernel.8
@@ -1,4 +1,4 @@
-.TH BUILDKERNEL 8 "Version 1.0.33: October 2018"
+.TH BUILDKERNEL 8 "Version 1.0.34: April 2019"
.SH NAME
buildkernel \- build secure boot kernel, save to EFI system partition
.SH SYNOPSIS
diff --git a/buildkernel.conf.5 b/buildkernel.conf.5
index 8cd7d57..199be3b 100644
--- a/buildkernel.conf.5
+++ b/buildkernel.conf.5
@@ -1,4 +1,4 @@
-.TH BUILDKERNEL 5 "Version 1.0.33: October 2018"
+.TH BUILDKERNEL 5 "Version 1.0.34: April 2019"
.SH NAME
buildkernel.conf \- a configuration file for \fBbuildkernel\fR(8)
.SH SYNOPSIS
From e609d27e81c858ffaaeff653147e42f3727abe9d Mon Sep 17 00:00:00 2001
From: Petronio Coelho
Date: Sat, 27 Apr 2019 22:16:38 +0300
Subject: [PATCH 3/4] Correct file tests
---
buildkernel | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/buildkernel b/buildkernel
index cea2080..ed58064 100755
--- a/buildkernel
+++ b/buildkernel
@@ -436,10 +436,10 @@ source_etc_conf_file() {
KERNEL_SIGNING_CERT="${LINUXDIR}/certs/signing_key.x509"
KERNEL_SIGNING_KEY="${LINUXDIR}/certs/signing_key.pem"
else
- if [[ ! -f KERNEL_SIGNING_CERT ]]; then
+ if [[ ! -f "${KERNEL_SIGNING_CERT}" ]]; then
die "Cannot proceed; KERNEL_SIGNING_CERT is not a valid path to a file."
fi
- if [[ ! -f KERNEL_SIGNING_KEY ]]; then
+ if [[ ! -f "${KERNEL_SIGNING_KEY}" ]]; then
die "Cannot proceed; KERNEL_SIGNING_KEY is not a valid path to a file."
fi
fi
From 8097e3c34a496fc3a43238e9e4ff45d6b5674974 Mon Sep 17 00:00:00 2001
From: sakaki
Date: Sun, 28 Apr 2019 19:29:43 +0100
Subject: [PATCH 4/4] Note ability to sign modules in ALGORITHM DETAIL section.
---
buildkernel.8 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/buildkernel.8 b/buildkernel.8
index aceb1f2..fe44896 100644
--- a/buildkernel.8
+++ b/buildkernel.8
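Review bot: The corrected `-f` tests in the PATCH 3/4 hunk now check the expanded variables, but both `die` messages still omit the value that failed, so a typo in /etc/buildkernel.conf surfaces only as "is not a valid path to a file" with no hint of which path was tried; I would include it, e.g. `die "Cannot proceed; KERNEL_SIGNING_CERT (${KERNEL_SIGNING_CERT}) is not a valid path to a file."` and the same for the key. Note also that these tests still run only in the non-`auto` branch, so the `auto` paths assigned in the context lines just above are never verified in this function. source_etc_conf_file() starts and ends outside this hunk.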
@@ -61,7 +61,7 @@ cleans the kernel tree (if you specify \fB--clean\fR; you will be asked whether
.IP \(bu 2
builds the kernel, and its modules, with the specified configuration; in this first pass, an empty initramfs is used (since it must be incorporated in the kernel, to be protected by UEFI secure boot, but we don't have everything necessary to include in it, yet!);
.IP \(bu 2
-builds any external modules (such as those required for VirtualBox), using \fBemerge @module-rebuild\fR, if you so specify (using the option \fB--rebuild-external-modules\fR);
+builds any external modules (such as those required for VirtualBox), using \fBemerge @module-rebuild\fR, if you so specify (using the option \fB--rebuild-external-modules\fR), and optionally signs them (if you have set up the variables \fBKERNEL_SIGNING_CERT\fR and \fBKERNEL_SIGNING_KEY\fR in \fI/etc/buildkernel.conf\fR);
.IP \(bu 2
creates a first cut of the initramfs using \fBgenkernel\fR(8) (see below for more details); this will contain \fBgenkernel\fR(8)'s \fBinit\fR(8) script, compiled modules, any necessary firmware (if you haven't deblobbed), and a minimal set of binaries; it does \fInot\fR at this point contain a static copy of \fBgpg\fR;
.IP \(bu 2