| author | Nowa Ammerlaan <nowa@gentoo.org> | 2025-01-09 19:22:39 +0100 |
|---|---|---|
| committer | Nowa Ammerlaan <nowa@gentoo.org> | 2025-01-10 17:44:19 +0100 |
| commit | 422a7e51c1e1a7774e406e3f0856b4e415fee46f (patch) | |
| tree | 93bf71d3be96812f57dc86f565462ea46cc3f39b /dev-python/bpython/metadata.xml | |
| parent | e0a107e8830ad417961531a67731e5ab6562849f (diff) | |

kernel-install.eclass: verify uki/kernel image before installing

This avoids accidentally installing a kernel image or generic UKI with an
invalid signature in both gentoo-kernel and gentoo-kernel-bin. This means we
will catch regressions such as described below earlier, notably it will now
error out when building the binpkgs for gentoo-kernel-bin.

We also add some logic to recover from the case where the kernel image is
larger than it should be. This may be the case with ukify>=257 because starting
from this version onwards the space that the kernel needs to extract and run
is reserved in the .linux section of the UKI as padding. Objcopy unfortunately
copies this padding along with the rest of the data, invalidating the signature.
In previous versions of ukify this was not an issue because the .linux section
was always the last section in the UKI and you could therefore usually get away
with not reserving the extra required space.

Sbverify helpfully reports a warning about this padding with the exact size
the kernel image should have. We use this to strip the padding from the
kernel image, and verify if the signature problem is now resolved. There may be
a better way to do this that does not involve parsing the output of sbverify,
but I have not been able to find any.

See-also: https://github.com/systemd/systemd/issues/35851
See-also: https://forums.gentoo.org/viewtopic-t-1172386.html
Signed-off-by: Nowa Ammerlaan <nowa@gentoo.org>

Diffstat (limited to 'dev-python/bpython/metadata.xml')
0 files changed, 0 insertions, 0 deletions
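
The recovery step the commit message describes, sketched as an added example; this is not the eclass code, which is not shown on this page. Assumptions: the warning line format `data remaining[<expected> vs <actual>]` with the first number being the size the image should have, and all function names, which are hypothetical.

```shell
# Added example, not the code from kernel-install.eclass.
# ASSUMPTION: sbverify reports trailing padding with a line shaped like
#   warning: data remaining[<expected> vs <actual>]: gaps between PE/COFF sections?
# and <expected> is the size the signed image should have.

# Print the expected size found in captured sbverify output ($1).
# Prints nothing when no such warning is present.
expected_size_from_warning() {
    printf '%s\n' "$1" |
        sed -n 's/.*data remaining\[\([0-9][0-9]*\) vs [0-9][0-9]*\].*/\1/p' |
        head -n 1
}

# Write a copy of image $1, cut to the expected size, to $2.
# $3 is the captured sbverify output. The original file is never modified.
strip_padding() {
    sp_want=$(expected_size_from_warning "$3")
    [ -n "$sp_want" ] || return 1            # no padding warning: nothing to recover
    sp_have=$(($(wc -c < "$1")))             # arithmetic strips any whitespace from wc
    # Only ever shrink, and never to an empty file; anything else is not
    # the padding case and must stay a hard failure.
    [ "$sp_want" -gt 0 ] && [ "$sp_want" -lt "$sp_have" ] || return 1
    head -c "$sp_want" "$1" > "$2"
}

# Verify image $2 against certificate $1. On failure, retry exactly once on a
# padding-stripped copy; the final sbverify exit status decides the outcome.
verify_with_recovery() {
    vr_out=$(sbverify --cert "$1" "$2" 2>&1) && return 0
    strip_padding "$2" "$2.stripped" "$vr_out" || return 1
    sbverify --cert "$1" "$2.stripped"
}
```

The stripped copy is trusted only because `sbverify` is run again on it; the size parsed from the warning is never treated as evidence that the signature is valid.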
