authorNowa Ammerlaan <nowa@gentoo.org>2025-09-25 18:40:46 +0200
committerNowa Ammerlaan <nowa@gentoo.org>2025-09-25 18:53:01 +0200
commitfb7a681e9cc8bc15b8fc11ceac5d41210c91b30a (patch)
tree632e15c14a03a41f2ae5817be6bb30bac5f2f185 /eclass/kernel-install.eclass
parent179441b83c1d64c5c43e45a1ea43eafb4e86ade8 (diff)
kernel-install.eclass: ensure a secureboot cert is always set
When the kernel is re-installed via pkg_config the certificate may be gone. Detect if this is the case and if so try to extract the certificate from the kernel install directory and use that for verification later on in the (re-)install process. Signed-off-by: Nowa Ammerlaan <nowa@gentoo.org>
Diffstat (limited to 'eclass/kernel-install.eclass')
-rw-r--r--eclass/kernel-install.eclass9
1 files changed, 9 insertions, 0 deletions
diff --git a/eclass/kernel-install.eclass b/eclass/kernel-install.eclass
index 35254b357005..7fd714111daf 100644
--- a/eclass/kernel-install.eclass
+++ b/eclass/kernel-install.eclass
@@ -728,11 +728,20 @@ kernel-install_install_all() {
local dir_ver=${1}
local kernel_dir=${EROOT}/usr/src/linux-${dir_ver}
local relfile=${kernel_dir}/include/config/kernel.release
+ local kernel_cert=${kernel_dir}/certs/signing_key.x509
local image_path=$(dist-kernel_get_image_path)
local image_dir=${image_path%/*}
local module_ver
module_ver=$(<"${relfile}") || die
+ if [[ ! -r ${SECUREBOOT_SIGN_CERT} && -r ${kernel_cert} ]]; then
+ openssl x509 \
+ -inform DER -in "${kernel_cert}" \
+ -outform PEM -out "${T}/cert.pem" ||
+ die "Failed to convert kernel certificate to PEM format"
+ export SECUREBOOT_SIGN_CERT=${T}/cert.pem
+ fi
+
if [[ ${KERNEL_IUSE_GENERIC_UKI} ]]; then
if use generic-uki; then
# Populate placeholders
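Review bot: The fallback guarded by `[[ ! -r ${SECUREBOOT_SIGN_CERT} && -r ${kernel_cert} ]]` also fires when SECUREBOOT_SIGN_CERT is set but points at a mistyped or unreadable path, and it then replaces the configured certificate without telling the user. The substitute is read from the same `${kernel_dir}` tree whose artifacts are being installed, so a later verification against it presumably shows only that the image is consistent with that tree, not that it was signed with the administrator's chosen key. I would log the switch before the export, e.g. `ewarn "SECUREBOOT_SIGN_CERT is not readable, verifying against ${kernel_cert} instead"`, and consider limiting the silent fallback to the case where the variable is empty. A short comment above the `if` explaining that this path exists for pkg_config re-installs would also help; the body of kernel-install_install_all continues outside this hunk, so how the exported value is consumed is not visible here.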