| Age | Commit message | Author |
|
Update done using:
```
git grep -l sys-libs/zlib sys-* | xargs sed -i -e s@sys-libs/zlib@virtual/zlib@g
git grep -l virtual/zlib-ng sys-* | xargs sed -i -e s@virtual/zlib-ng@sys-libs/zlib-ng@g
git diff --name-only | xargs copybump
git diff --name-only | xargs grep -l PYTHON_COMPAT | xargs gpy-impl -@dead
pkgcheck scan --commits -c SourcingCheck,VisibilityCheck --exit error
```
Plus reverts in sys-libs/minizip-ng, sys-libs/zlib-ng and profiles.
Signed-off-by: Michał Górny <mgorny@gentoo.org>
|
|
Closes: https://bugs.gentoo.org/963683
Signed-off-by: Michał Górny <mgorny@gentoo.org>
Part-of: https://github.com/gentoo/gentoo/pull/44021
Closes: https://github.com/gentoo/gentoo/pull/44021
Signed-off-by: Michał Górny <mgorny@gentoo.org>
|
|
Apparently this file sometimes exists, but is empty, in which case we
should not try to use it.
Closes: https://bugs.gentoo.org/963425
Signed-off-by: Nowa Ammerlaan <nowa@gentoo.org>
|
|
When the kernel is re-installed via pkg_config the certificate may
be gone. Detect if this is the case and if so try to extract the
certificate from the kernel install directory and use that for
verification later on in the (re-)install process.
Signed-off-by: Nowa Ammerlaan <nowa@gentoo.org>
|
|
The .pcrpkey section of the UKI should not contain a full certificate.
And therefore it is not correct to use it in sbverify. Instead use
the set SECUREBOOT_SIGN_CERT which will contain the certificate that
was used for signing in kernel-build.eclass. For gentoo-kernel-bin
we set this variable to the certificate that was used during build
and is included in the gpkg.
Signed-off-by: Nowa Ammerlaan <nowa@gentoo.org>
|
|
The gentoo-kernel-bin does not have IUSE=modules-sign, but it does
have signed modules if it was built with KERNEL_IUSE_MODULES_SIGN.
Enforce signature verification in the test phase for this case.
Signed-off-by: Nowa Ammerlaan <nowa@gentoo.org>
|
|
Since we remove /usr/src/linux-KV_FULL but by design keep the
/lib/modules/KV_FULL, we end up with some dead symlinks after
depcleaning a dist-kernel. This has the unfortunate side effect of
tricking systemd's kernel-install into thinking that a kernel image
for this kernel still exists. Which leads to some ugliness further
down the line. We can easily resolve the problem by cleaning up these
dead symlinks.
Signed-off-by: Nowa Ammerlaan <nowa@gentoo.org>
|
|
This avoids accidentally installing a kernel image or generic UKI with an
invalid signature in both gentoo-kernel and gentoo-kernel-bin. This means we
will catch regressions such as described below earlier, notably it will now
error out when building the binpkgs for gentoo-kernel-bin.
We also add some logic to recover from the case where the kernel image is
larger than it should be. This may be the case with ukify>=257 because starting
from this version onwards the space that the kernel needs to extract and run
is reserved in the .linux section of the UKI as padding. Objcopy unfortunately
copies this padding along with the rest of the data, invalidating the signature.
In previous versions of ukify this was not an issue because the .linux section
was always the last section in the UKI and you could therefore usually get away
with not reserving the extra required space.
Sbverify helpfully reports a warning about this padding with the exact size
the kernel image should have. We use this to strip the padding from the
kernel image, and verify if the signature problem is now resolved. There may be
a better way to do this that does not involve parsing the output of sbverify,
but I have not been able to find any.
See-also: https://github.com/systemd/systemd/issues/35851
See-also: https://forums.gentoo.org/viewtopic-t-1172386.html
Signed-off-by: Nowa Ammerlaan <nowa@gentoo.org>
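The padding recovery described above, as an added example that is not code from kernel-install.eclass: it takes the size sbverify reports the image should have (how that output is parsed is not shown here) and truncates the extracted image only when every removed byte is zero, so an image that is the wrong size for any other reason is refused rather than silently "fixed". The sample image is constructed.

```python
"""Strip trailing zero padding from an extracted kernel image.

Added example, not code from kernel-install.eclass. The expected size is
the value sbverify reports in its warning; parsing that output is not shown.
"""
from pathlib import Path


class PaddingError(ValueError):
    """Raised when the image cannot safely be reduced to the expected size."""


def strip_padding(image: bytes, expected_size: int) -> bytes:
    """Return the image truncated to expected_size if the removed tail is zero.

    Only zero bytes count as padding: if anything non-zero sits beyond
    expected_size the size mismatch has another cause and we refuse to touch it.
    """
    if expected_size <= 0:
        raise PaddingError("expected size must be positive")
    if expected_size > len(image):
        raise PaddingError(
            f"image is {len(image)} bytes, shorter than expected {expected_size}"
        )
    tail = image[expected_size:]
    if any(tail):  # any non-zero byte means this is not reserved padding
        raise PaddingError("bytes beyond the expected size are not zero padding")
    return image[:expected_size]


def strip_padding_file(path: Path, expected_size: int) -> int:
    """Truncate the file in place; return the number of bytes removed."""
    data = path.read_bytes()
    stripped = strip_padding(data, expected_size)
    if len(stripped) != len(data):
        path.write_bytes(stripped)
    return len(data) - len(stripped)


if __name__ == "__main__":
    import tempfile

    # Constructed sample: a 16-byte stand-in for the kernel image followed by
    # 4096 zero bytes, mimicking the space ukify>=257 reserves in .linux.
    payload = bytes(range(16))
    with tempfile.TemporaryDirectory() as tmp:
        img = Path(tmp) / "vmlinuz"
        img.write_bytes(payload + b"\0" * 4096)
        removed = strip_padding_file(img, len(payload))
        print(f"removed {removed} bytes, image is now {img.stat().st_size} bytes")
        assert img.read_bytes() == payload
```

After truncation the image is handed back to sbverify, as the commit describes, and only a clean second verification is accepted.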
|
|
The kernel build system supports generating a new module signing key if the
CONFIG_MODULE_SIG_KEY is set to the default value (MODULES_SIGN_KEY is not set)
and no key exists at that default location.
This results in the unfortunate situation where private key material ends up
in generated binary packages. That is almost never what you want since binary
packages are usually readable by regular users. To avoid this we move the key
out of the ED in the install phase, and move it back in the preinst phase after
the binary package has been built.
This also means that when distributing built binary packages to other systems
the signing key will now never be installed onto all those other systems, which
is probably what you want anyway.
Note, there is no change for folks who use externally managed keys, i.e. for
everyone who has MODULES_SIGN_KEY, MODULE_SIGN_CERT set.
Signed-off-by: Nowa Ammerlaan <nowa@gentoo.org>
Closes: https://github.com/gentoo/gentoo/pull/40017
Signed-off-by: Nowa Ammerlaan <nowa@gentoo.org>
|
|
Closes: https://bugs.gentoo.org/947359
Signed-off-by: Nowa Ammerlaan <nowa@gentoo.org>
|
|
Before this change the kernel installation is silently skipped in all cases.
Using sys-kernel/installkernel to generate an initramfs/uki will indeed be
a huge mess so when an initramfs is requested we now print a helpful error
message. If we do not want an initramfs, or the initramfs/uki was generated
with portage using USE=generic-uki then we can safely try to install the kernel.
Installkernel-50 is capable of dealing with this situation in most cases, but it
will print a bunch of warnings since plugins are skipped. Bootloader
configuration, for example, cannot be updated in this case.
For kernel modules we can also safely make this change, all modules that can be
in the initramfs have the initramfs flag and if it is enabled then we will also
hit this error message.
End result of this change is more verbosity when kernel installation is skipped
and basic support for installing the kernel with --root set for simple
configurations (no initramfs or generic-uki with compat layout or uki layout).
Signed-off-by: Nowa Ammerlaan <nowa@gentoo.org>
Closes: https://github.com/gentoo/gentoo/pull/38842
Signed-off-by: Michał Górny <mgorny@gentoo.org>
|
|
systemd 257's ukify gains the ability to specify multiple "profiles" for a
UKI. This allows us to finally solve Bug 921195, which made it impossible to
simultaneously enforce verification of the kernel image (secureboot) and
enforce verification of the kernel modules (lockdown=integrity).
We also add a profile for "quiet splash", and change KERNEL_GENERIC_UKI_CMDLINE
to add another profile instead of overwriting the built-in kernel cmdline. To
support splash we add the plymouth and drm dracut modules but omit the drm
kernel modules that pull in huge firmware files. This will result in a less
visually smooth boot, but significantly decreases the size of the image.
Ukify can now also pass on the signing engine argument to systemd-measure
which enables the usage of pkcs11 URIs for measured boot.
Minimal version of systemd for USE=generic-uki is bumped to 257.
Closes: https://bugs.gentoo.org/921195
Signed-off-by: Nowa Ammerlaan <nowa@gentoo.org>
Signed-off-by: Michał Górny <mgorny@gentoo.org>
|
|
Closes: https://bugs.gentoo.org/940905
Signed-off-by: Nowa Ammerlaan <nowa@gentoo.org>
|
|
From the manual:
If you do not specify outfile, objcopy creates a temporary file and
destructively renames the result with the name of infile.
We don't want that. Unfortunately we cannot use /dev/null as the dump target,
since objcopy complains, so we dump it in T instead.
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
|
|
Closes: https://github.com/gentoo/gentoo/pull/37652
Signed-off-by: David Seifert <soap@gentoo.org>
|
|
Signed-off-by: David Seifert <soap@gentoo.org>
|
|
We ship the kernel in gentoo-kernel-bin in the form of a UKI, using
objcopy we extract from this the kernel image (and if desired the
generic initramfs).
However, llvm-objcopy does not properly handle the -O argument and as a
result the extracted kernel image is of the same file type as the UKI
(i.e. a PE32+ executable) instead of a regular kernel image. This causes
issues in bootloaders such as grub, which differentiate between loading
a normal kernel image and loading an EFI executable (such as a UKI).
It also causes the signature verification to fail since the kernel
image is bigger than it should be due to the additional headers.
Using the --dump-section argument instead resolves this problem.
See-also: https://github.com/llvm/llvm-project/issues/108946
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Closes: https://github.com/gentoo/gentoo/pull/38643
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
|
|
(de)compressing modules changes the path of the module files so we need to
run depmod to ensure that tools such as modprobe/modinfo work.
Note that depmod is often, but *not* always, run by sys-kernel/installkernel.
Systemd installs a hook to do this, but there is no equivalent on openrc
systems. So instead just ensure that the tree of modules we install is
consistent here in the eclass.
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
|
|
The source symlink does not exist on all systems.
If we can't find any config at all then there will be no preferred suffix
which means we fall back to the old '-nt' based cleaning.
Closes: https://bugs.gentoo.org/937569
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Closes: https://github.com/gentoo/gentoo/pull/38016
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
|
|
Adjusts kernel-install_compress_modules to use the new function
dist-kernel_get_module_suffix. This makes no functional difference
at the moment since gentoo-kernel-bin is the only consumer and it has
XZ compression in the config. Still this makes it possible to compile
alternate prebuilt kernels with alternate module compression support, and may
in the future help to support gzip and zstd module compression in
gentoo-kernel-bin.
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
|
|
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
|
|
The kernels 'make rpm-pkg' and 'make deb-pkg' install the config
and System.map into the modules directory for easy access. Let's
do the same here so our gpkgs are more symmetric to rpms and
debs, and tools that look for these files there can find them.
This also provides an easy location for the user to access the
config, considering that /boot/config-x.y.z does not always
exist (the config installation via /sbin/installkernel depends
on layout and +/-systemd configuration).
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Closes: https://github.com/gentoo/gentoo/pull/37684
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
|
|
Now that we have an improved version check in kernel-build.eclass,
copy it here so that the two eclasses match.
Signed-off-by: James Calligeros <jcalligeros99@gmail.com>
Closes: https://github.com/gentoo/gentoo/pull/37327
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
|
|
dist-kernel releases are required to match the package's version, with
'_' substituted for '-' as per kernel release format rules. Curiously,
we made no such substitution on the kernel install directory names.
The consequence of this is that Catalyst has technically only been
working with dist-kernels by pure coincidence - it had never been tested
with kernels containing '_' in ${PV}. When attempting to build install
media for the Gentoo Asahi project, which necessitates using kernels
versioned with '_p*', Catalyst's call to Dracut's --kver argument
passes in the name of the source directory while Dracut expects
the kernel release (module directory).
Make sure that all directories installed by the kernel match the
kernel's own idea of its version exactly. This fixes Catalyst and
makes directories like /usr/src/linux-* consistent with /lib/modules.
For compatibility with existing bin kernels, KV_FULL will be
set to ${PV}${KV_LOCALVERSION} in kernel-install.eclass if it
has not been explicitly set elsewhere.
Signed-off-by: James Calligeros <jcalligeros99@gmail.com>
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
|
|
Signed-off-by: Zen <z@pyl.onl>
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
|
|
ebuilds and eclasses using dist-kernel_reinstall_initramfs should also
have the check for mounted /boot and ESP. We can do this safely via
mount-boot-utils.eclass which does not export any phases.
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
|
|
The kernel build system sets the permissions on the kernel
image to 644. However objcopy creates a file with permissions
755. This causes a discrepancy in the permissions on the
installed kernel image between +generic-uki,-generic-uki and
between gentoo-kernel, gentoo-kernel-bin.
Restore the symmetry by explicitly setting the objcopy'ed
files' permissions to 644.
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Closes: https://github.com/gentoo/gentoo/pull/35214
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
|
|
and also link generic initrd/uki.efi
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
|
|
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
|
|
Closes: https://bugs.gentoo.org/922185
Signed-off-by: Michał Górny <mgorny@gentoo.org>
Closes: https://github.com/gentoo/gentoo/pull/34843
Signed-off-by: Michał Górny <mgorny@gentoo.org>
|
|
it is not strictly necessary, i.e. we might also want to just use the
generic initrd. Or install the uki in the grub layout. But more importantly
this requirement creates a bit of an unfortunate conflict in binpkg-docker
that would otherwise have to be resolved with manual overrides of install.conf.
See-also: https://github.com/projg2/binpkg-docker/pull/7
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
|
|
and switch order since we are deprecating installkernel-systemd and
have moved this functionality into installkernel(-gentoo).
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
|
|
Bug: https://bugs.gentoo.org/917145
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
|
|
because we drop the generation of the initrd/uki here
we can remove KERNEL_IUSE_SECUREBOOT since this is now
exactly the same as KERNEL_IUSE_MODULES_SIGN
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
|
|
Signed-off-by: Michał Górny <mgorny@gentoo.org>
|
|
Signed-off-by: Michał Górny <mgorny@gentoo.org>
|
|
plymouth pulls in drm, and drm includes all gpu drivers and their firmware;
especially the firmware files are very big. The whole thing costs us
15M on each initrd, and therefore gpkg. Also exclude the netronome
drivers, these also have ridiculously large firmware files.
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Signed-off-by: Michał Górny <mgorny@gentoo.org>
|
|
Add a function to compress modules manually. It will be used
in sys-kernel/gentoo-kernel-bin.
Signed-off-by: Michał Górny <mgorny@gentoo.org>
|
|
When KERNEL_IUSE_GENERIC_UKI is set (to gatekeep for new ebuilds),
enable XZ module compression in kernel and add IUSE=module-compress.
When the flag is enabled, the modules are installed .xz compressed
per the config. When it is disabled, they are installed uncompressed
but the kernel retains module compression support.
Signed-off-by: Michał Górny <mgorny@gentoo.org>
|
|
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Closes: https://github.com/gentoo/gentoo/pull/34450
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
|
|
Some basic benchmarks:
```
-rw------- 1 root root 103494321 Dec 24 11:10 bzip2
-rw------- 1 root root 112179814 Dec 24 11:02 gzip-nostrip
-rw------- 1 root root 112179814 Dec 24 11:06 gzip-strip
-rw------- 1 root root 112179814 Dec 24 11:08 gzip-strip-aggressive
-rw------- 1 root root 130847597 Dec 24 11:19 lz4
-rw------- 1 root root 66948253 Dec 24 11:13 lzma
-rw------- 1 root root 124285638 Dec 24 11:18 lzop
-rw------- 1 root root 80242444 Dec 24 11:14 xz
-rw------- 1 root root 66744036 Dec 24 11:59 xz-9e--check
-rw------- 1 root root 85917687 Dec 24 11:20 zstd
```
Strip does nothing, which makes sense since portage already did this.
xz is our size champion so pick this one to compress our initrd.
With this change the generic UKI is: 82515840, versus
my own hostonly UKI of the same kernel version: 29390720.
Which is still 2.8 times larger, but significantly better than the 5 times
larger we had before!
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Closes: https://github.com/gentoo/gentoo/pull/34024
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
|
|
- optionally build a generic unified kernel image
- only install this uki.efi in any binary generated binpkgs, this saves space
- extract the initrd and kernel image from the uki in pkg_postinst
- own image, initrd and uki install paths
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Signed-off-by: Michał Górny <mgorny@gentoo.org>
|
|
Right now the loong profiles in Gentoo only cover the 64-bit ISA, so we
can unconditionally specify loongarch64 for QEMU.
Signed-off-by: WANG Xuerui <xen0n@gentoo.org>
|
|
On systemd systems the dracut systemd modules are included automatically.
Systemd insists our dummy root has some valid /etc/os-release file, otherwise
it refuses the switch root operation. However, with this fix it still does not
boot up correctly on systemd systems, it gets stuck in an infinite boot loop.
Presumably the reason has something to do with our dummy root not having a real
systemd init to switch root to. We add the systemd dracut modules to the omit
list to prevent the problem and ensure the test phase behaves the same on
systemd and non-systemd systems.
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
|
|
We only need to call dracut to generate an initrd/uki if we are using
<=sys-kernel/installkernel-gentoo-7. sys-kernel/installkernel-systemd
already calls dracut via its plugin system if it is installed.
sys-kernel/installkernel-gentoo-8[dracut] now also contains the code
required to generate an initrd or uki.
This change makes it possible for users to use other/custom initrd
generators with our dist kernels if they are using installkernel-systemd.
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
|
|
Nowadays the name of the unified kernel image is always uki.efi,
not initrd.uefi.
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
|
|
059-r4 contains the fixes to the kernel-install plugin that we need
to be able to drop a workaround in dist-kernel-utils.eclass
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
|
|
sys-kernel/installkernel-systemd
This better reflects that we don't necessarily need the systemd bootloader
to use the systemd kernel-install system.
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
|
|
This only has effect when building the gpkg for gentoo-kernel-bin which
overrides CONFIG_MODULE_SIG_FORCE. To ensure that the module signing
was successful we instruct the kernel to reject modules with an invalid
signature.
This has no effect on other kernel packages which already have
CONFIG_MODULE_SIG_FORCE=y.
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Closes: https://github.com/gentoo/gentoo/pull/32463
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
|
|
Signed-off-by: Sam James <sam@gentoo.org>
|