diff --git a/main/abuild/0001-abuild-keygen-add-support-for-creating-kernel-signin.patch b/main/abuild/0001-abuild-keygen-add-support-for-creating-kernel-signin.patch
new file mode 100644
index 00000000000..31cec3d9631
--- /dev/null
+++ b/main/abuild/0001-abuild-keygen-add-support-for-creating-kernel-signin.patch
@@ -0,0 +1,166 @@
+From f2978eb33fcf961412169cbca757d42386899955 Mon Sep 17 00:00:00 2001
+From: Natanael Copa
+Date: Fri, 5 May 2023 12:03:01 +0200
+Subject: [PATCH] abuild-keygen: add support for creating kernel signing key
+
+We need to have a key that can be used to sign kernel modules and
+specifically 3rd party kernel modules. Add support for creating this key
+in abuild-keygen.
+
+ref: https://gitlab.alpinelinux.org/alpine/aports/-/issues/14873
+---
+ abuild-keygen.in | 44 +++++++++++++++++++++++++++++++++++++++-
+ tests/abuild_keygen_test | 14 ++++++++++++-
+ tests/bin/openssl | 17 +++++++++++++++-
+ 3 files changed, 72 insertions(+), 3 deletions(-)
+
+diff --git a/abuild-keygen.in b/abuild-keygen.in
+index d9ac0bc..1d1c775 100644
+--- a/abuild-keygen.in
++++ b/abuild-keygen.in
+@@ -90,6 +90,41 @@ do_keygen() {
+ msg ""
+ }
+ 
++do_kernel_key() {
++ mkdir -p "$ABUILD_USERDIR"
++ pem="$ABUILD_USERDIR"/kernel_signing_key.pem
++ (
++ umask 0007
++ # https://www.kernel.org/doc/html/v6.1/admin-guide/module-signing.html#generating-signing-keys
++ openssl req -verbose -new -nodes -utf8 -sha256 -days 36500 -batch -x509 \
++ -outform PEM -out "$pem" \
++ -keyout "$pem" -config - <<-EOF
++ [ req ]
++ default_bits = 4096
++ distinguished_name = req_distinguished_name
++ prompt = no
++ string_mask = utf8only
++ x509_extensions = myexts
++ 
++ [ req_distinguished_name ]
++ O = alpinelinux.org
++ CN = Alpine Linux kernel key
++ #emailAddress = unspecified.user@unspecified.company
++ 
++ [ myexts ]
++ basicConstraints=critical,CA:FALSE
++ keyUsage=digitalSignature
++ subjectKeyIdentifier=hash
++ authorityKeyIdentifier=keyid
++ EOF
++ )
++ msg "Kernel signing key was created: $pem"
++ if ! grep -q "^KERNEL_SIGNING_KEY=" "$ABUILD_USERCONF" 2>/dev/null; then
++ echo "KERNEL_SIGNING_KEY='$pem'" >> "$ABUILD_USERCONF"
++ fi
++ msg "KERNEL_SIGNING_KEY='$pem' was added to $ABUILD_USERCONF"
++}
++ 
+ usage() {
+ cat <<-__EOF__
+ $program $program_version - generate signing keys
+@@ -100,6 +135,7 @@ usage() {
+ 
+ -i, --install Install public key into /etc/apk/keys using doas
+ -n Non-interactive. Use defaults
++ --kernel Generate a key for kernel modules
+ -b, --numbits [BITS] The size of the private key to generate in bits.
+ -q, --quiet
+ -h, --help Show this help
+@@ -116,8 +152,9 @@ install_pubkey=
+ interactive=1
+ numbits=4096
+ quiet=
++kernel_key=
+ 
+-args=$(getopt -o ab:inqh --long append,numbits:,install,quiet,help -n "$program" -- "$@")
++args=$(getopt -o ab:inqh --long append,numbits:,install,quiet,help,kernel -n "$program" -- "$@")
+ if [ $? -ne 0 ]; then
+ usage
+ exit 2
+@@ -127,6 +164,7 @@ while true; do
+ case $1 in
+ -a|--append) append_config=1;;
+ -i|--install) install_pubkey=1;;
++ --kernel) kernel_key=1;;
+ -n) unset interactive ;;
+ -b|--numbits) numbits="$2"; shift 1;;
+ -q|--quiet) quiet=1;; # suppresses msg
+@@ -141,4 +179,8 @@ if [ $# -ne 0 ]; then
+ exit 2
+ fi
+ 
++if [ -n "$kernel_key" ]; then
++ do_kernel_key
++ exit
++fi
+ do_keygen
+diff --git a/tests/abuild_keygen_test b/tests/abuild_keygen_test
+index 09026a5..be266fb 100755
+--- a/tests/abuild_keygen_test
++++ b/tests/abuild_keygen_test
+@@ -11,7 +11,8 @@ init_tests \
+ abuild_keygen_install_without_sudo \
+ abuild_keygen_install_interactive \
+ abuild_keygen_install_non_interactive \
+- abuild_keygen_install_doas
++ abuild_keygen_install_doas \
++ abuild_keygen_kernel \
+ 
+ export ABUILD_SHAREDIR="$SRCDIR"/..
+ export GIT=false
+@@ -103,3 +104,14 @@ abuild_keygen_install_doas_body() {
+ abuild-keygen --install -n
+ }
+ 
++abuild_keygen_kernel_body() {
++ atf_check -s exit:0 \
++ -e match:"(Generating|writing) RSA" \
++ -e match:"signing key was created:.*kernel_signing_key.pem" \
++ -e match:"KERNEL_SIGNING_KEY=.*was added to.*abuild.conf" \
++ abuild-keygen --kernel
++ grep '^KERNEL_SIGNING_KEY=.*' "$HOME"/.abuild/abuild.conf \
++ || atf_fail 'KERNEL_SIGNING_KEY not set in abuild.conf'
++ test -f "$HOME"/.abuild/kernel_signing_key.pem \
++ || atf_fail '$HOME/.abuild/kernel_signing_key.pem was not created'
++}
+diff --git a/tests/bin/openssl b/tests/bin/openssl
+index 231bad4..e0b4049 100755
+--- a/tests/bin/openssl
++++ b/tests/bin/openssl
+@@ -3,9 +3,13 @@
+ # fake openssl
+ while [ $# -gt 0 ]; do
+ case "$1" in
+- genrsa|rsa)
++ genrsa|rsa|req)
+ cmd="$1"
+ ;;
++ -config)
++ shift
++ config="$1"
++ ;;
+ -out)
+ shift
+ outfile="$1"
+@@ -25,5 +29,16 @@ case "$cmd" in
+ echo "writing RSA key" >&2
+ cat "$FAKEKEYPUB" > "$outfile"
+ ;;
++ req)
++ echo "Using configuration from $config" >&2
++ echo "Generating RSA key with 4096 bits" >&2
++ echo "Writing private key to '$outfile'" >&2
++ cat "$FAKEKEY" "$FAKEKEYPUB" > "$outfile"
++ ;;
++ *)
++ echo "unimplemented fake openssl command: $cmd" >&2
++ exit 1
++ ;;
++ 
+ esac
+ 
+-- 
+2.40.1
+ 
diff --git a/main/abuild/APKBUILD b/main/abuild/APKBUILD
index 2f68b21ac1c..3164c05030f 100644
--- a/main/abuild/APKBUILD
+++ b/main/abuild/APKBUILD
@@ -2,7 +2,7 @@
 pkgname=abuild
 pkgver=3.11.0_rc13
 _ver=${pkgver%_git*}
-pkgrel=0
+pkgrel=1
 pkgdesc="Script to build Alpine Packages"
 url="https://git.alpinelinux.org/cgit/abuild/"
 arch="all"
@@ -28,6 +28,7 @@
 options="suid"
 pkggroups="abuild"
 source="https://gitlab.alpinelinux.org/alpine/abuild/-/archive/$pkgver/abuild-$pkgver.tar.gz
 0001-functions-set-sharedir-properly.patch
+ 0001-abuild-keygen-add-support-for-creating-kernel-signin.patch
 "
 builddir="$srcdir"/abuild-$pkgver
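Review bot: `umask 0007` in the new do_kernel_key() (the abuild-keygen.in hunk inside the added patch) presumably leaves kernel_signing_key.pem group-readable and group-writable, and that single file holds the private key as well as the certificate because both `-out "$pem"` and `-keyout "$pem"` point at it. If sharing the module-signing key with the group is intended, a comment such as `# 0007: the key file is shared with the abuild group` would make that explicit; otherwise `umask 0077` limits the file to its owner. The closing `msg "KERNEL_SIGNING_KEY='$pem' was added to $ABUILD_USERCONF"` is also printed when the preceding grep found an existing KERNEL_SIGNING_KEY line, which may name a different file, so moving that msg inside the `if` (or reporting the existing value) would avoid a misleading message. `default_bits = 4096` is fixed in the heredoc while the script's numbits option, parsed in a later hunk of the same file, is ignored for --kernel; if that is deliberate, the `--kernel` usage line could say so.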
@@ -92,4 +93,5 @@ _rootbld() {
 sha512sums="
 a097e21aa79035b75386f644aa9b43200a7e4d5e8f48227230b4d7bd2d4c97b2eb38915890163cef59100623f6bb117a6e1550557cf2a7edbf16e9f40c95ed2c abuild-3.11.0_rc13.tar.gz
 5c6b5564d41dd450a508ecda54c8582de96e7c0bc812ff64809928ba3cf98cfdb180acc9a97d18c32d7948d473064821eec8a625caeb781c391462aab4660045 0001-functions-set-sharedir-properly.patch
+105bcc0343639067ce661413ae983fec494012697c6c59918c95a4e638d9a62b57037a1ccfbff66730509a947be82e4eacac9572a2a1eed413aab123284f6483 0001-abuild-keygen-add-support-for-creating-kernel-signin.patch
 "