sys-kernel/hardened-kernel: bump v6.10.2

sys-kernel/hardened-kernel/hardened-kernel-6.1.69.ebuild

@@ -1,100 +0,0 @@
-# Copyright 2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-inherit kernel-build
-
-MY_P=linux-${PV%.*}
-GENPATCHES_P=genpatches-${PV%.*}-$((${PV##*.}+8))
-HARDENED_PATCH_VER="${PV}-hardened1"
-GENPATCHES_EXCLUDE="1500_XATTR_USER_PREFIX.patch
-	1510_fs-enable-link-security-restrictions-by-default.patch
-	2900_dev-root-proc-mount-fix.patch
-	4200_fbcondecor.patch
-	4400_alpha-sysctl-uac.patch
-	4567_distro-Gentoo-Kconfig.patch"
-
-
-DESCRIPTION="Linux kernel built with Gentoo patches"
-HOMEPAGE="https://www.kernel.org/"
-SRC_URI+=" https://cdn.kernel.org/pub/linux/kernel/v$(ver_cut 1).x/${MY_P}.tar.xz
-	https://dev.gentoo.org/~mpagano/dist/genpatches/${GENPATCHES_P}.base.tar.xz
-	https://dev.gentoo.org/~mpagano/dist/genpatches/${GENPATCHES_P}.extras.tar.xz
-	https://github.com/anthraxx/linux-hardened/releases/download/${HARDENED_PATCH_VER}/linux-hardened-${HARDENED_PATCH_VER}.patch"
-
-S=${WORKDIR}/${MY_P}
-
-LICENSE="GPL-2"
-KEYWORDS="~amd64"
-IUSE="debug extra-hardened"
-
-REQUIRED_USE="extra-hardened? ( !debug )"
-
-BDEPEND="sys-firmware/intel-microcode
-		debug? ( dev-util/dwarves )"
-RDEPEND="
-	!sys-kernel/gentoo-kernel:${SLOT}
-	!sys-kernel/gentoo-kernel-bin:${SLOT}
-	!sys-kernel/vanilla-kernel:${SLOT}
-	!sys-kernel/vanilla-kernel-bin:${SLOT}"
-
-RESTRICT="strip"
-
-src_prepare() {
-	# remove some genpatches causes conflicts with linux-hardened patch
-	for patch in ${GENPATCHES_EXCLUDE}; do
-		rm -f ${WORKDIR}/${patch}
-	done
-	# include linux-hardened patch with priority
-	cp ${DISTDIR}/linux-hardened-${HARDENED_PATCH_VER}.patch ${WORKDIR}/1199_linux-hardened-${HARDENED_PATCH_VER}.patch
-	# copy Clear Linux patches
-	if [ -d "${FILESDIR}"/${MY_P} ]; then
-		cp "${FILESDIR}"/${MY_P}/*.patch ${WORKDIR}/
-	fi
-
-	local PATCHES=(
-		# meh, genpatches have no directory
-		"${WORKDIR}"/*.patch
-	)
-	default
-
-	# prepare the default config
-	case ${ARCH} in
-		amd64)
-			cp "${FILESDIR}"/${MY_P}.amd64.config .config || die
-			;;
-		*)
-			die "Unsupported arch ${ARCH}"
-			;;
-	esac
-
-	local config_tweaks=(
-		# shove arch under the carpet!
-		-e 's:^CONFIG_DEFAULT_HOSTNAME=:&"gentoo":'
-		# disable compression to allow stripping
-		-e '/CONFIG_MODULE_COMPRESS/d'
-	)
-	use debug || config_tweaks+=(
-		-e '/CONFIG_DEBUG_INFO/d'
-	)
-	use extra-hardened || config_tweaks+=(
-        # disable signatures
-        -e '/CONFIG_MODULE_SIG/d'
-        -e '/CONFIG_SECURITY_LOCKDOWN/d'
-        # Reqired to be disabled for out of tree kernel modules
-        -e '/CONFIG_TRIM_UNUSED_KSYMS/d'
-	)
-	sed -i "${config_tweaks[@]}" .config || die
-	sed -i "s@\-hardened1@@g" Makefile || die
-}
-
-src_install() {
-	kernel-build_src_install
-
-	if [[ -n "${UEFI_SB_KEY}" && -n "${UEFI_SB_CRT}" ]] ;then
-		sbsign --key ${UEFI_SB_KEY} --cert ${UEFI_SB_CRT} --output ${D}/usr/src/linux-${PV}/arch/x86/boot/bzImage.signed \
-		  ${D}/usr/src/linux-${PV}/arch/x86/boot/bzImage && \
-		mv ${D}/usr/src/linux-${PV}/arch/x86/boot/bzImage.signed ${D}/usr/src/linux-${PV}/arch/x86/boot/bzImage
-	fi
-}

sys-kernel/hardened-kernel/hardened-kernel-6.10.12.ebuild

@@ -0,0 +1,142 @@
+# Copyright 2020-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+KERNEL_IUSE_GENERIC_UKI=1
+KERNEL_IUSE_MODULES_SIGN=1
+
+inherit kernel-build toolchain-funcs
+
+MY_P=linux-${PV%.*}
+GENPATCHES_P=genpatches-${PV%.*}-$(( ${PV##*.} + 3 ))
+CONFIG_VER=6.10.1-gentoo
+GENTOO_CONFIG_VER=g13
+HARDENED_PATCH_VER="${PV}-hardened1"
+GENPATCHES_EXCLUDE="1500_XATTR_USER_PREFIX.patch
+	1510_fs-enable-link-security-restrictions-by-default.patch
+	2900_dev-root-proc-mount-fix.patch
+	4200_fbcondecor.patch
+	4400_alpha-sysctl-uac.patch"
+
+DESCRIPTION="Linux kernel built with Gentoo patches"
+HOMEPAGE="
+	https://wiki.gentoo.org/wiki/Project:Distribution_Kernel
+	https://www.kernel.org/
+"
+SRC_URI+="
+	https://cdn.kernel.org/pub/linux/kernel/v$(ver_cut 1).x/${MY_P}.tar.xz
+	https://dev.gentoo.org/~mpagano/dist/genpatches/${GENPATCHES_P}.base.tar.xz
+	https://dev.gentoo.org/~mpagano/dist/genpatches/${GENPATCHES_P}.extras.tar.xz
+	experimental? (
+		https://dev.gentoo.org/~mpagano/dist/genpatches/${GENPATCHES_P}.experimental.tar.xz
+	)
+	https://github.com/anthraxx/linux-hardened/releases/download/v${HARDENED_PATCH_VER}/linux-hardened-v${HARDENED_PATCH_VER}.patch
+	https://github.com/projg2/gentoo-kernel-config/archive/${GENTOO_CONFIG_VER}.tar.gz
+		-> gentoo-kernel-config-${GENTOO_CONFIG_VER}.tar.gz
+	amd64? (
+		https://raw.githubusercontent.com/projg2/fedora-kernel-config-for-gentoo/${CONFIG_VER}/kernel-x86_64-fedora.config
+			-> kernel-x86_64-fedora.config.${CONFIG_VER}
+	)
+	arm64? (
+		https://raw.githubusercontent.com/projg2/fedora-kernel-config-for-gentoo/${CONFIG_VER}/kernel-aarch64-fedora.config
+			-> kernel-aarch64-fedora.config.${CONFIG_VER}
+	)
+	ppc64? (
+		https://raw.githubusercontent.com/projg2/fedora-kernel-config-for-gentoo/${CONFIG_VER}/kernel-ppc64le-fedora.config
+			-> kernel-ppc64le-fedora.config.${CONFIG_VER}
+	)
+	x86? (
+		https://raw.githubusercontent.com/projg2/fedora-kernel-config-for-gentoo/${CONFIG_VER}/kernel-i686-fedora.config
+			-> kernel-i686-fedora.config.${CONFIG_VER}
+	)
+"
+S=${WORKDIR}/${MY_P}
+
+KEYWORDS="amd64 ~arm arm64 ~hppa ~loong ~ppc ppc64 ~riscv ~sparc x86"
+IUSE="debug +experimental"
+REQUIRED_USE="
+	arm? ( savedconfig )
+	hppa? ( savedconfig )
+	riscv? ( savedconfig )
+	sparc? ( savedconfig )
+"
+
+RDEPEND="
+	!sys-kernel/gentoo-kernel-bin:${SLOT}
+"
+BDEPEND="
+	debug? ( dev-util/pahole )
+"
+PDEPEND="
+	>=virtual/dist-kernel-${PV}
+"
+
+QA_FLAGS_IGNORED="
+	usr/src/linux-.*/scripts/gcc-plugins/.*.so
+	usr/src/linux-.*/vmlinux
+	usr/src/linux-.*/arch/powerpc/kernel/vdso.*/vdso.*.so.dbg
+"
+
+src_prepare() {
+	# remove some genpatches causes conflicts with linux-hardened patch
+	for patch in ${GENPATCHES_EXCLUDE}; do
+		rm -f ${WORKDIR}/${patch}
+	done
+	# Remove already exists changes in linux-hardened patch
+	sed -i '322,337d' "${WORKDIR}/4567_distro-Gentoo-Kconfig.patch"
+	# include linux-hardened patch with priority
+	cp ${DISTDIR}/linux-hardened-v${HARDENED_PATCH_VER}.patch ${WORKDIR}/1199_linux-hardened-${HARDENED_PATCH_VER}.patch
+	# copy Clear Linux patches
+	if [ -d "${FILESDIR}"/${MY_P} ]; then
+		cp "${FILESDIR}"/${MY_P}/*.patch ${WORKDIR}/
+	fi
+
+	local PATCHES=(
+		# meh, genpatches have no directory
+		"${WORKDIR}"/*.patch
+	)
+	default
+
+	sed -i "s@\-hardened1@@g" Makefile || die
+
+	local biendian=false
+
+	# prepare the default config
+	case ${ARCH} in
+		amd64)
+			cp "${FILESDIR}/linux-6.10.amd64.config" .config || die
+			;;
+		*)
+			die "Unsupported arch ${ARCH}"
+			;;
+	esac
+
+	local myversion="-hardened"
+	echo "CONFIG_LOCALVERSION=\"${myversion}\"" > "${T}"/version.config || die
+	local dist_conf_path="${WORKDIR}/gentoo-kernel-config-${GENTOO_CONFIG_VER}"
+
+	local merge_configs=(
+		"${T}"/version.config
+	)
+	use debug || merge_configs+=(
+		"${dist_conf_path}"/no-debug.config
+	)
+
+	merge_configs+=( "${dist_conf_path}"/hardened-base.config )
+
+	tc-is-gcc && merge_configs+=( "${dist_conf_path}"/hardened-gcc-plugins.config )
+
+	if [[ -f "${dist_conf_path}/hardened-${ARCH}.config" ]]; then
+		merge_configs+=( "${dist_conf_path}/hardened-${ARCH}.config" )
+	fi
+
+	# this covers ppc64 and aarch64_be only for now
+	if [[ ${biendian} == true && $(tc-endian) == big ]]; then
+		merge_configs+=( "${dist_conf_path}/big-endian.config" )
+	fi
+
+	use secureboot && merge_configs+=( "${dist_conf_path}/secureboot.config" )
+
+	kernel-build_merge_configs "${merge_configs[@]}"
+}