88 lines
2.5 KiB
Bash
88 lines
2.5 KiB
Bash
# Copyright 2020 Gentoo Authors
|
|
# Distributed under the terms of the GNU General Public License v2
|
|
|
|
EAPI=7
|
|
|
|
inherit kernel-build
|
|
|
|
MY_P=linux-${PV%.*}
|
|
GENPATCHES_P=genpatches-${PV%.*}-${PV##*.}
|
|
HARDENED_PATCH_VER="${PV}.a"
|
|
GENPATCHES_EXCLUDE="1500_XATTR_USER_PREFIX.patch
|
|
1510_fs-enable-link-security-restrictions-by-default.patch
|
|
2900_dev-root-proc-mount-fix.patch
|
|
4200_fbcondecor.patch
|
|
4400_alpha-sysctl-uac.patch"
|
|
|
|
|
|
DESCRIPTION="Linux kernel built with Gentoo patches"
|
|
HOMEPAGE="https://www.kernel.org/"
|
|
SRC_URI+=" https://cdn.kernel.org/pub/linux/kernel/v$(ver_cut 1).x/${MY_P}.tar.xz
|
|
https://dev.gentoo.org/~mpagano/dist/genpatches/${GENPATCHES_P}.base.tar.xz
|
|
https://dev.gentoo.org/~mpagano/dist/genpatches/${GENPATCHES_P}.extras.tar.xz
|
|
https://github.com/anthraxx/linux-hardened/releases/download/${HARDENED_PATCH_VER}/linux-hardened-${HARDENED_PATCH_VER}.patch"
|
|
|
|
S=${WORKDIR}/${MY_P}
|
|
|
|
LICENSE="GPL-2"
|
|
KEYWORDS="~amd64"
|
|
|
|
BDEPEND="
|
|
!initramfs? ( sys-kernel/initramfs-image )
|
|
app-crypt/sbsigntools"
|
|
RDEPEND="
|
|
!sys-kernel/gentoo-kernel:${SLOT}
|
|
!sys-kernel/gentoo-kernel-bin:${SLOT}
|
|
!sys-kernel/vanilla-kernel:${SLOT}
|
|
!sys-kernel/vanilla-kernel-bin:${SLOT}"
|
|
|
|
src_prepare() {
|
|
# remove some genpatches causes conflicts with linux-hardened patch
|
|
for patch in ${GENPATCHES_EXCLUDE}; do
|
|
rm -f ${WORKDIR}/${patch}
|
|
done
|
|
# include linux-hardened patch with priority
|
|
cp ${DISTDIR}/linux-hardened-${HARDENED_PATCH_VER}.patch ${WORKDIR}/1199_linux-hardened-${HARDENED_PATCH_VER}.patch
|
|
# copy Clear Linux patches
|
|
if [ -d "${FILESDIR}"/${MY_P} ]; then
|
|
cp "${FILESDIR}"/${MY_P}/*.patch ${WORKDIR}/
|
|
fi
|
|
|
|
local PATCHES=(
|
|
# meh, genpatches have no directory
|
|
"${WORKDIR}"/*.patch
|
|
)
|
|
default
|
|
|
|
# prepare the default config
|
|
case ${ARCH} in
|
|
amd64)
|
|
cp "${FILESDIR}"/${MY_P}.amd64.config .config || die
|
|
;;
|
|
*)
|
|
die "Unsupported arch ${ARCH}"
|
|
;;
|
|
esac
|
|
|
|
local config_tweaks=(
|
|
# shove arch under the carpet!
|
|
-e 's:^CONFIG_DEFAULT_HOSTNAME=:&"gentoo":'
|
|
# disable signatures
|
|
-e '/CONFIG_MODULE_SIG/d'
|
|
-e '/CONFIG_SECURITY_LOCKDOWN/d'
|
|
# disable compression to allow stripping
|
|
-e '/CONFIG_MODULE_COMPRESS/d'
|
|
)
|
|
sed -i "${config_tweaks[@]}" .config || die
|
|
}
|
|
|
|
src_install() {
|
|
default
|
|
|
|
if [[ -z "${UEFI_SB_KEY}" && -z "${UEFI_SB_CRT}" ]] ;then
|
|
sbsign --key ${UEFI_SB_KEY} --cert ${UEFI_SB_CRT} --output ${D}/usr/src/linux-${PV}/arch/x86/boot/bzImage.signed \
|
|
${D}/usr/src/linux-${PV}/arch/x86/boot/bzImage && \
|
|
mv ${D}/usr/src/linux-${PV}/arch/x86/boot/bzImage.signed ${D}/usr/src/linux-${PV}/arch/x86/boot/bzImage
|
|
fi
|
|
}
|