eclass/coreos-kernel,sys-kernel/coreos-modules:

Move module signing key to /tmp, so that it stays in RAM. Disable
shredding signing key after coreos-modules finishes, but rather shred it
after coreos-kernel finishes, so that out of tree modules (like ZFS from
upstream portage) can also use the key before it is shreded.

Author: danzatt

sdk_container/src/third_party/coreos-overlay/eclass/coreos-kernel.eclass

@@ -136,16 +136,36 @@ getconfig() {
 	echo "${value}"
 }
 
+get_sig_key() {
+	local sig_key="$(getconfig MODULE_SIG_KEY)"
+
+	if [ "$sig_key" == "${sig_key#/}" ]
+	then
+		echo "build/$sig_key"
+	else
+		echo $sig_key
+	fi
+}
+
 # Generate the module signing key for this build.
 setup_keys() {
 	local sig_hash sig_key
 	sig_hash=$(getconfig MODULE_SIG_HASH)
-	sig_key="build/$(getconfig MODULE_SIG_KEY)"
+	sig_key="$(get_sig_key)"
+
+	echo "Preparing keys at $sig_key"
 
 	if [[ "${sig_key}" == "build/certs/signing_key.pem" ]]; then
 		die "MODULE_SIG_KEY is using the default value"
 	fi
 
+	if [ "$sig_key" == "${sig_key#/tmp/}" ]
+	then
+		die "Refusing to generate the key outside of /tmp, so that it stays in RAM only."
+	fi
+
+	pushd /tmp
+
 	mkdir -p certs "${sig_key%/*}" || die
 
 	# based on the default config the kernel auto-generates
@@ -174,14 +194,19 @@ setup_keys() {
 		-keyout certs/modules.key.pem \
 		|| die "Generating module signing key failed"
 	cat certs/modules.pub.pem certs/modules.key.pem > "${sig_key}"
+	cp certs/modules.pub.pem $MODULES_SIGN_CERT
+
+	popd
 }
 
 # Discard the module signing key but keep public certificate.
 shred_keys() {
 	local sig_key
-	sig_key="build/$(getconfig MODULE_SIG_KEY)"
-	shred -u certs/modules.key.pem "${sig_key}" || die
-	cp certs/modules.pub.pem "${sig_key}" || die
+	sig_key="$(get_sig_key)"
+	echo "Shredding the key in $sig_key"
+	shred -u /tmp/certs/modules.key.pem "${sig_key}" || die
+	mv /tmp/certs/modules.pub.pem "${sig_key}" || die
+	rm -f /tmp/certs/modules.cnf
 }
 
 # Populate /lib/modules/$(uname -r)/{build,source}

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults

@@ -124,3 +124,10 @@ CGO_ENABLED=1
 
 # Keep using old binary format for now.
 BINPKG_FORMAT=xpak
+
+# move signing key and cert to /tmp so that the ephemeral key is not stored on a disk
+MODULES_SIGN_KEY="/tmp/certs/modules.pem"
+MODULES_SIGN_CERT="/tmp/certs/modules.pub.pem"
+
+# enable signing kernel modules from portage
+USE="${USE} modules-sign"

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.6.75.ebuild

@@ -61,9 +61,24 @@ src_prepare() {
 	# Pull in the config and public module signing key
 	KV_OUT_DIR="${SYSROOT%/}/lib/modules/${COREOS_SOURCE_NAME#linux-}/build"
 	cp -v "${KV_OUT_DIR}/.config" build/ || die
+	echo cp -v "${KV_OUT_DIR}/.config" build/
+
+	# shred_keys needs to have config in place, so that it can read the MODULE_SIG_KEY
+	shred_keys
 	local sig_key="$(getconfig MODULE_SIG_KEY)"
-	mkdir -p "build/${sig_key%/*}" || die
-	cp -v "${KV_OUT_DIR}/${sig_key}" "build/${sig_key}" || die
+
+	if [ "$sig_key" == "${sig_key#/tmp/}" ]
+	then
+		die "Refusing to use module key stored outside of /tmp."
+	fi
+
+	# keeping the old logic here for now, unreacheble due to the previous condition
+	if [ "$sig_key" == "${sig_key#/}" ]
+	then
+		# sig_key is a relative path
+		mkdir -p "build/${sig_key%/*}" || die
+		cp -v "${KV_OUT_DIR}/${sig_key}" "build/${sig_key}" || die
+	fi
 
 	# Symlink to bootengine.cpio so we can stick with relative paths in .config
 	ln -sv "${SYSROOT%/}"/usr/share/bootengine/bootengine.cpio build/ || die

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.6.75.ebuild

@@ -52,7 +52,6 @@ src_install() {
 	rm "${D}/usr/lib/debug/usr/lib/modules/${KV_FULL}/build" || die
 
 	# Clean up the build tree
-	shred_keys
 	kmake clean
 	find "build/" -type d -empty -delete || die
 	rm "build/.config.old" || die

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.6

@@ -459,7 +459,7 @@ CONFIG_MMC_SDHCI_PCI=m
 CONFIG_MODULES=y
 CONFIG_MODULE_COMPRESS_XZ=y
 CONFIG_MODULE_SIG=y
-CONFIG_MODULE_SIG_KEY="certs/modules.pem"
+CONFIG_MODULE_SIG_KEY="/tmp/certs/modules.pem"
 CONFIG_MODULE_SIG_SHA256=y
 CONFIG_MODULE_UNLOAD=y
 CONFIG_MOUSE_PS2=m