abuild-keygen: add support for creating kernel signing key

We need to have a key that can be used to sign kernel modules and
specifically 3rd party kernel modules. Add support for creating this key
in abuild-keygen.

ref: https://gitlab.alpinelinux.org/alpine/aports/-/issues/14873

abuild-keygen.in

@@ -90,6 +90,41 @@ do_keygen() {
 	msg ""
 }
 
+do_kernel_key() {
+	mkdir -p "$ABUILD_USERDIR"
+	pem="$ABUILD_USERDIR"/kernel_signing_key.pem
+	(
+	umask 0007
+	# https://www.kernel.org/doc/html/v6.1/admin-guide/module-signing.html#generating-signing-keys
+	openssl req -verbose -new -nodes -utf8 -sha256 -days 36500 -batch -x509 \
+		-outform PEM -out "$pem" \
+		-keyout "$pem" -config - <<-EOF
+			[ req ]
+			default_bits = 4096
+			distinguished_name = req_distinguished_name
+			prompt = no
+			string_mask = utf8only
+			x509_extensions = myexts
+
+			[ req_distinguished_name ]
+			O = alpinelinux.org
+			CN = Alpine Linux kernel key
+			#emailAddress = unspecified.user@unspecified.company
+
+			[ myexts ]
+			basicConstraints=critical,CA:FALSE
+			keyUsage=digitalSignature
+			subjectKeyIdentifier=hash
+			authorityKeyIdentifier=keyid
+		EOF
+	)
+	msg "Kernel signing key was created: $pem"
+	if ! grep -q "^KERNEL_SIGNING_KEY=" "$ABUILD_USERCONF" 2>/dev/null; then
+		echo "KERNEL_SIGNING_KEY='$pem'" >> "$ABUILD_USERCONF"
+	fi
+	msg "KERNEL_SIGNING_KEY='$pem' was added to $ABUILD_USERCONF"
+}
+
 usage() {
 	cat <<-__EOF__
 		$program $program_version - generate signing keys
@@ -100,6 +135,7 @@ usage() {
 
 		  -i, --install        Install public key into /etc/apk/keys using doas
 		  -n                   Non-interactive. Use defaults
+		      --kernel         Generate a key for kernel modules
 		  -b, --numbits [BITS] The size of the private key to generate in bits.
 		  -q, --quiet
 		  -h, --help           Show this help
@@ -116,8 +152,9 @@ install_pubkey=
 interactive=1
 numbits=4096
 quiet=
+kernel_key=
 
-args=$(getopt -o ab:inqh --long append,numbits:,install,quiet,help -n "$program" -- "$@")
+args=$(getopt -o ab:inqh --long append,numbits:,install,quiet,help,kernel -n "$program" -- "$@")
 if [ $? -ne 0 ]; then
 	usage
 	exit 2
@@ -127,6 +164,7 @@ while true; do
 	case $1 in
 		-a|--append) append_config=1;;
 		-i|--install) install_pubkey=1;;
+		--kernel) kernel_key=1;;
 		-n) unset interactive ;;
 		-b|--numbits) numbits="$2"; shift 1;;
 		-q|--quiet) quiet=1;; # suppresses msg
@@ -141,4 +179,8 @@ if [ $# -ne 0 ]; then
 	exit 2
 fi
 
+if [ -n "$kernel_key" ]; then
+	do_kernel_key
+	exit
+fi
 do_keygen

tests/abuild_keygen_test

@@ -11,7 +11,8 @@ init_tests \
 	abuild_keygen_install_without_sudo \
 	abuild_keygen_install_interactive \
 	abuild_keygen_install_non_interactive \
-	abuild_keygen_install_doas
+	abuild_keygen_install_doas \
+	abuild_keygen_kernel \
 
 export ABUILD_SHAREDIR="$SRCDIR"/..
 export GIT=false
@@ -103,3 +104,14 @@ abuild_keygen_install_doas_body() {
 		abuild-keygen --install -n
 }
 
+abuild_keygen_kernel_body() {
+	atf_check -s exit:0 \
+		-e match:"(Generating|writing) RSA" \
+		-e match:"signing key was created:.*kernel_signing_key.pem" \
+		-e match:"KERNEL_SIGNING_KEY=.*was added to.*abuild.conf" \
+		abuild-keygen --kernel
+	grep '^KERNEL_SIGNING_KEY=.*' "$HOME"/.abuild/abuild.conf \
+			|| atf_fail 'KERNEL_SIGNING_KEY not set in abuild.conf'
+	test -f "$HOME"/.abuild/kernel_signing_key.pem \
+			|| atf_fail '$HOME/.abuild/kernel_signing_key.pem was not created'
+}

tests/bin/openssl

@@ -3,9 +3,13 @@
 # fake openssl
 while [ $# -gt 0 ]; do
 	case "$1" in
-		genrsa|rsa)
+		genrsa|rsa|req)
 			cmd="$1"
 			;;
+		-config)
+			shift
+			config="$1"
+			;;
 		-out)
 			shift
 			outfile="$1"
@@ -25,5 +29,16 @@ case "$cmd" in
 		echo "writing RSA key" >&2
 		cat "$FAKEKEYPUB" > "$outfile"
 		;;
+	req)
+		echo "Using configuration from $config" >&2
+		echo "Generating RSA key with 4096 bits" >&2
+		echo "Writing private key to '$outfile'" >&2
+		cat "$FAKEKEY" "$FAKEKEYPUB" > "$outfile"
+		;;
+	*)
+		echo "unimplemented fake openssl command: $cmd" >&2
+		exit 1
+		;;
+
 esac