From: Georgy Yakovlev <gyakovlev@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing
Date: Sun, 26 Jun 2022 04:15:03 -0700 [thread overview]
Message-ID: <9317f3aa1815d9ef219625794c06a8fb3057d707.camel@gentoo.org> (raw)
In-Reply-To: <84e99a74d64f0d9dd326af0f2c54b9d5717b2f8d.camel@gentoo.org>
On Sun, 2022-06-26 at 03:52 -0700, Georgy Yakovlev wrote:
> On Tue, 2022-06-21 at 14:19 -0400, Kenton Groombridge wrote:
> > eee74b9fca1 adds support for module compression, but this breaks
> > loading
> > out of tree modules when module signing is enforced because modules
> > must
> > be signed before they are compressed. Additionally, the recommended
> > Portage hook[1] no longer works with this change.
> >
> > Add module signing support in linux-mod.eclass which more or less
> > does
> > exactly what the aforementioned Portage hook does. If the kernel
> > configuration has CONFIG_MODULE_SIG_ALL=y, then read the hash and
> > keys
> > from the kernel configuration and call the sign_file tool to sign
> > the
> > module before it is compressed.
> >
> > Bug: https://bugs.gentoo.org/show_bug.cgi?id=447352
> > Signed-off-by: Kenton Groombridge <concord@gentoo.org>
> > ---
> > eclass/linux-mod.eclass | 16 ++++++++++++++++
> > 1 file changed, 16 insertions(+)
> >
> > diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass
> > index b7c13cbf7e7..fd40f6d7c6c 100644
> > --- a/eclass/linux-mod.eclass
> > +++ b/eclass/linux-mod.eclass
> > @@ -712,6 +712,22 @@ linux-mod_src_install() {
> > cd "${objdir}" || die "${objdir} does not exist"
> > insinto
> > "${INSTALL_MOD_PATH}"/lib/modules/${KV_FULL}/${libdir}
> >
> > + # check here for CONFIG_MODULE_SIG_ALL and sign the
> > module being built if enabled.
> > + # modules must be signed before they are
> > compressed.
> > +
> > + if linux_chkconfig_present MODULE_SIG_ALL; then
> > + local
> > module_sig_hash="$(linux_chkconfig_string MODULE_SIG_HASH)"
> > + local
> > module_sig_key="$(linux_chkconfig_string MODULE_SIG_KEY)"
> > + module_sig_key="${module_sig_key:-
> > certs/signing_key.pem}"
> > + if [[ "${module_sig_key#pkcs11:}" ==
> > "${module_sig_key}" && "${module_sig_key#/}" == "${module_sig_key}"
> > ]]; then
> > + local
> > key_path="${KERNEL_DIR}/${module_sig_key}"
> > + else
> > + local key_path="${module_sig_key}"
> > + fi
> > + local
> > cert_path="${KERNEL_DIR}/certs/signing_key.x509"
> > + "${KERNEL_DIR}"/scripts/sign-file
> > ${module_sig_hash//\"} ${key_path//\"} ${cert_path}
> > ${modulename}.${KV_OBJ}
> > + fi
> > +
> > # check here for
> > CONFIG_MODULE_COMPRESS_<compression
> > option> (NONE, GZIP, XZ, ZSTD)
> > # and similarily compress the module being built if
> > != NONE.
> >
>
>
> Hi,
>
> I've spent some time in the past ( circa 2018 ) to get this in, but
> gave up due to various reasons, I was not a gentoo dev yet at the
> time.
>
> I can't see how posted implementation will work tbh.
> portage will strip signature out of the module, unless you prevent
> stripping completely or package uses EAPI>=7, and omits stripping
> modules via dostrip -x on the ko object.
> kernel will NOT load module with stripped signature.
>
> so either you have to sign in pkg_postinst phase, or prevent
> stripping.
> signing in postinst is not ideal, because if breaks recorded file
> checksums in vdb.
>
> here's old fork of eclass I made, maybe you can find some helpful
> code
> in there
>
> https://github.com/gyakovlev/linux-mod.eclass/blob/master/linux-mod.eclass
>
> old ML discussion we had:
> https://archives.gentoo.org/gentoo-dev/message/4b15b1c851f379a1f802e2f2895cdfa8
>
> You will also need a dependency on openssl, since sign-file uses it.
>
> lmk if you need more info, I might remember more details, but for now
> that's all I have. I'll try to help get it done, but my availability
> is
> spotty due to limited time.
after reading my old code again and thinking more I think I know what's
going on.
1. I've actually solved checksum/strip problem by signing in pkg-
preinst
2. my method will likely fail with compressed modules.
3. your method likely works only if modules are compressed - because
portage does not strip those I think.
so looks like we need to combine both methods and do the following:
- if signing requested without compression - sign in pkg_preinst.
- if signing requested with compression - sign in src_install
Do I make sense? I still haven't tested it, just guessing as I read my
old bash code.
next prev parent reply other threads:[~2022-06-26 11:15 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-21 18:19 [gentoo-dev] [PATCH] linux-mod.eclass: support module signing Kenton Groombridge
2022-06-21 18:21 ` Kenton Groombridge
2022-06-23 12:51 ` Mike Pagano
2022-06-23 14:30 ` Kenton Groombridge
2022-06-26 10:52 ` Georgy Yakovlev
2022-06-26 11:15 ` Georgy Yakovlev [this message]
2022-06-27 18:35 ` Kenton Groombridge
2022-06-27 18:56 ` Mike Gilbert
2022-06-27 19:18 ` Kenton Groombridge
2022-06-27 19:42 ` Georgy Yakovlev
2022-06-27 19:49 ` Mike Gilbert
2022-06-27 21:11 ` Georgy Yakovlev
2022-06-27 21:50 ` Mike Gilbert
2022-06-27 23:42 ` Georgy Yakovlev
2022-07-05 19:02 ` Georgy Yakovlev
2022-07-05 19:55 ` Kenton Groombridge
2022-07-05 20:11 ` Mike Gilbert
2022-06-27 19:46 ` Georgy Yakovlev
2022-06-27 20:02 ` Kenton Groombridge
2022-06-27 21:25 ` Georgy Yakovlev
-- strict thread matches above, loose matches on Subject: below --
2018-04-14 21:25 Georgy Yakovlev
2018-04-15 18:13 ` NP-Hardass
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9317f3aa1815d9ef219625794c06a8fb3057d707.camel@gentoo.org \
--to=gyakovlev@gentoo.org \
--cc=gentoo-dev@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox