From: Georgy Yakovlev <gyakovlev@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing
Date: Mon, 27 Jun 2022 12:46:34 -0700 [thread overview]
Message-ID: <f1871b56f53ecf75193e7d8c34cce42f80f822e9.camel@gentoo.org> (raw)
In-Reply-To: <20220627183531.palnmdpvgzf44ssk@fuuko>
On Mon, 2022-06-27 at 14:35 -0400, Kenton Groombridge wrote:
> On 22/06/26 04:15AM, Georgy Yakovlev wrote:
> > On Sun, 2022-06-26 at 03:52 -0700, Georgy Yakovlev wrote:
> > > On Tue, 2022-06-21 at 14:19 -0400, Kenton Groombridge wrote:
> > > > eee74b9fca1 adds support for module compression, but this
> > > > breaks
> > > > loading
> > > > out of tree modules when module signing is enforced because
> > > > modules
> > > > must
> > > > be signed before they are compressed. Additionally, the
> > > > recommended
> > > > Portage hook[1] no longer works with this change.
> > > >
> > > > Add module signing support in linux-mod.eclass which more or
> > > > less
> > > > does
> > > > exactly what the aforementioned Portage hook does. If the
> > > > kernel
> > > > configuration has CONFIG_MODULE_SIG_ALL=y, then read the hash
> > > > and
> > > > keys
> > > > from the kernel configuration and call the sign_file tool to
> > > > sign
> > > > the
> > > > module before it is compressed.
> > > >
> > > > Bug: https://bugs.gentoo.org/show_bug.cgi?id=447352
> > > > Signed-off-by: Kenton Groombridge <concord@gentoo.org>
> > > > ---
> > > > eclass/linux-mod.eclass | 16 ++++++++++++++++
> > > > 1 file changed, 16 insertions(+)
> > > >
> > > > diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass
> > > > index b7c13cbf7e7..fd40f6d7c6c 100644
> > > > --- a/eclass/linux-mod.eclass
> > > > +++ b/eclass/linux-mod.eclass
> > > > @@ -712,6 +712,22 @@ linux-mod_src_install() {
> > > > cd "${objdir}" || die "${objdir} does not
> > > > exist"
> > > > insinto
> > > > "${INSTALL_MOD_PATH}"/lib/modules/${KV_FULL}/${libdir}
> > > >
> > > > + # check here for CONFIG_MODULE_SIG_ALL and sign
> > > > the
> > > > module being built if enabled.
> > > > + # modules must be signed before they are
> > > > compressed.
> > > > +
> > > > + if linux_chkconfig_present MODULE_SIG_ALL; then
> > > > + local
> > > > module_sig_hash="$(linux_chkconfig_string MODULE_SIG_HASH)"
> > > > + local
> > > > module_sig_key="$(linux_chkconfig_string MODULE_SIG_KEY)"
> > > > + module_sig_key="${module_sig_key:-
> > > > certs/signing_key.pem}"
> > > > + if [[ "${module_sig_key#pkcs11:}" ==
> > > > "${module_sig_key}" && "${module_sig_key#/}" ==
> > > > "${module_sig_key}"
> > > > ]]; then
> > > > + local
> > > > key_path="${KERNEL_DIR}/${module_sig_key}"
> > > > + else
> > > > + local
> > > > key_path="${module_sig_key}"
> > > > + fi
> > > > + local
> > > > cert_path="${KERNEL_DIR}/certs/signing_key.x509"
> > > > + "${KERNEL_DIR}"/scripts/sign-file
> > > > ${module_sig_hash//\"} ${key_path//\"} ${cert_path}
> > > > ${modulename}.${KV_OBJ}
> > > > + fi
> > > > +
> > > > # check here for
> > > > CONFIG_MODULE_COMPRESS_<compression
> > > > option> (NONE, GZIP, XZ, ZSTD)
> > > > # and similarily compress the module being
> > > > built if
> > > > != NONE.
> > > >
> > >
> > >
> > > Hi,
> > >
> > > I've spent some time in the past ( circa 2018 ) to get this in,
> > > but
> > > gave up due to various reasons, I was not a gentoo dev yet at the
> > > time.
> > >
> > > I can't see how posted implementation will work tbh.
> > > portage will strip signature out of the module, unless you
> > > prevent
> > > stripping completely or package uses EAPI>=7, and omits stripping
> > > modules via dostrip -x on the ko object.
> > > kernel will NOT load module with stripped signature.
> > >
> > > so either you have to sign in pkg_postinst phase, or prevent
> > > stripping.
> > > signing in postinst is not ideal, because if breaks recorded file
> > > checksums in vdb.
> > >
> > > here's old fork of eclass I made, maybe you can find some helpful
> > > code
> > > in there
> > >
> > > https://github.com/gyakovlev/linux-mod.eclass/blob/master/linux-mod.eclass
> > >
> > > old ML discussion we had:
> > > https://archives.gentoo.org/gentoo-dev/message/4b15b1c851f379a1f802e2f2895cdfa8
> > >
> > > You will also need a dependency on openssl, since sign-file uses
> > > it.
> > >
> > > lmk if you need more info, I might remember more details, but for
> > > now
> > > that's all I have. I'll try to help get it done, but my
> > > availability
> > > is
> > > spotty due to limited time.
> >
> > after reading my old code again and thinking more I think I know
> > what's
> > going on.
> > 1. I've actually solved checksum/strip problem by signing in pkg-
> > preinst
> > 2. my method will likely fail with compressed modules.
> > 3. your method likely works only if modules are compressed -
> > because
> > portage does not strip those I think.
> >
>
> This is exactly what I was thinking. I'm pretty sure I wasn't seeing
> the
> problematic signature stripping behavior because I have module
> compression enabled.
>
> Also good point about the OpenSSL dependency. That's something I
> didn't
> consider.
>
> > so looks like we need to combine both methods and do the following:
> > - if signing requested without compression - sign in pkg_preinst.
> > - if signing requested with compression - sign in src_install
> >
>
> Why can't we do both in pkg_preinst? I am thinking it would be best
> if
> we drop the current compression implementation and rework your old
> code
> to handle both compression and signing since the signing code is more
> or
> less already complete.
i'm not sure if sign-file can sign compressed modules.
if we let kernel build handle compression - we have to sign prior to
compression.
if we compress modules ourselves then yes, we could sign first indeed.
but preinst has it's own issues, you've already seen floppym's remark.
>
> > Do I make sense? I still haven't tested it, just guessing as I read
> > my
> > old bash code.
> >
next prev parent reply other threads:[~2022-06-27 19:46 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-21 18:19 [gentoo-dev] [PATCH] linux-mod.eclass: support module signing Kenton Groombridge
2022-06-21 18:21 ` Kenton Groombridge
2022-06-23 12:51 ` Mike Pagano
2022-06-23 14:30 ` Kenton Groombridge
2022-06-26 10:52 ` Georgy Yakovlev
2022-06-26 11:15 ` Georgy Yakovlev
2022-06-27 18:35 ` Kenton Groombridge
2022-06-27 18:56 ` Mike Gilbert
2022-06-27 19:18 ` Kenton Groombridge
2022-06-27 19:42 ` Georgy Yakovlev
2022-06-27 19:49 ` Mike Gilbert
2022-06-27 21:11 ` Georgy Yakovlev
2022-06-27 21:50 ` Mike Gilbert
2022-06-27 23:42 ` Georgy Yakovlev
2022-07-05 19:02 ` Georgy Yakovlev
2022-07-05 19:55 ` Kenton Groombridge
2022-07-05 20:11 ` Mike Gilbert
2022-06-27 19:46 ` Georgy Yakovlev [this message]
2022-06-27 20:02 ` Kenton Groombridge
2022-06-27 21:25 ` Georgy Yakovlev
-- strict thread matches above, loose matches on Subject: below --
2018-04-14 21:25 Georgy Yakovlev
2018-04-15 18:13 ` NP-Hardass
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f1871b56f53ecf75193e7d8c34cce42f80f822e9.camel@gentoo.org \
--to=gyakovlev@gentoo.org \
--cc=gentoo-dev@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox