From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 994D1158094 for ; Mon, 27 Jun 2022 23:42:58 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 506EBE0CA4; Mon, 27 Jun 2022 23:42:55 +0000 (UTC) Received: from smtp.gentoo.org (woodpecker.gentoo.org [140.211.166.183]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id EA312E0C4D for ; Mon, 27 Jun 2022 23:42:54 +0000 (UTC) Message-ID: <0f4a80cb6ee817dc015c1791960df032ae528ea4.camel@gentoo.org> Subject: Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing From: Georgy Yakovlev To: gentoo-dev@lists.gentoo.org Date: Mon, 27 Jun 2022 16:42:52 -0700 In-Reply-To: References: <20220621181959.920941-1-concord@gentoo.org> <84e99a74d64f0d9dd326af0f2c54b9d5717b2f8d.camel@gentoo.org> <9317f3aa1815d9ef219625794c06a8fb3057d707.camel@gentoo.org> <20220627183531.palnmdpvgzf44ssk@fuuko> <7311bbf9de54e3fb08953a40a9cd03df61f4dd00.camel@gentoo.org> Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable User-Agent: Evolution 3.44.2 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply MIME-Version: 1.0 X-Archives-Salt: 88db4ea0-d28a-4428-a43d-42974cd86af1 X-Archives-Hash: 6537a60f510bb63cdbbc99388a86b952 On Mon, 2022-06-27 at 17:50 -0400, Mike Gilbert wrote: > On Mon, Jun 27, 2022 at 5:11 PM Georgy Yakovlev > wrote: > >=20 > > On Mon, 2022-06-27 at 15:49 -0400, Mike Gilbert wrote: > > > On Mon, Jun 27, 2022 at 3:42 PM Georgy Yakovlev > > > wrote: > > > >=20 > > > > On Mon, 2022-06-27 at 14:56 -0400, Mike Gilbert wrote: > > > > > On Mon, Jun 27, 2022 at 2:35 PM Kenton Groombridge > > > > > wrote: > > > > > > > so looks like we need to combine both methods and do the > > > > > > > following: > > > > > > > =C2=A0- if signing requested without compression - sign in > > > > > > > pkg_preinst. > > > > > > > =C2=A0- if signing requested with compression - sign in > > > > > > > src_install > > > > > > >=20 > > > > > >=20 > > > > > > Why can't we do both in pkg_preinst? I am thinking it would > > > > > > be > > > > > > best > > > > > > if > > > > > > we drop the current compression implementation and rework > > > > > > your > > > > > > old > > > > > > code > > > > > > to handle both compression and signing since the signing > > > > > > code > > > > > > is > > > > > > more or > > > > > > less already complete. > > > > >=20 > > > > > Signing modules in pkg_preinst seems like a bad idea to me. > > > > > That > > > > > means > > > > > you need to copy your private keys around to every host where > > > > > the > > > > > package might be installed. > > > > >=20 > > > > > If you sign in src_compile or src_install, you only need > > > > > private > > > > > keys > > > > > on the system building your binpkg. > > > > >=20 > > > >=20 > > > > unfortunately portage will unconditionally strip .ko objects, > > > > rendering > > > > modules unloadable by stripping signature,=C2=A0 unless we do > > > > dostrip -x > > > > (requires EAPI7+, which should not be a problem nowadays, but > > > > was a > > > > problem back in 2018), which can be quite unfortunate on debug > > > > enabled > > > > kernels. > > >=20 > > > Sounds like something to fix/change in Portage. It could probably > > > be > > > updated to not strip the signature. However, I would guess the > > > signature needs to be updated after the binary is modified in any > > > case. > > >=20 > > > Or as a workaround you could disable automatic striping via > > > dostrip - > > > x > > > and run the proper commands to strip the modules in src_install > > > as > > > well. > > >=20 > > I think even strip itself does not have proper options not to break > > module. Several years back it was the case, basically one has to > > strip > > first, sign second, otherwise module will be unloadable. > >=20 > > "Signed modules are BRITTLE as the signature is outside of the > > defined > > ELF container. Thus they MAY NOT be stripped once the signature is > > computed and attached. Note the entire module is the signed > > payload, > > including any and all debug information present at the time of > > signing." > >=20 > > https://www.kernel.org/doc/html/v4.15/admin-guide/module-signing.html#s= igned-modules-and-stripping > >=20 >=20 > In that case, I think the only viable way to make this work is to > disable automatic stripping and handle stripping via custom code in > the ebuild/eclass. >=20 might work indeed if we do something like (pseudo-bash) if [[ module_sign =3D=3D yes ]]; then dostrip -x /lib/modules # to stop portage stripping .ko objects manual-strip-respecting-features-nostrip -r /lib/modules sign-all-modules -r /lib/modules fi [[ compress_modules =3D=3D yes ]] && compress-modules -r /lib/modules this will equire eapi-bumping couple of packages https://qa-reports.gentoo.org/output/eapi-per-eclass/linux-mod.eclass/6.txt and restricting linux-mod.eclass to eapi7 or later.