From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 1DD741382C5 for ; Sat, 14 Apr 2018 21:25:19 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 53C84E085B; Sat, 14 Apr 2018 21:25:13 +0000 (UTC) Received: from mail-pl0-x22a.google.com (mail-pl0-x22a.google.com [IPv6:2607:f8b0:400e:c01::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id C0334E0827 for ; Sat, 14 Apr 2018 21:25:12 +0000 (UTC) Received: by mail-pl0-x22a.google.com with SMTP id 61-v6so7940798plb.2 for ; Sat, 14 Apr 2018 14:25:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sysdump.net; s=google; h=message-id:subject:from:reply-to:to:cc:date:mime-version :content-transfer-encoding; bh=xP/LohBWVIssASSD1uLOKrDPbW1FtKcLKJcW0WzeZFs=; b=kRj8ImZxKSSqhIE5AOPd5cU2MeYCA3QDNYz8V44ykyb9LIb1Ojlfxrry5/5MU04B6q 6v4fmGKnG8uV3OD6tKqHiVeH6FFV2c5w3X3TXq/LwQOc5eIu7tkdUnSYcy30u//Okfyu EwaeDPl6ZQfbVk8w8qOhxx9PykEeoKRxMbJbbw2D7cZjO3xvvYpmNqi08Lx/fl5X7MW9 rnIpHRr3aSDncfs1kvYRK25YkrSL+Cui0UXeDMq/8f7T3sGcfa25MCpI7StYtfEUp2FB A5NJ872Wbo8tgH7Zkix3IjwrQ4qR73XKvXsYkurQaWsva1K33WGOE5wZXk7gKO+pl/ph 61AQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:message-id:subject:from:reply-to:to:cc:date :mime-version:content-transfer-encoding; bh=xP/LohBWVIssASSD1uLOKrDPbW1FtKcLKJcW0WzeZFs=; b=koo6PxZsICQXUCYKo9jwSNKeDwHfezNZKxqxn7xKEBYSCfNN7Zoez8itrfY5uuiuo7 8eYfw2FtoI+zXk+s+M5Q4QbdLXOiFxHg8APOPv/meBOCB0RjJuYpawdj5I1Suig6CwHo 0OEKh1T5jwwaKtSmTccOPJczCGuQX2yXoCSYZORxJ8MxQYUYYe967ev+OSGnclHdcNFe iXx/vrsaxGlaieheBDccMa2vQF6gIi8gslpjv84kanP+FFC37Zh/WC/7EGyzrdcf7kMI LT4R2ASJyelUGY7DTGdgw/2172O322PVn82EsvvzHu2lGQWzUPXBIRfwi6ZK3Ck1l3eI Ycug== X-Gm-Message-State: ALQs6tD38eWMo5pahrYNypXEC7x+N0UbkiLhoWVl8rohb6L/P8yKPfl0 U8DafHWyZDd7d/JYN9sMwDAj61FE/Wg= X-Google-Smtp-Source: AIpwx4/tYv/cGv0cGAHhr79TzNSLl9CJ+mQ/VDYgCesVqkwNbGz10jod51iNWczqzs4r+tgUS5HY5g== X-Received: by 2002:a17:902:7291:: with SMTP id d17-v6mr9983527pll.218.1523741111289; Sat, 14 Apr 2018 14:25:11 -0700 (PDT) Received: from usg.local.sysdump.net.local.sysdump.net (cpe-75-83-91-39.socal.res.rr.com. [75.83.91.39]) by smtp.gmail.com with ESMTPSA id 189sm18622223pfu.44.2018.04.14.14.25.10 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Sat, 14 Apr 2018 14:25:10 -0700 (PDT) Message-ID: <1523741109.12403.28.camel@sysdump.net> Subject: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing From: Georgy Yakovlev To: "gentoo-dev@lists.gentoo.org" Cc: gentoo-kernel@lists.gentoo.org Date: Sat, 14 Apr 2018 14:25:09 -0700 Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.24.6 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org Mime-Version: 1.0 Content-Transfer-Encoding: 7bit X-Archives-Salt: ca7c5cec-c375-45c9-9a97-3c0c688bf1af X-Archives-Hash: 4b15b1c851f379a1f802e2f2895cdfa8 Hi, There is an old bug[1] to support linux kernel module signing at install. And here is my first attempt to modify an eclass. Need proper input on it and a kick in the right direction. Add 3 variables, settable by users if they keep keys somewhere safe. Otherwise it just works with the auto-generated keys if CONFIG_MODULE_SIG=y and vars are unset. eclass will die if kernel requires a signed module, but signing is not requested. Known problems: Packages that do not use linux-mod_src_install() will not sign the modules, But those packages will still inherit module-sign useflag. It's misleading and I'm not sure how to fix that. Examples : sys-kernel/spl, sys-fs/zfs-kmod May need additional handling of KBUILD_SIGN_PIN variable[2], which can be set to hold the passphrase to the key. But it may end up in vdb environment files, not sure how to handle that or if it worth it not eapi-7 ready because of STRIP_MASK usage. will need to cover this case as well, probably later. older (<4.3.3) kernels use perl to sign modules, not sure if it's worth supporting old kernels, there is no gentoo-sources in the tree old enough, except masked 4.1 there are old vanilla-sources that will be affected by this. [1] https://bugs.gentoo.org/447352 [2] https://www.kernel.org/doc/html/v4.16/admin-guide/module-signing.html diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass index bf580cf4cfa9..211b0496f528 100644 --- a/eclass/linux-mod.eclass +++ b/eclass/linux-mod.eclass @@ -14,7 +14,7 @@ # required to install external modules against a kernel source # tree. -# A Couple of env vars are available to effect usage of this eclass +# Several env vars are available to effect usage of this eclass # These are as follows: # @ECLASS-VARIABLE: MODULES_OPTIONAL_USE @@ -132,6 +132,31 @@ # @DESCRIPTION: # It's a read-only variable. It contains the extension of the kernel modules. +# @ECLASS-VARIABLE: KERNEL_MODULE_SIG_HASH +# @DEFAULT_UNSET +# @DESCRIPTION: +# A string to control signing algorithm +# Possible values: sha1:sha224:sha256:sha384:sha512 +# Defaults to value extracted from .config +# Can be set by user in make.conf, as it can differ from kernel's. +# In case of overriding this it's users responsibility to make sure +# that kernel supports desired hash algo + +# @ECLASS-VARIABLE: KERNEL_MODULE_SIG_PEM +# @DEFAULT_UNSET +# @DESCRIPTION: +# A string, containing path to the private key filename or PKCS#11 URI +# Defaults to ${KV_DIR}/certs/signing_key.pem} if unset. +# Can be set by user in make.conf + +# @ECLASS-VARIABLE: KERNEL_MODULE_SIG_X509 +# @DEFAULT_UNSET +# @DESCRIPTION: +# A string, containing path to the public key filename +# Defaults to ${KV_DIR}/certs/signing_key.x509} if unset. +# Can be set by user in make.conf + + inherit eutils linux-info multilib EXPORT_FUNCTIONS pkg_setup pkg_preinst pkg_postinst src_install src_compile pkg_postrm @@ -144,12 +169,13 @@ esac 0) die "EAPI=${EAPI} is not supported with MODULES_OPTIONAL_USE_IUSE_DEFAULT due to lack of IUSE defaults" ;; esac -IUSE="kernel_linux ${MODULES_OPTIONAL_USE:+${_modules_optional_use_iuse_default}}${MODULES_OPTIONAL_USE}" +IUSE="module-sign kernel_linux ${MODULES_OPTIONAL_USE:+${_modules_optional_use_iuse_default}}${MODULES_OPTIONAL_USE}" SLOT="0" RDEPEND="${MODULES_OPTIONAL_USE}${MODULES_OPTIONAL_USE:+? (} kernel_linux? ( virtual/modutils ) ${MODULES_OPTIONAL_USE:+)}" DEPEND="${RDEPEND} ${MODULES_OPTIONAL_USE}${MODULES_OPTIONAL_USE:+? (} sys-apps/sed + module-sign? ( || ( dev-libs/openssl dev-libs/libressl ) ) kernel_linux? ( virtual/linux-sources ) ${MODULES_OPTIONAL_USE:+)}" @@ -196,6 +222,25 @@ check_vermagic() { fi } +# @FUNCTION: check_sig_force +# @INTERNAL +# @DESCRIPTION: +# Check if kernel requires module signing and die +# if module is not going to be signed. +check_sig_force() { + debug-print-function ${FUNCNAME} $* + + if linux_chkconfig_present MODULE_SIG_FORCE; then + if use !module-sign; then + ewarn "" + ewarn "Kernel requires all modules to be signed and verified" + ewarn "please enable USE=\"module-sign\"" + ewarn "otherwise loading the module will fail" + die "signature required" + fi + fi +} + # @FUNCTION: use_m # @RETURN: true or false # @DESCRIPTION: @@ -352,6 +397,28 @@ get-KERNEL_CC() { echo "${kernel_cc}" } +# @FUNCTION: sign_module +# @DESCRIPTION: +# Sign a kernel module if enabled and supported, or just silently ignore the request and do nothing. +# @USAGE: +sign_module() { + debug-print-function ${FUNCNAME} $* + + if use module-sign; then + local sig_hash sig_pem sig_x509 modulename + sig_hash=$(linux_chkconfig_string MODULE_SIG_HASH) + sig_pem="${KV_DIR}/certs/signing_key.pem" + sig_x509="${KV_DIR}/certs/signing_key.x509" + modulename=$(basename "${1}") + + einfo "Signing ${modulename}" + "${KV_DIR}"/scripts/sign-file \ + "${KERNEL_MODULE_SIG_HASH:-${sig_hash//\"/}}" \ + "${KERNEL_MODULE_SIG_PEM:-${sig_pem}}" \ + "${KERNEL_MODULE_SIG_X509:-${sig_x509}}" \ + "${1}" || die "Signing ${modulename} failed" + fi +} # internal function # # FUNCTION: @@ -583,12 +650,17 @@ linux-mod_pkg_setup() { # External modules use kernel symbols (bug #591832) CONFIG_CHECK+=" !TRIM_UNUSED_KSYMS" + # if signature is requested, check if kernel actually supports it + use module-sign && CONFIG_CHECK+=" MODULE_SIG" + linux-info_pkg_setup; require_configured_kernel check_kernel_built; strip_modulenames; [[ -n ${MODULE_NAMES} ]] && check_modules_supported set_kvobj; + use module-sign && export STRIP_MASK="*.${KV_OBJ}"; + check_sig_force; # Commented out with permission from johnm until a fixed version for arches # who intentionally use different kernel and userland compilers can be # introduced - Jason Wever , 23 Oct 2005 @@ -716,8 +788,9 @@ linux-mod_src_install() { einfo "Installing ${modulename} module" cd "${objdir}" || die "${objdir} does not exist" - insinto /lib/modules/${KV_FULL}/${libdir} - doins ${modulename}.${KV_OBJ} || die "doins ${modulename}.${KV_OBJ} failed" + sign_module "${modulename}.${KV_OBJ}" + insinto /lib/modules/"${KV_FULL}/${libdir}" + doins "${modulename}.${KV_OBJ}" || die "doins ${modulename}.${KV_OBJ} failed" cd "${OLDPWD}" generate_modulesd "${objdir}/${modulename}"