Message-ID: <1537534680.1635.11.camel@tsoy.me>
Subject: Re: [gentoo-dev] [PATCH] eclass/linux-mod.eclass: add module signing support
From: Alexander Tsoy
To: gentoo-dev@lists.gentoo.org
Date: Fri, 21 Sep 2018 15:58:00 +0300
In-Reply-To: <20180921051304.115704-1-gyakovlev@gentoo.org>

On Thu, 20/09/2018 at 22:13 -0700, Georgy Yakovlev wrote:
> ----------------->%------------------- > @@ -144,13 +158,16 @@ esac > 0) die "EAPI=${EAPI} is not supported with > MODULES_OPTIONAL_USE_IUSE_DEFAULT due to lack of IUSE defaults" ;; > esac > > -IUSE="kernel_linux > ${MODULES_OPTIONAL_USE:+${_modules_optional_use_iuse_default}}${MODUL > ES_OPTIONAL_USE}" > +IUSE="module-sign kernel_linux > ${MODULES_OPTIONAL_USE:+${_modules_optional_use_iuse_default}}${MODUL > ES_OPTIONAL_USE}" > SLOT="0" > RDEPEND="${MODULES_OPTIONAL_USE}${MODULES_OPTIONAL_USE:+? (} > kernel_linux? ( virtual/modutils ) ${MODULES_OPTIONAL_USE:+)}" > DEPEND="${RDEPEND} > ${MODULES_OPTIONAL_USE}${MODULES_OPTIONAL_USE:+? (} > sys-apps/sed > - kernel_linux? ( virtual/linux-sources virtual/libelf ) > + kernel_linux? ( > + virtual/linux-sources virtual/libelf > + module-sign? ( || ( dev-libs/openssl dev- > libs/libressl ) ) > + )

It should depend on the proper openssl slot: dev-libs/openssl:0

> ${MODULES_OPTIONAL_USE:+)}" > > # eclass utilities
> @@ -352,6 +369,84 @@ get-KERNEL_CC() { > echo "${kernel_cc}" > } > > +# @FUNCTION: _check_sig_force > +# @INTERNAL > +# @DESCRIPTION: > +# Check if kernel requires module signing and die > +# if modules are not going to be signed. > +_check_sig_force() { > + debug-print-function ${FUNCNAME} "${@}" > + > + if linux_chkconfig_present MODULE_SIG_FORCE; then > + if use !module-sign; then > + eerror "kernel .config has > MODULE_SIG_FORCE=y option set" > + eerror "This means that kernel requires all > modules" > + eerror "to be signed and verified before > loading" > + eerror "please enable USE=\"module-sign\" or > reconfigure your kernel" > + eerror "otherwise loading the module will > fail" > + die "signature required" > + fi > + fi > +} > + > +# @FUNCTION: _sign_module > +# @INTERNAL > +# @USAGE: > +# @DESCRIPTION: > +# Sign a kernel module > +_sign_module() { > + debug-print-function ${FUNCNAME} "${@}" > + > + local dotconfig_sig_hash dotconfig_sig_key > + local sign_binary_path sig_key_path sig_x509_path > + local module > + > + # extract values from kernel .config > + # extracted key path is not full, e.g. > "certs/signing_key.pem" > + dotconfig_sig_hash="$(linux_chkconfig_string > MODULE_SIG_HASH)" > + dotconfig_sig_key="$(linux_chkconfig_string MODULE_SIG_KEY)" > + > + # sign-file binary chokes on double quotes > + dotconfig_sig_hash=${dotconfig_sig_hash//\"/} > + dotconfig_sig_key=${dotconfig_sig_key//\"/} > + > + sign_binary_path="${KV_OUT_DIR}/scripts/sign-file" Yet another way to screw up modules building. It relies on some binary in the kernel build dir that may break after openssl update (e.g. soname change).
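Review bot: the `module-sign? ( || ( dev-libs/openssl dev-libs/libressl ) )` added to DEPEND in the first hunk (@@ -144,13 +158,16 @@) carries no slot, so any installed openssl slot satisfies it; as the reply already says, spell it `dev-libs/openssl:0`. It also only guarantees a libcrypto at the module package's build time, which says nothing about the library that the kernel's own `scripts/sign-file` was linked against when the kernel tree was built, which is the breakage the reply warns about.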
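Review bot: in the second hunk (@@ -352,6 +369,84 @@) `_sign_module` sets `sign_binary_path="${KV_OUT_DIR}/scripts/sign-file"` without checking that the binary exists and is runnable; add something like `[[ -x ${sign_binary_path} ]] || die "sign-file not found or not executable in ${KV_OUT_DIR}/scripts"` before using it, so a kernel tree without a completed build, or a `sign-file` whose linked libcrypto soname changed after an openssl update, fails with a clear message instead of later in the signing step. Two smaller points: the `@USAGE:` line for `_sign_module` is empty and should name the module argument, and the comment that `MODULE_SIG_KEY` is a relative path such as `certs/signing_key.pem` means it must be resolved against the kernel tree; the kernel also accepts a PKCS#11 URI in `CONFIG_MODULE_SIG_KEY`, which the visible lines treat as a file path.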