public inbox for gentoo-dev@lists.gentoo.org
From: Kenton Groombridge <concord@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing
Date: Tue, 21 Jun 2022 14:19:59 -0400	[thread overview]
Message-ID: <20220621181959.920941-1-concord@gentoo.org> (raw)

eee74b9fca1 adds support for module compression, but this breaks loading
out of tree modules when module signing is enforced because modules must
be signed before they are compressed. Additionally, the recommended
Portage hook[1] no longer works with this change.

Add module signing support in linux-mod.eclass which more or less does
exactly what the aforementioned Portage hook does. If the kernel
configuration has CONFIG_MODULE_SIG_ALL=y, then read the hash and keys
from the kernel configuration and call the sign_file tool to sign the
module before it is compressed.

Bug: https://bugs.gentoo.org/show_bug.cgi?id=447352
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
---
 eclass/linux-mod.eclass | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass
index b7c13cbf7e7..fd40f6d7c6c 100644
--- a/eclass/linux-mod.eclass
+++ b/eclass/linux-mod.eclass
@@ -712,6 +712,22 @@ linux-mod_src_install() {
 		cd "${objdir}" || die "${objdir} does not exist"
 		insinto "${INSTALL_MOD_PATH}"/lib/modules/${KV_FULL}/${libdir}
 
+		# check here for CONFIG_MODULE_SIG_ALL and sign the module being built if enabled.
+		# modules must be signed before they are compressed.
+
+		if linux_chkconfig_present MODULE_SIG_ALL; then
+			local module_sig_hash="$(linux_chkconfig_string MODULE_SIG_HASH)"
+			local module_sig_key="$(linux_chkconfig_string MODULE_SIG_KEY)"
+			module_sig_key="${module_sig_key:-certs/signing_key.pem}"
+			if [[ "${module_sig_key#pkcs11:}" == "${module_sig_key}" && "${module_sig_key#/}" == "${module_sig_key}" ]]; then
+				local key_path="${KERNEL_DIR}/${module_sig_key}"
+			else
+				local key_path="${module_sig_key}"
+			fi
+			local cert_path="${KERNEL_DIR}/certs/signing_key.x509"
+			"${KERNEL_DIR}"/scripts/sign-file ${module_sig_hash//\"} ${key_path//\"} ${cert_path} ${modulename}.${KV_OBJ}
+		fi
+
 		# check here for CONFIG_MODULE_COMPRESS_<compression option> (NONE, GZIP, XZ, ZSTD) 
 		# and similarily compress the module being built if != NONE.
 
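Review bot: the two prefix tests in the inner `if` run on the raw output of `linux_chkconfig_string MODULE_SIG_KEY`, yet the final `sign-file` line strips double quotes with `${module_sig_hash//\"}` and `${key_path//\"}`, which shows the value still carries its quotes at that point; a quoted absolute path such as `"/etc/keys/signing_key.pem"` or a `"pkcs11:..."` URI therefore starts with `"`, fails both the `${module_sig_key#pkcs11:}` and the `${module_sig_key#/}` comparison, and ends up as `${KERNEL_DIR}/"/etc/keys/signing_key.pem"`. Strip the quotes from both values once, right after reading them (`module_sig_key="${module_sig_key//\"}"`), and run the tests on the stripped key. Separately, the `sign-file` invocation has no `|| die`: a missing key, an absent `scripts/sign-file` or an unknown hash name leaves the module unsigned, it is then compressed and installed anyway, and the problem only surfaces at load time under enforced signing, which is the failure this patch sets out to fix; `${cert_path}` and `${modulename}.${KV_OBJ}` should also be double-quoted like the other paths in this function.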
-- 
2.35.1
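An added example, not code from the patch or from linux-mod.eclass, that does the three steps the description above lays out in a checkable form: read CONFIG_MODULE_SIG_HASH/CONFIG_MODULE_SIG_KEY from a kernel .config with the quotes stripped, resolve the key the way scripts/sign-file expects it (pkcs11: URIs and absolute paths untouched, relative paths under the kernel tree, default certs/signing_key.pem), and test whether a built .ko already carries the signature trailer before it is compressed. The kernel dir, the .config contents and the module files are constructed for the demo.

```shell
#!/bin/bash
# Added example, not code from the patch or from linux-mod.eclass. The kernel
# dir, the .config and the module files below are constructed for the demo.

# Read CONFIG_<name> from a .config, stripping the quotes that string options
# carry (e.g. CONFIG_MODULE_SIG_HASH="sha256"). Returns 1 if the option is unset.
config_string() {  # $1 = .config path, $2 = option name without CONFIG_
    local line
    line=$(grep -E -m1 "^CONFIG_$2=" "$1") || return 1
    line=${line#*=}
    line=${line#\"}
    printf '%s\n' "${line%\"}"
}

# Resolve CONFIG_MODULE_SIG_KEY to what scripts/sign-file expects: pkcs11: URIs
# and absolute paths pass through, anything else is relative to the kernel
# tree, and an empty value means the kernel's default key.
resolve_sig_key() {  # $1 = kernel dir, $2 = key value with quotes stripped
    local key="${2:-certs/signing_key.pem}"
    case "$key" in
        pkcs11:*|/*) printf '%s\n' "$key" ;;
        *)           printf '%s\n' "$1/$key" ;;
    esac
}

# Compose the sign-file command line for one module (printed, not executed).
# The certificate always lives at certs/signing_key.x509 in the kernel tree.
sign_cmd() {  # $1 = kernel dir, $2 = .config path, $3 = module file
    local hash key
    hash=$(config_string "$2" MODULE_SIG_HASH) || return 1
    key=$(resolve_sig_key "$1" "$(config_string "$2" MODULE_SIG_KEY)")
    printf '%s\n' "$1/scripts/sign-file $hash $key $1/certs/signing_key.x509 $3"
}

# A signed module ends with the 28-byte magic "~Module signature appended~\n".
# Check the uncompressed .ko; compression moves this trailer off the file end.
module_is_signed() {  # $1 = path to .ko
    [ "$(tail -c 28 "$1" 2>/dev/null)" = "~Module signature appended~" ]
}

demo_dir=$(mktemp -d)  # constructed demo inputs, removed on exit
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/.config" <<'EOF'
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_HASH="sha256"
CONFIG_MODULE_SIG_KEY="/etc/kernel/keys/signing_key.pem"
EOF
printf 'fake module body' > "$demo_dir/unsigned.ko"
printf 'fake module body\n~Module signature appended~\n' > "$demo_dir/signed.ko"
sign_cmd /usr/src/linux "$demo_dir/.config" "$demo_dir/signed.ko"
```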

Thread overview: 22+ messages
2022-06-21 18:19 Kenton Groombridge [this message]
2022-06-21 18:21 ` [gentoo-dev] [PATCH] linux-mod.eclass: support module signing Kenton Groombridge
2022-06-23 12:51   ` Mike Pagano
2022-06-23 14:30     ` Kenton Groombridge
2022-06-26 10:52 ` Georgy Yakovlev
2022-06-26 11:15   ` Georgy Yakovlev
2022-06-27 18:35     ` Kenton Groombridge
2022-06-27 18:56       ` Mike Gilbert
2022-06-27 19:18         ` Kenton Groombridge
2022-06-27 19:42         ` Georgy Yakovlev
2022-06-27 19:49           ` Mike Gilbert
2022-06-27 21:11             ` Georgy Yakovlev
2022-06-27 21:50               ` Mike Gilbert
2022-06-27 23:42                 ` Georgy Yakovlev
2022-07-05 19:02                   ` Georgy Yakovlev
2022-07-05 19:55                     ` Kenton Groombridge
2022-07-05 20:11                     ` Mike Gilbert
2022-06-27 19:46       ` Georgy Yakovlev
2022-06-27 20:02         ` Kenton Groombridge
2022-06-27 21:25           ` Georgy Yakovlev