From: Kenton Groombridge
To: gentoo-dev@lists.gentoo.org
Subject: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing
Date: Tue, 21 Jun 2022 14:19:59 -0400
Message-Id: <20220621181959.920941-1-concord@gentoo.org>

eee74b9fca1 adds support for module compression, but this breaks loading out-of-tree modules when module signing is enforced because modules must be signed before they are compressed. Additionally, the recommended Portage hook[1] no longer works with this change.

Add module signing support in linux-mod.eclass which more or less does exactly what the aforementioned Portage hook does. If the kernel configuration has CONFIG_MODULE_SIG_ALL=y, then read the hash and keys from the kernel configuration and call the sign_file tool to sign the module before it is compressed.

Bug: https://bugs.gentoo.org/show_bug.cgi?id=447352
Signed-off-by: Kenton Groombridge
---
 eclass/linux-mod.eclass | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass
index b7c13cbf7e7..fd40f6d7c6c 100644
--- a/eclass/linux-mod.eclass
+++ b/eclass/linux-mod.eclass
@@ -712,6 +712,22 @@ linux-mod_src_install() { cd "${objdir}" || die "${objdir} does not exist" insinto "${INSTALL_MOD_PATH}"/lib/modules/${KV_FULL}/${libdir} + # check here for CONFIG_MODULE_SIG_ALL and sign the module being built if enabled. + # modules must be signed before they are compressed. + + if linux_chkconfig_present MODULE_SIG_ALL; then + local module_sig_hash="$(linux_chkconfig_string MODULE_SIG_HASH)" + local module_sig_key="$(linux_chkconfig_string MODULE_SIG_KEY)" + module_sig_key="${module_sig_key:-certs/signing_key.pem}" + if [[ "${module_sig_key#pkcs11:}" == "${module_sig_key}" && "${module_sig_key#/}" == "${module_sig_key}" ]]; then + local key_path="${KERNEL_DIR}/${module_sig_key}" + else + local key_path="${module_sig_key}" + fi + local cert_path="${KERNEL_DIR}/certs/signing_key.x509" + "${KERNEL_DIR}"/scripts/sign-file ${module_sig_hash//\"} ${key_path//\"} ${cert_path} ${modulename}.${KV_OBJ} + fi + # check here for CONFIG_MODULE_COMPRESS_ (NONE, GZIP, XZ, ZSTD) # and similarily compress the module being built if != NONE. -- 2.35.1
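Review bot: the pkcs11:/absolute-path test in this hunk runs on the raw linux_chkconfig_string value, which still carries the double quotes that .config puts around string values (the `${module_sig_hash//\"}` and `${key_path//\"}` at the call site show the author expects them), so `"${module_sig_key#pkcs11:}"` and `"${module_sig_key#/}"` never strip anything and an absolute or PKCS#11 key ends up prefixed with `${KERNEL_DIR}/`; for the same reason the `:-certs/signing_key.pem` default is skipped for `CONFIG_MODULE_SIG_KEY=""`, whose value is the two-character string `""`. Strip the quotes once, e.g. `module_sig_key="${module_sig_key//\"}"` right after the assignment, and drop the `//\"` at the call site. The sign-file invocation also has no `|| die`, so a failed signing (missing key, unsupported hash) silently installs an unsigned module that only fails later at load time when signing is enforced; add `|| die "Failed to sign ${modulename}.${KV_OBJ}"`. Finally the arguments are unquoted, so quote them so a key path containing spaces does not get word-split.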