From: Kenton Groombridge
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing
Date: Thu, 23 Jun 2022 10:30:00 -0400
Message-ID: <20220623143000.2fq6cjjsvmr2mqrx@fuuko>
In-Reply-To: <2de980d1-688f-c90b-c178-0b3a58f04099@gentoo.org>
References: <20220621181959.920941-1-concord@gentoo.org> <20220621182158.qo57sqqn6gcgdzry@fuuko> <2de980d1-688f-c90b-c178-0b3a58f04099@gentoo.org>

On 22/06/23 08:51AM, Mike Pagano wrote:
> On 6/21/22 14:21, Kenton Groombridge wrote:
> > On 22/06/21 02:19PM, Kenton Groombridge wrote:
> > > eee74b9fca1 adds support for module compression, but this breaks loading
> > > out of tree modules when module signing is enforced because modules must
> > > be signed before they are compressed. Additionally, the recommended
> > > Portage hook[1] no longer works with this change.
> > >
> >
> > Forgot to include this reference:
> >
> > [1] https://wiki.gentoo.org/wiki/Signed_kernel_module_support#Automatically_signing_kernel_modules_.28Portage.29
> >
> > > Add module signing support in linux-mod.eclass which more or less does
> > > exactly what the aforementioned Portage hook does. If the kernel
> > > configuration has CONFIG_MODULE_SIG_ALL=y, then read the hash and keys
> > > from the kernel configuration and call the sign_file tool to sign the
> > > module before it is compressed.
> > >=20 > > > Bug: https://bugs.gentoo.org/show_bug.cgi?id=3D447352 > > > Signed-off-by: Kenton Groombridge > > > --- > > > eclass/linux-mod.eclass | 16 ++++++++++++++++ > > > 1 file changed, 16 insertions(+) > > >=20 > > > diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass > > > index b7c13cbf7e7..fd40f6d7c6c 100644 > > > --- a/eclass/linux-mod.eclass > > > +++ b/eclass/linux-mod.eclass 
> > > @@ -712,6 +712,22 @@ linux-mod_src_install() { > > > cd "${objdir}" || die "${objdir} does not exist" > > > insinto "${INSTALL_MOD_PATH}"/lib/modules/${KV_FULL}/${libdir} > > > + # check here for CONFIG_MODULE_SIG_ALL and sign the module being b= uilt if enabled. > > > + # modules must be signed before they are compressed. > > > + > > > + if linux_chkconfig_present MODULE_SIG_ALL; then > > > + local module_sig_hash=3D"$(linux_chkconfig_string MODULE_SIG_HASH= )" > > > + local module_sig_key=3D"$(linux_chkconfig_string MODULE_SIG_KEY)" > > > + module_sig_key=3D"${module_sig_key:-certs/signing_key.pem}" > > > + if [[ "${module_sig_key#pkcs11:}" =3D=3D "${module_sig_key}" && "= ${module_sig_key#/}" =3D=3D "${module_sig_key}" ]]; then > > > + local key_path=3D"${KERNEL_DIR}/${module_sig_key}" > > > + else > > > + local key_path=3D"${module_sig_key}" > > > + fi > > > + local cert_path=3D"${KERNEL_DIR}/certs/signing_key.x509" > > > + "${KERNEL_DIR}"/scripts/sign-file ${module_sig_hash//\"} ${key_pa= th//\"} ${cert_path} ${modulename}.${KV_OBJ} > > > + fi > > > + > > > # check here for CONFIG_MODULE_COMPRESS_ (NON= E, GZIP, XZ, ZSTD) > > > # and similarily compress the module being built if !=3D NONE. > > > --=20 > > > 2.35.1 > > >=20 > > >=20 >=20 >=20 > First of all, thank-you for your work ! > I appreciate any assistance with enhancement or clean-up of these eclasse= s. >=20 > I tested your patch, are you signing the files in 'work' after they are i= nstalled in 'image' ? >=20 >=20 > /usr/src/linux/scripts/extract-module-sig.pl -s ./work/kernel/nvidia.ko >= /tmp/sig > Read 47802433 bytes from module file > Found magic number at 47802433 > Found PKCS#7/CMS encapsulation > Found 681 bytes of signature [308202a506092a864886f70d010702a0] >=20 > /usr/src/linux/scripts/extract-module-sig.pl -s ./image/lib/modules/5.18.= 6-gentoo/video/nvidia.ko > /tmp/sig > Read 47227784 bytes from module file > Magic number not found at 47227784 >=20 Thanks for testing! That's odd. 
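Review bot: the sign-file invocation in the new MODULE_SIG_ALL block ("${KERNEL_DIR}"/scripts/sign-file ${module_sig_hash//\"} ${key_path//\"} ${cert_path} ${modulename}.${KV_OBJ}) has no || die, so when signing fails (sign-file not built, key unreadable, unsupported hash) the module is still compressed and installed unsigned and the problem only surfaces as a load failure once signature enforcement is on; end that line with || die "failed to sign module" as the surrounding function already does for cd. The quote handling is also inconsistent: ${module_sig_hash//\"} and ${key_path//\"} show that the values from linux_chkconfig_string are expected to carry their .config double quotes, yet the pkcs11: and leading-/ prefix tests run on the still-quoted ${module_sig_key}, so neither branch can match and a PKCS#11 URI or absolute key path ends up resolved relative to ${KERNEL_DIR}; strip the quotes once right after reading MODULE_SIG_KEY and MODULE_SIG_HASH, drop the later //\" expansions, and double-quote ${cert_path} and ${modulename}.${KV_OBJ} while there.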
In my environment they are signed in 'work' before installing to 'image' as
they should be.

# unzstd /lib/modules/5.15.48-gentoo/misc/p_lkrg.ko.zst
/lib/modules/5.15.48-gentoo/misc/p_lkrg.ko.zst: 436681 bytes
# /usr/src/linux/scripts/extract-module-sig.pl -s /lib/modules/5.15.48-gentoo/misc/p_lkrg.ko >sig
Read 436681 bytes from module file
Found magic number at 436681
Found PKCS#7/CMS encapsulation
Found 681 bytes of signature [308202a506092a864886f70d010702a0]

The installation of modules in linux-mod_src_install happens after signing
and compression, so unless I am missing something that shouldn't be
happening.
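As an added example that is not part of this thread or of linux-mod.eclass: a POSIX sh check for the property Mike tested with extract-module-sig.pl, namely that every installed module (plain or zstd/xz/gzip compressed) still ends with the kernel's signature magic once decompressed, which is only true when signing happened before compression. It assumes zstd, xz and gzip are on PATH; the magic string is the kernel's MODULE_SIG_STRING, and the script name in the usage comment is made up.

```shell
#!/bin/sh
# Check that installed kernel modules carry an appended signature.
# sign-file appends the PKCS#7 blob, a module_signature header and the fixed
# magic string below to the .ko; compression happens afterwards, so a module
# built in the right order still ends with the magic once decompressed.

MODULE_SIG_STRING='~Module signature appended~'   # kernel MODULE_SIG_STRING without its trailing newline

# decompress_module FILE OUT: write the raw .ko of a plain or compressed module to OUT.
decompress_module() {
    case "$1" in
        *.ko.zst) zstd -dc -- "$1" > "$2" ;;
        *.ko.xz)  xz -dc -- "$1" > "$2" ;;
        *.ko.gz)  gzip -dc "$1" > "$2" ;;
        *.ko)     cat -- "$1" > "$2" ;;
        *)        return 2 ;;
    esac
}

# module_is_signed FILE: 0 if the decompressed module ends with the signature
# magic, 1 if it does not, 2 if FILE could not be read or decompressed.
module_is_signed() {
    tmp=$(mktemp) || return 2
    decompress_module "$1" "$tmp" || { rm -f "$tmp"; return 2; }
    # $(...) strips the trailing newline; tr drops NULs an unsigned ELF may end with
    trailer=$(tail -c 28 "$tmp" | tr -d '\000')
    rm -f "$tmp"
    [ "$trailer" = "$MODULE_SIG_STRING" ]
}

# unsigned_modules DIR: print each module under DIR that is unsigned or
# unreadable, one per line; exit 0 only when every module is signed.
unsigned_modules() {
    list=$(find "$1" -type f \( -name '*.ko' -o -name '*.ko.zst' -o -name '*.ko.xz' -o -name '*.ko.gz' \) | sort)
    [ -n "$list" ] || return 0
    n=0
    while IFS= read -r f; do
        module_is_signed "$f" || { printf '%s\n' "$f"; n=$((n + 1)); }
    done <<EOF
$list
EOF
    [ "$n" -eq 0 ]
}

# Usage (script name is made up): check-module-sigs.sh /lib/modules/$(uname -r)
if [ $# -eq 1 ]; then
    unsigned_modules "$1" && echo "all modules under $1 are signed"
fi
```

Run against the image directory of a module ebuild (or the live /lib/modules tree) after the install phase; a non-zero exit lists every module that would fail to load under CONFIG_MODULE_SIG_FORCE.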