From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 5F6C4158099 for ; Mon, 27 Nov 2023 17:50:31 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 0999F2BC066; Mon, 27 Nov 2023 17:50:27 +0000 (UTC) Received: from smtp.gentoo.org (woodpecker.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 334282BC02A for ; Mon, 27 Nov 2023 17:50:26 +0000 (UTC) Message-ID: <6b3aea364b6c4fd0cc9622216aa5add0b1c342ba.camel@gentoo.org> Subject: Re: [gentoo-dev] [PATCH] kernel-build.eclass: work around permissions issue with module signing From: =?UTF-8?Q?Micha=C5=82_G=C3=B3rny?= To: gentoo-dev@lists.gentoo.org Cc: Violet Purcell Date: Mon, 27 Nov 2023 18:50:20 +0100 In-Reply-To: <20231127171224.15172-1-vimproved@inventati.org> References: <20231127171224.15172-1-vimproved@inventati.org> Organization: Gentoo Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="=-ahil01+2HA4d2ZHfT1to" User-Agent: Evolution 3.50.1 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply MIME-Version: 1.0 X-Archives-Salt: 9e7b66fc-6946-46c9-baec-db710a343ee2 X-Archives-Hash: 93604058bc1b4c72a586281331f71365 --=-ahil01+2HA4d2ZHfT1to Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Mon, 2023-11-27 at 12:12 -0500, Violet Purcell wrote: > Currently, using a custom path for MODULES_SIGN_KEY requires the key to > be readable by portage:portage. This is not ideal for security, since > the file has to be either owned by portage:portage or readable by all > users in this case. Instead, export the contents of MODULES_SIGN_KEY to > a variable in pkg_setup, and then create a temporary file with it in > src_configure to ensure that the temporary key is readable by the user > that the kernel is being built as. The variable is then unset so it does > not end up in the final environment file. >=20 > Signed-off-by: Violet Purcell > --- > eclass/kernel-build.eclass | 19 +++++++++++++------ > 1 file changed, 13 insertions(+), 6 deletions(-) >=20 > diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass > index 4f7e4d047739..cf958c86ff29 100644 > --- a/eclass/kernel-build.eclass > +++ b/eclass/kernel-build.eclass > @@ -114,6 +114,13 @@ kernel-build_pkg_setup() { > python-any-r1_pkg_setup > if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then > secureboot_pkg_setup > + if [[ -e ${MODULES_SIGN_KEY} && ${MODULES_SIGN_KEY} !=3D pkcs11:* ]]; = then > + if [[ -e ${MODULES_SIGN_CERT} && ${MODULES_SIGN_CERT} !=3D ${MODULES_= SIGN_KEY} ]]; then > + export MODULES_SIGN_KEY_CONTENTS=3D"$(cat "${MODULES_SIGN_CERT}" "${= MODULES_SIGN_KEY}")" > + else > + export MODULES_SIGN_KEY_CONTENTS=3D"$(< "${MODULES_SIGN_KEY}")" You don't need to export it. Unexported variables are also preserved. > + fi > + fi > fi > } > =20 > @@ -427,12 +434,12 @@ kernel-build_merge_configs() { > CONFIG_MODULE_SIG_FORCE=3Dy > CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=3Dy > EOF > - if [[ -e ${MODULES_SIGN_KEY} && -e ${MODULES_SIGN_CERT} && > - ${MODULES_SIGN_KEY} !=3D ${MODULES_SIGN_CERT} && > - ${MODULES_SIGN_KEY} !=3D pkcs11:* ]] > - then > - cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" > "${T}/kernel_key.= pem" || die > - MODULES_SIGN_KEY=3D"${T}/kernel_key.pem" > + if [[ -n "${MODULES_SIGN_KEY_CONTENTS}" ]]; then > + touch "${T}/kernel_key.pem" || die > + chmod 0600 "${T}/kernel_key.pem" || die This creates a race condition whereupon the file can be opened between the call to touch and chmod. It's better to use a subshell and set umask. > + echo "${MODULES_SIGN_KEY_CONTENTS}" > "${T}/kernel_key.pem" || die > + unset MODULES_SIGN_KEY_CONTENTS > + export MODULES_SIGN_KEY=3D"${T}/kernel_key.pem" > fi > if [[ ${MODULES_SIGN_KEY} =3D=3D pkcs11:* || -r ${MODULES_SIGN_KEY} ]= ]; then > echo "CONFIG_MODULE_SIG_KEY=3D\"${MODULES_SIGN_KEY}\"" \ --=20 Best regards, Micha=C5=82 G=C3=B3rny --=-ahil01+2HA4d2ZHfT1to Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- iQFGBAABCgAwFiEEx2qEUJQJjSjMiybFY5ra4jKeJA4FAmVk1t0SHG1nb3JueUBn ZW50b28ub3JnAAoJEGOa2uIyniQOMxEIANCqB2AL0QH+cMERACJf34SfUlLOTyjq 8ykPtsxuGEq+mAD3dIyRnh49ExjJlAJ+eG0LHPso8KQ319bWRQ5aUGn12VdPeLlj nCV/0txf7EaDJSmqgk/6V3qHeQz/UzKbVwf0KriEtGIMB+XJDAdeOigKGhTzuQNL rADAnHIcnRXKmisMWjH9zoBRobVHFMVTsEeiHRkMypgrCyR9yf7HK5P3rWXbP8j/ g0pFdEEaH3swP4z2wQWK25pt52Q6lvCMWT1vIGlHJ++a3ANT3wXPCOf9AIUT7A7G PbB/8ZpJn4mZsndqo4053SknYQ2ifma9GnkJPzGhi5se3MpAa7EwrGE= =Ivyv -----END PGP SIGNATURE----- --=-ahil01+2HA4d2ZHfT1to--