[gentoo-dev] [PATCH 0/2] kernel-build.eclass: fix signing and compressing of kernel modules

public inbox for gentoo-dev@lists.gentoo.org
 help / color / mirror / Atom feed

* [gentoo-dev] [PATCH 0/2] kernel-build.eclass: fix signing and compressing of kernel modules
@ 2023-06-15  9:50 Andrew Ammerlaan
  0 siblings, 0 replies; only message in thread
From: Andrew Ammerlaan @ 2023-06-15  9:50 UTC (permalink / raw
  To: gentoo-dev

Hi all,

This first patch reworks the stripping of kernel modules, mirroring the 
changes from linux-mod.eclass to linux-mod-r1.eclass, and fixing Bug 
814344 and Bug 881651.

Before this change enabling the CONFIG_MODULE_SIG=y and 
CONFIG_MODULE_SIG_ALL=y kernel options would cause the kernel build 
system to sign the kernel modules (as it should) but then portage would 
strip this signature again during install. Additionally, any keys 
generated during the build process were not installed, making it 
impossible to sign additional external kernel modules.

Similarly enabling the CONFIG_MODULE_COMPRESS_*=y options would cause 
the kernel build system to compress the modules (as it should). But then 
portage can no longer strip the modules. Resulting in modules that, 
while compressed, still contain the debug symbols.

The solution is to introduce 'IUSE="+strip"' (like in 
linux-mod-r1.eclass) and have the kernel build system itself take care 
of stripping. This way modules are stripped, if the flag is enabled, 
*before* they are signed and/or compressed.

Additionally the eclass now also installs any signing keys that may have 
been generated during the build process.

The second patch does not fix any bugs but does add convenience. This 
patch makes gentoo-kernel-x.y.z.ebuild respect the variables already 
introduced by linux-mod-r1.eclass. And adds a warning if we are letting 
the kernel build system generate the keys (CONFIG_MODULE_SIG=y but 
CONFIG_MODULE_SIG_KEY set to default). Because these generated keys will 
end up in any binary packages which might be undesirable. From a 
security point of view it is better to use an external key (i.e. define 
MODULES_SIGN_KEY="").

The end result of both patches is that users who do not wish to 
configure the kernel, but still would like signed kernel modules can 
simply set 'USE="dist-kernel modules-sign"' and optionally 
'MODULES_SIGN_HASH=""' and 'MODULES_SIGN_KEY=""', portage will take care 
of the rest.

Special thanks to Ionen Wolkens for his feedback on the initial draft.

Let me know what you think,

Best regards,
Andrew

See Also: https://github.com/gentoo/gentoo/pull/31358

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2023-06-15  9:50 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-06-15  9:50 [gentoo-dev] [PATCH 0/2] kernel-build.eclass: fix signing and compressing of kernel modules Andrew Ammerlaan

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox