* [gentoo-dev] [PATCH 0/2] kernel-build.eclass: fix signing and compressing of kernel modules
@ 2023-06-15 9:50 Andrew Ammerlaan
0 siblings, 0 replies; only message in thread
From: Andrew Ammerlaan @ 2023-06-15 9:50 UTC (permalink / raw
To: gentoo-dev
Hi all,
This first patch reworks the stripping of kernel modules, mirroring the
changes from linux-mod.eclass to linux-mod-r1.eclass, and fixing Bug
814344 and Bug 881651.
Before this change enabling the CONFIG_MODULE_SIG=y and
CONFIG_MODULE_SIG_ALL=y kernel options would cause the kernel build
system to sign the kernel modules (as it should) but then portage would
strip this signature again during install. Additionally, any keys
generated during the build process were not installed, making it
impossible to sign additional external kernel modules.
Similarly enabling the CONFIG_MODULE_COMPRESS_*=y options would cause
the kernel build system to compress the modules (as it should). But then
portage can no longer strip the modules. Resulting in modules that,
while compressed, still contain the debug symbols.
The solution is to introduce 'IUSE="+strip"' (like in
linux-mod-r1.eclass) and have the kernel build system itself take care
of stripping. This way modules are stripped, if the flag is enabled,
*before* they are signed and/or compressed.
Additionally the eclass now also installs any signing keys that may have
been generated during the build process.
The second patch does not fix any bugs but does add convenience. This
patch makes gentoo-kernel-x.y.z.ebuild respect the variables already
introduced by linux-mod-r1.eclass. And adds a warning if we are letting
the kernel build system generate the keys (CONFIG_MODULE_SIG=y but
CONFIG_MODULE_SIG_KEY set to default). Because these generated keys will
end up in any binary packages which might be undesirable. From a
security point of view it is better to use an external key (i.e. define
MODULES_SIGN_KEY="").
The end result of both patches is that users who do not wish to
configure the kernel, but still would like signed kernel modules can
simply set 'USE="dist-kernel modules-sign"' and optionally
'MODULES_SIGN_HASH=""' and 'MODULES_SIGN_KEY=""', portage will take care
of the rest.
Special thanks to Ionen Wolkens for his feedback on the initial draft.
Let me know what you think,
Best regards,
Andrew
See Also: https://github.com/gentoo/gentoo/pull/31358
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2023-06-15 9:50 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-06-15 9:50 [gentoo-dev] [PATCH 0/2] kernel-build.eclass: fix signing and compressing of kernel modules Andrew Ammerlaan
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox