From: Andrew Ammerlaan
Date: Mon, 11 Dec 2023 09:00:16 +0100
Subject: Re: [gentoo-dev] [PATCH v3] kernel-build.eclass: work around permissions issue with module signing
To: gentoo-dev@lists.gentoo.org
Cc: Michał Górny, vimproved@inventati.org
Message-ID: <8f848f1b-7f70-49df-8840-54df6ee35b66@gentoo.org>
In-Reply-To: <6b3aea364b6c4fd0cc9622216aa5add0b1c342ba.camel@gentoo.org>
References: <20231127171224.15172-1-vimproved@inventati.org> <6b3aea364b6c4fd0cc9622216aa5add0b1c342ba.camel@gentoo.org>
Organization: Gentoo Linux

v3:

From dbf92605437b4a457bad2da92f69baab23fcfa44 Mon Sep 17 00:00:00 2001
From: Violet Purcell
Date: Mon, 27 Nov 2023 12:12:09 -0500
Subject: [PATCH] kernel-build.eclass: work around permissions issue with module signing

Currently, using a custom path for MODULES_SIGN_KEY requires the key to
be readable by portage:portage. This is not ideal for security, since
the file has to be either owned by portage:portage or readable by all
users in this case. Instead, export the contents of MODULES_SIGN_KEY to
a variable in pkg_setup, and then create a temporary file with it in
src_configure to ensure that the temporary key is readable by the user
that the kernel is being built as. The variable is then unset so it does
not end up in the final environment file.

Co-authored-by: Andrew Ammerlaan
Signed-off-by: Violet Purcell
---
 eclass/kernel-build.eclass | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index f5529c319f9fc..94b499f82fc1e 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -114,6 +114,13 @@ kernel-build_pkg_setup() { python-any-r1_pkg_setup if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then secureboot_pkg_setup + if [[ -e ${MODULES_SIGN_KEY} && ${MODULES_SIGN_KEY} != pkcs11:* ]]; then + if [[ -e ${MODULES_SIGN_CERT} && ${MODULES_SIGN_CERT} != ${MODULES_SIGN_KEY} ]]; then + MODULES_SIGN_KEY_CONTENTS="$(cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" || die)" + else + MODULES_SIGN_KEY_CONTENTS="$(cat "${MODULES_SIGN_KEY}" || die)" + fi + fi fi }
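Review bot: in the pkg_setup hunk, the right-hand side of `${MODULES_SIGN_CERT} != ${MODULES_SIGN_KEY}` is unquoted inside `[[ ]]`, so bash treats the key path as a glob pattern rather than a literal string; write `${MODULES_SIGN_CERT} != "${MODULES_SIGN_KEY}"` (the `!= pkcs11:*` test is meant as a pattern, so that one is fine as is). Two smaller points: `-e` also accepts a directory, and `-f` would reject one before `cat` fails on it; and since unexported variables are preserved between phases, the private key now sits in MODULES_SIGN_KEY_CONTENTS in the saved ebuild environment under ${T} from pkg_setup until the `unset` in kernel-build_merge_configs, so the permissions on ${T} are what protect it in that interval. That is worth stating in the commit message or the eclass documentation rather than only noting that it is kept out of the final environment file.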
@@ -422,12 +429,11 @@ kernel-build_merge_configs() { CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y EOF - if [[ -e ${MODULES_SIGN_KEY} && -e ${MODULES_SIGN_CERT} && - ${MODULES_SIGN_KEY} != ${MODULES_SIGN_CERT} && - ${MODULES_SIGN_KEY} != pkcs11:* ]] - then - cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" > "${T}/kernel_key.pem" || die - MODULES_SIGN_KEY="${T}/kernel_key.pem" + if [[ -n "${MODULES_SIGN_KEY_CONTENTS}" ]]; then + (umask 066; touch "${T}/kernel_key.pem" || die) + echo "${MODULES_SIGN_KEY_CONTENTS}" > "${T}/kernel_key.pem" || die + unset MODULES_SIGN_KEY_CONTENTS + export MODULES_SIGN_KEY="${T}/kernel_key.pem" fi if [[ ${MODULES_SIGN_KEY} == pkcs11:* || -r ${MODULES_SIGN_KEY} ]]; then echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \

On 27/11/2023 18:50, Michał Górny wrote:
> On Mon, 2023-11-27 at 12:12 -0500, Violet Purcell wrote:
>> Currently, using a custom path for MODULES_SIGN_KEY requires the key to
>> be readable by portage:portage. This is not ideal for security, since
>> the file has to be either owned by portage:portage or readable by all
>> users in this case. Instead, export the contents of MODULES_SIGN_KEY to
>> a variable in pkg_setup, and then create a temporary file with it in
>> src_configure to ensure that the temporary key is readable by the user
>> that the kernel is being built as. The variable is then unset so it does
>> not end up in the final environment file.
>>
>> Signed-off-by: Violet Purcell
>> ---
>> eclass/kernel-build.eclass | 19 +++++++++++++------
>> 1 file changed, 13 insertions(+), 6 deletions(-)
>>
>> diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
>> index 4f7e4d047739..cf958c86ff29 100644
>> --- a/eclass/kernel-build.eclass
>> +++ b/eclass/kernel-build.eclass
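Review bot: in the v3 kernel-build_merge_configs hunk, `(umask 066; touch "${T}/kernel_key.pem" || die)` followed by a separate `echo "${MODULES_SIGN_KEY_CONTENTS}" > "${T}/kernel_key.pem" || die` does close the touch/chmod window from v2 (the file is born 0600 and the later redirection only truncates it), but the two statements can be one: `(umask 066; printf '%s\n' "${MODULES_SIGN_KEY_CONTENTS}" > "${T}/kernel_key.pem") || die`. That keeps create and write under the same umask, uses the printf idiom that does not depend on echo's option and escape handling, and leaves a single `die` for either failure. The `-r ${MODULES_SIGN_KEY}` test two lines below now runs against a file the build user has just written, so the root-only-readable case this patch is about no longer reaches it; a one-line comment saying so would help the next reader of that condition.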
>> @@ -114,6 +114,13 @@ kernel-build_pkg_setup() { >> python-any-r1_pkg_setup >> if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then >> secureboot_pkg_setup >> + if [[ -e ${MODULES_SIGN_KEY} && ${MODULES_SIGN_KEY} != pkcs11:* ]]; then >> + if [[ -e ${MODULES_SIGN_CERT} && ${MODULES_SIGN_CERT} != ${MODULES_SIGN_KEY} ]]; then >> + export MODULES_SIGN_KEY_CONTENTS="$(cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}")" >> + else >> + export MODULES_SIGN_KEY_CONTENTS="$(< "${MODULES_SIGN_KEY}")"
>
> You don't need to export it. Unexported variables are also preserved.
>
>> + fi >> + fi >> fi >> } >> >> @@ -427,12 +434,12 @@ kernel-build_merge_configs() { >> CONFIG_MODULE_SIG_FORCE=y >> CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y >> EOF >> - if [[ -e ${MODULES_SIGN_KEY} && -e ${MODULES_SIGN_CERT} && >> - ${MODULES_SIGN_KEY} != ${MODULES_SIGN_CERT} && >> - ${MODULES_SIGN_KEY} != pkcs11:* ]] >> - then >> - cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" > "${T}/kernel_key.pem" || die >> - MODULES_SIGN_KEY="${T}/kernel_key.pem" >> + if [[ -n "${MODULES_SIGN_KEY_CONTENTS}" ]]; then >> + touch "${T}/kernel_key.pem" || die >> + chmod 0600 "${T}/kernel_key.pem" || die
>
> This creates a race condition whereupon the file can be opened between
> the call to touch and chmod. It's better to use a subshell and set
> umask.
>
>> + echo "${MODULES_SIGN_KEY_CONTENTS}" > "${T}/kernel_key.pem" || die >> + unset MODULES_SIGN_KEY_CONTENTS >> + export MODULES_SIGN_KEY="${T}/kernel_key.pem" >> fi >> if [[ ${MODULES_SIGN_KEY} == pkcs11:* || -r ${MODULES_SIGN_KEY} ]]; then >> echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \
>
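Review bot: in the quoted v2 pkg_setup hunk, neither `$(cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}")` nor `$(< "${MODULES_SIGN_KEY}")` checks for a read failure, so an unreadable file leaves MODULES_SIGN_KEY_CONTENTS empty, the `-n` branch in kernel-build_merge_configs is skipped without a message, and the build silently falls through to the old `-r ${MODULES_SIGN_KEY}` path; the v3 version above adds `|| die` to both reads, which resolves this.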
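A worked example added to this thread, not taken from the patch or from kernel-build.eclass: a small POSIX shell script that contrasts the v2 touch-then-chmod sequence Michał objects to above with the umask-in-a-subshell form v3 adopts, and reports the mode the file had while the key material was already on disk. The PEM text, the file_mode helper and the scratch directory are constructed for the demo, and umask 022 is assumed as the surrounding default.

```shell
#!/bin/sh
# Added example, not part of the patch or of kernel-build.eclass: contrasts
# "touch, then chmod 0600" (v2) with "umask 066 inside a subshell" (v3) by
# reporting the mode a concurrent reader could have observed on the key file.

# Constructed stand-in for PEM key material; not a real key.
FAKE_KEY=$(printf '%s\n' \
    '-----BEGIN PRIVATE KEY-----' \
    'MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8=' \
    '-----END PRIVATE KEY-----')

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# v2-style: create, write, then restrict. Prints the mode the file carried
# after the key was written but before chmod ran, i.e. the window flagged in
# the review. umask 022 stands in for a typical build-environment default.
racy_write() {
    dest=$1
    ( umask 022; touch "$dest" ) || return 1
    printf '%s\n' "$FAKE_KEY" > "$dest" || return 1
    observed=$(file_mode "$dest")
    chmod 0600 "$dest" || return 1
    printf '%s\n' "$observed"
}

# v3-style: the umask applies only inside the subshell, so the caller's umask
# is untouched, and the file exists with 0600 from the moment it is created.
# Creating and writing in the same subshell removes the separate touch step.
safe_write() {
    dest=$1
    ( umask 066; printf '%s\n' "$FAKE_KEY" > "$dest" ) || return 1
    file_mode "$dest"
}

# Scratch directory for the demo; removed on exit.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
```

Calling `racy_write "$demo_dir/v2_key.pem"` prints 644, the mode the populated key file had until chmod ran; `safe_write "$demo_dir/v3_key.pem"` prints 600, and the shell's own umask is the same before and after the call because the change was confined to the subshell.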