* [gentoo-dev] [PATCH] linux-mod.eclass: support module signing
@ 2018-04-14 21:25 Georgy Yakovlev
  2018-04-15 18:13 ` NP-Hardass
  2018-04-20  5:42 ` [gentoo-dev] " Georgy Yakovlev
  0 siblings, 2 replies; 25+ messages in thread
From: Georgy Yakovlev @ 2018-04-14 21:25 UTC (permalink / raw)
  To: gentoo-dev; +Cc: gentoo-kernel

Hi,

There is an old bug[1] to support
linux kernel module signing at install.

And here is my first attempt to modify an eclass.
Need proper input on it and a kick in the right direction.

Add 3 variables, settable by users if they keep keys somewhere safe.
Otherwise it just works with the auto-generated keys 
if CONFIG_MODULE_SIG=y and vars are unset.

eclass will die if kernel requires a signed module,
but signing is not requested.


Known problems:

Packages that do not use linux-mod_src_install() will not sign 
the modules, 
But those packages will still inherit module-sign useflag.
It's misleading and I'm not sure how to fix that.
Examples : sys-kernel/spl, sys-fs/zfs-kmod

May need additional handling of KBUILD_SIGN_PIN variable[2],
which can be set to hold the passphrase to the key. But it may end up
in vdb environment files, not sure how to handle that or if it's worth it

not eapi-7 ready because of STRIP_MASK usage.
will need to cover this case as well, probably later.

older (<4.3.3) kernels use perl to sign modules, not sure if it's worth
supporting old kernels, there is no gentoo-sources in the tree old
enough, except masked 4.1
there are old vanilla-sources that will be affected by this.


[1] https://bugs.gentoo.org/447352
[2] https://www.kernel.org/doc/html/v4.16/admin-guide/module-signing.html

diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass
index bf580cf4cfa9..211b0496f528 100644
--- a/eclass/linux-mod.eclass
+++ b/eclass/linux-mod.eclass
@@ -14,7 +14,7 @@
 # required to install external modules against a kernel source
 # tree.
 
-# A Couple of env vars are available to effect usage of this eclass
+# Several env vars are available to effect usage of this eclass
 # These are as follows:
 
 # @ECLASS-VARIABLE: MODULES_OPTIONAL_USE
@@ -132,6 +132,31 @@
 # @DESCRIPTION:
 # It's a read-only variable. It contains the extension of the kernel modules.
 
+# @ECLASS-VARIABLE: KERNEL_MODULE_SIG_HASH
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# A string to control signing algorithm
+# Possible values: sha1:sha224:sha256:sha384:sha512
+# Defaults to value extracted from .config
+# Can be set by user in make.conf, as it can differ from kernel's.
+# In case of overriding this it's users responsibility to make sure
+# that kernel supports desired hash algo
+
+# @ECLASS-VARIABLE: KERNEL_MODULE_SIG_PEM
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# A string, containing path to the private key filename or PKCS#11 URI
+# Defaults to ${KV_DIR}/certs/signing_key.pem} if unset.
+# Can be set by user in make.conf
+
+# @ECLASS-VARIABLE: KERNEL_MODULE_SIG_X509
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# A string, containing path to the public key filename
+# Defaults to ${KV_DIR}/certs/signing_key.x509} if unset.
+# Can be set by user in make.conf
+
+
 inherit eutils linux-info multilib
 EXPORT_FUNCTIONS pkg_setup pkg_preinst pkg_postinst src_install src_compile pkg_postrm
 
@@ -144,12 +169,13 @@ esac
 	0) die "EAPI=${EAPI} is not supported with MODULES_OPTIONAL_USE_IUSE_DEFAULT due to lack of IUSE defaults" ;;
 esac
 
-IUSE="kernel_linux ${MODULES_OPTIONAL_USE:+${_modules_optional_use_iuse_default}}${MODULES_OPTIONAL_USE}"
+IUSE="module-sign kernel_linux ${MODULES_OPTIONAL_USE:+${_modules_optional_use_iuse_default}}${MODULES_OPTIONAL_USE}"
 SLOT="0"
 RDEPEND="${MODULES_OPTIONAL_USE}${MODULES_OPTIONAL_USE:+? (} kernel_linux? ( virtual/modutils ) ${MODULES_OPTIONAL_USE:+)}"
 DEPEND="${RDEPEND}
     ${MODULES_OPTIONAL_USE}${MODULES_OPTIONAL_USE:+? (}
 	sys-apps/sed
+	module-sign? ( || ( dev-libs/openssl dev-libs/libressl ) )
 	kernel_linux? ( virtual/linux-sources )
 	${MODULES_OPTIONAL_USE:+)}"
 
@@ -196,6 +222,25 @@ check_vermagic() {
 	fi
 }
 
+# @FUNCTION: check_sig_force
+# @INTERNAL
+# @DESCRIPTION:
+# Check if kernel requires module signing and die
+# if module is not going to be signed.
+check_sig_force() {
+	debug-print-function ${FUNCNAME} $*
+
+	if linux_chkconfig_present MODULE_SIG_FORCE; then
+		if use !module-sign; then
+			ewarn ""
+			ewarn "Kernel requires all modules to be signed and verified"
+			ewarn "please enable USE=\"module-sign\""
+			ewarn "otherwise loading the module will fail"
+			die "signature required"
+		fi
+	fi
+}
+
 # @FUNCTION: use_m
 # @RETURN: true or false
 # @DESCRIPTION:
@@ -352,6 +397,28 @@ get-KERNEL_CC() {
 	echo "${kernel_cc}"
 }
 
+# @FUNCTION: sign_module
+# @DESCRIPTION:
+# Sign a kernel module if enabled and supported, or just silently ignore the request and do nothing.
+# @USAGE: <filename>
+sign_module() {
+	debug-print-function ${FUNCNAME} $*
+
+	if use module-sign; then
+		local sig_hash sig_pem sig_x509 modulename
+		sig_hash=$(linux_chkconfig_string MODULE_SIG_HASH)
+		sig_pem="${KV_DIR}/certs/signing_key.pem"
+		sig_x509="${KV_DIR}/certs/signing_key.x509"
+		modulename=$(basename "${1}")
+
+		einfo "Signing ${modulename}"
+		"${KV_DIR}"/scripts/sign-file \
+		"${KERNEL_MODULE_SIG_HASH:-${sig_hash//\"/}}" \
+		"${KERNEL_MODULE_SIG_PEM:-${sig_pem}}" \
+		"${KERNEL_MODULE_SIG_X509:-${sig_x509}}" \
+		"${1}" || die "Signing ${modulename} failed"
+	fi
+}
 # internal function
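Review bot: The description of sign_module ("if enabled and supported, or just silently ignore the request") does not match the body: the only condition checked is `use module-sign`, so with the flag on and no `${KV_DIR}/scripts/sign-file` (the author notes kernels before 4.3.3 ship a perl signer instead) the call fails and the `|| die` fires rather than being ignored. Either the text should read `# Sign a kernel module when USE=module-sign is enabled; a no-op otherwise. Dies if signing fails.` or an explicit `[[ -x ${KV_DIR}/scripts/sign-file ]]` guard should decide between skipping and dying, as the later revisions do. Style-wise, the four continuation lines of the sign-file call sit at the same indent as the command and are hard to read as one invocation, and the hunk ends without a blank line between `}` and `# internal function`. The quoted copy of this hunk further down repeats both points.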
 #
 # FUNCTION:
@@ -583,12 +650,17 @@ linux-mod_pkg_setup() {
 	# External modules use kernel symbols (bug #591832)
 	CONFIG_CHECK+=" !TRIM_UNUSED_KSYMS"
 
+	# if signature is requested, check if kernel actually supports it
+	use module-sign && CONFIG_CHECK+=" MODULE_SIG"
+
 	linux-info_pkg_setup;
 	require_configured_kernel
 	check_kernel_built;
 	strip_modulenames;
 	[[ -n ${MODULE_NAMES} ]] && check_modules_supported
 	set_kvobj;
+	use module-sign && export STRIP_MASK="*.${KV_OBJ}";
+	check_sig_force;
 	# Commented out with permission from johnm until a fixed version for arches
 	# who intentionally use different kernel and userland compilers can be
 	# introduced - Jason Wever <weeve@gentoo.org>, 23 Oct 2005
@@ -716,8 +788,9 @@ linux-mod_src_install() {
 
 		einfo "Installing ${modulename} module"
 		cd "${objdir}" || die "${objdir} does not exist"
-		insinto /lib/modules/${KV_FULL}/${libdir}
-		doins ${modulename}.${KV_OBJ} || die "doins ${modulename}.${KV_OBJ} failed"
+		sign_module "${modulename}.${KV_OBJ}"
+		insinto /lib/modules/"${KV_FULL}/${libdir}"
+		doins "${modulename}.${KV_OBJ}" || die "doins ${modulename}.${KV_OBJ} failed"
 		cd "${OLDPWD}"
 
 		generate_modulesd "${objdir}/${modulename}"



* Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing
  2018-04-14 21:25 [gentoo-dev] [PATCH] linux-mod.eclass: support module signing Georgy Yakovlev
@ 2018-04-15 18:13 ` NP-Hardass
  2018-04-20  5:42 ` [gentoo-dev] " Georgy Yakovlev
  1 sibling, 0 replies; 25+ messages in thread
From: NP-Hardass @ 2018-04-15 18:13 UTC (permalink / raw)
  To: gentoo-dev, Georgy Yakovlev; +Cc: gentoo-kernel


[-- Attachment #1.1: Type: text/plain, Size: 8065 bytes --]

On 04/14/2018 05:25 PM, Georgy Yakovlev wrote:
> Hi,
> 
> There is an old bug[1] to support
> linux kernel module signing at install.
> 
> And here is my first attempt to modify an eclass.
> Need proper input on it and a kick in the right direction.
> 
> Add 3 variables, settable by users if they keep keys somewhere safe.
> Otherwise it just works with the auto-generated keys 
> if CONFIG_MODULE_SIG=y and vars are unset.
> 
> eclass will die if kernel requires a signed module,
> but signing is not requested.
> 
> 
> Known problems:
> 
> Packages that do not use linux-mod_src_install() will not sign 
> the modules, 
> But those packages will still inherit module-sign useflag.
> It's misleading and I'm not sure how to fix that.
> Examples : sys-kernel/spl, sys-fs/zfs-kmod
> 
> May need additional handling of KBUILD_SIGN_PIN variable[2],
> which can be set to hold the passphrase to the key. But it may end up
> in vdb environment files, not sure how to handle that or if it worth it
> 
> not eapi-7 ready because of STRIP_MASK usage.
> will need to cover this case as well, probably later.
> 
> older (<4.3.3) kernels use perl to sign modules, not sure if it's worth
> supporting old kernels, there is no gentoo-sources in the tree old
> enough, except masked 4.1
> there are old vanilla-sources that will be affected by this.
> 
> 
> [1] https://bugs.gentoo.org/447352
> [2] https://www.kernel.org/doc/html/v4.16/admin-guide/module-signing.html
> 
> diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass
> index bf580cf4cfa9..211b0496f528 100644
> --- a/eclass/linux-mod.eclass
> +++ b/eclass/linux-mod.eclass
> @@ -14,7 +14,7 @@
>  # required to install external modules against a kernel source
>  # tree.
>  
> -# A Couple of env vars are available to effect usage of this eclass
> +# Several env vars are available to effect usage of this eclass
>  # These are as follows:
>  
>  # @ECLASS-VARIABLE: MODULES_OPTIONAL_USE
> @@ -132,6 +132,31 @@
>  # @DESCRIPTION:
>  # It's a read-only variable. It contains the extension of the kernel modules.
>  
> +# @ECLASS-VARIABLE: KERNEL_MODULE_SIG_HASH
> +# @DEFAULT_UNSET
> +# @DESCRIPTION:
> +# A string to control signing algorithm
> +# Possible values: sha1:sha224:sha256:sha384:sha512
> +# Defaults to value extracted from .config
> +# Can be set by user in make.conf, as it can differ from kernel's.
> +# In case of overriding this it's users responsibility to make sure
> +# that kernel supports desired hash algo
> +
> +# @ECLASS-VARIABLE: KERNEL_MODULE_SIG_PEM
> +# @DEFAULT_UNSET
> +# @DESCRIPTION:
> +# A string, containing path to the private key filename or PKCS#11 URI
> +# Defaults to ${KV_DIR}/certs/signing_key.pem} if unset.
> +# Can be set by user in make.conf
> +
> +# @ECLASS-VARIABLE: KERNEL_MODULE_SIG_X509
> +# @DEFAULT_UNSET
> +# @DESCRIPTION:
> +# A string, containing path to the public key filename
> +# Defaults to ${KV_DIR}/certs/signing_key.x509} if unset.
> +# Can be set by user in make.conf
> +
> +
>  inherit eutils linux-info multilib
>  EXPORT_FUNCTIONS pkg_setup pkg_preinst pkg_postinst src_install src_compile pkg_postrm
>  

These KV_DIRs should be KV_OUT_DIRs, as they are objects only available
after building the kernel and thus if KV_OUT_DIR != KV_DIR, this will fail.

Additionally, sig_pem and sig_x509 should be derived from MODULE_SIG_KEY
by default.
> @@ -144,12 +169,13 @@ esac
>  	0) die "EAPI=${EAPI} is not supported with MODULES_OPTIONAL_USE_IUSE_DEFAULT due to lack of IUSE defaults" ;;
>  esac
>  
> -IUSE="kernel_linux ${MODULES_OPTIONAL_USE:+${_modules_optional_use_iuse_default}}${MODULES_OPTIONAL_USE}"
> +IUSE="module-sign kernel_linux ${MODULES_OPTIONAL_USE:+${_modules_optional_use_iuse_default}}${MODULES_OPTIONAL_USE}"
>  SLOT="0"
>  RDEPEND="${MODULES_OPTIONAL_USE}${MODULES_OPTIONAL_USE:+? (} kernel_linux? ( virtual/modutils ) ${MODULES_OPTIONAL_USE:+)}"
>  DEPEND="${RDEPEND}
>      ${MODULES_OPTIONAL_USE}${MODULES_OPTIONAL_USE:+? (}
>  	sys-apps/sed
> +	module-sign? ( || ( dev-libs/openssl dev-libs/libressl ) )
>  	kernel_linux? ( virtual/linux-sources )
>  	${MODULES_OPTIONAL_USE:+)}"
>  
> @@ -196,6 +222,25 @@ check_vermagic() {
>  	fi
>  }
>  
> +# @FUNCTION: check_sig_force
> +# @INTERNAL
> +# @DESCRIPTION:
> +# Check if kernel requires module signing and die
> +# if module is not going to be signed.
> +check_sig_force() {
> +	debug-print-function ${FUNCNAME} $*
> +
> +	if linux_chkconfig_present MODULE_SIG_FORCE; then
> +		if use !module-sign; then
> +			ewarn ""
> +			ewarn "Kernel requires all modules to be signed and verified"
> +			ewarn "please enable USE=\"module-sign\""
> +			ewarn "otherwise loading the module will fail"
> +			die "signature required"
> +		fi
> +	fi
> +}
> +
>  # @FUNCTION: use_m
>  # @RETURN: true or false
>  # @DESCRIPTION:


The documentation for linux_chkconfig_present states "If
linux_config_exists returns false, the results of this are UNDEFINED.
You MUST call linux_config_exists first."
> @@ -352,6 +397,28 @@ get-KERNEL_CC() {
>  	echo "${kernel_cc}"
>  }
>  
> +# @FUNCTION: sign_module
> +# @DESCRIPTION:
> +# Sign a kernel module if enabled and supported, or just silently ignore the request and do nothing.
> +# @USAGE: <filename>
> +sign_module() {
> +	debug-print-function ${FUNCNAME} $*
> +
> +	if use module-sign; then
> +		local sig_hash sig_pem sig_x509 modulename
> +		sig_hash=$(linux_chkconfig_string MODULE_SIG_HASH)
> +		sig_pem="${KV_DIR}/certs/signing_key.pem"
> +		sig_x509="${KV_DIR}/certs/signing_key.x509"
> +		modulename=$(basename "${1}")
> +
> +		einfo "Signing ${modulename}"
> +		"${KV_DIR}"/scripts/sign-file \
> +		"${KERNEL_MODULE_SIG_HASH:-${sig_hash//\"/}}" \
> +		"${KERNEL_MODULE_SIG_PEM:-${sig_pem}}" \
> +		"${KERNEL_MODULE_SIG_X509:-${sig_x509}}" \
> +		"${1}" || die "Signing ${modulename} failed"
> +	fi
> +}
>  # internal function
>  #
>  # FUNCTION:

These KV_DIRs should be KV_OUT_DIRs, as they are objects only available
after building the kernel and thus if KV_OUT_DIR != KV_DIR, this will fail.

The documentation for linux_chkconfig_string states "If
linux_config_exists returns false, the results of this are UNDEFINED.
You MUST call linux_config_exists first."

Additionally, sig_pem and sig_x509 should be derived from MODULE_SIG_KEY.

> @@ -583,12 +650,17 @@ linux-mod_pkg_setup() {
>  	# External modules use kernel symbols (bug #591832)
>  	CONFIG_CHECK+=" !TRIM_UNUSED_KSYMS"
>  
> +	# if signature is requested, check if kernel actually supports it
> +	use module-sign && CONFIG_CHECK+=" MODULE_SIG"
> +
>  	linux-info_pkg_setup;
>  	require_configured_kernel
>  	check_kernel_built;
>  	strip_modulenames;
>  	[[ -n ${MODULE_NAMES} ]] && check_modules_supported
>  	set_kvobj;
> +	use module-sign && export STRIP_MASK="*.${KV_OBJ}";
> +	check_sig_force;
>  	# Commented out with permission from johnm until a fixed version for arches
>  	# who intentionally use different kernel and userland compilers can be
>  	# introduced - Jason Wever <weeve@gentoo.org>, 23 Oct 2005
> @@ -716,8 +788,9 @@ linux-mod_src_install() {
>  
>  		einfo "Installing ${modulename} module"
>  		cd "${objdir}" || die "${objdir} does not exist"
> -		insinto /lib/modules/${KV_FULL}/${libdir}
> -		doins ${modulename}.${KV_OBJ} || die "doins ${modulename}.${KV_OBJ} failed"
> +		sign_module "${modulename}.${KV_OBJ}"
> +		insinto /lib/modules/"${KV_FULL}/${libdir}"
> +		doins "${modulename}.${KV_OBJ}" || die "doins ${modulename}.${KV_OBJ} failed"
>  		cd "${OLDPWD}"
>  
>  		generate_modulesd "${objdir}/${modulename}"
> 


You can work around the STRIP_MASK issue by performing the steps in
pkg_postinst after the stripped modules have been installed. You could
probably save a list of installed modules a la
gnome2_gconf_savelist and then pull that up in postinst and sign the
desired modules there.

-- 
NP-Hardass


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]


* [gentoo-dev] Re: [PATCH] linux-mod.eclass: support module signing
  2018-04-14 21:25 [gentoo-dev] [PATCH] linux-mod.eclass: support module signing Georgy Yakovlev
  2018-04-15 18:13 ` NP-Hardass
@ 2018-04-20  5:42 ` Georgy Yakovlev
  2018-04-20  5:56   ` Michał Górny
  1 sibling, 1 reply; 25+ messages in thread
From: Georgy Yakovlev @ 2018-04-20  5:42 UTC (permalink / raw)
  To: gentoo-dev; +Cc: gentoo-kernel

On Sat, 2018-04-14 at 14:25 -0700, Georgy Yakovlev wrote:

Second version, with safety checks and simplified logic.
Fixed most issues of the first patch.

Now only a single optional make.conf variable, holding the path to the
key, is used.
Rest of parameters are magically extracted from .config or derived from
the key itself. So generally it just works.

got rid of STRIP_MASK, all signing happens in pkg_preinst, that way the
checksum of installed file is calculated with signature appended.
now works for packages that do not use linux-mod_src_install (zfs & co)


Thanks to NP-Hardass for initial review and suggestions.


> Hi,
> 
> There is an old bug[1] to support
> linux kernel module signing at install.
> 
> And here is my first attempt to modify an eclass.
> Need proper input on it and a kick in the right direction.
> 
> Add 3 variables, settable by users if they keep keys somewhere safe.
> Otherwise it just works with the auto-generated keys 
> if CONFIG_MODULE_SIG=y and vars are unset.
> 
> eclass will die if kernel requires a signed module,
> but signing is not requested.
> 
> 
> Known problems:
> 
> Packages that do not use linux-mod_src_install() will not sign 
> the modules, 
> But those packages will still inherit module-sign useflag.
> It's misleading and I'm not sure how to fix that.
> Examples : sys-kernel/spl, sys-fs/zfs-kmod
> 
> May need additional handling of KBUILD_SIGN_PIN variable[2],
> which can be set to hold the passphrase to the key. But it may end up
> in vdb environment files, not sure how to handle that or if it worth
> it
> 
> not eapi-7 ready because of STRIP_MASK usage.
> will need to cover this case as well, probably later.
> 
> older (<4.3.3) kernels use perl to sign modules, not sure if it's
> worth
> supporting old kernels, there is no gentoo-sources in the tree old
> enough, except masked 4.1
> there are old vanilla-sources that will be affected by this.
> 
> 
> [1] https://bugs.gentoo.org/447352
> [2] https://www.kernel.org/doc/html/v4.16/admin-guide/module-signing.html

diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass
index bf580cf4cfa9..8197654081cc 100644
--- a/eclass/linux-mod.eclass
+++ b/eclass/linux-mod.eclass
@@ -132,6 +132,16 @@
 # @DESCRIPTION:
 # It's a read-only variable. It contains the extension of the kernel modules.
 
+# @ECLASS-VARIABLE: KERNEL_MODULE_SIG_KEY
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# A string, containing absolute path to the private key file.
+# Defaults to value of CONFIG_MODULE_SIG_KEY extracted from .config
+# Can be set by user in make.conf
+# Example:
+# KERNEL_MODULE_SIG_KEY="/secure/location/keys/kernel.pem"
+# Assumes that "/secure/location/keys/kernel.x509" is a matching pubkey.
+
 inherit eutils linux-info multilib
 EXPORT_FUNCTIONS pkg_setup pkg_preinst pkg_postinst src_install src_compile pkg_postrm
 
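Review bot: The KERNEL_MODULE_SIG_KEY description says what the variable points at but not what makes a custom key usable: signing is only half of the story, since a module signed with a key whose certificate is not in the running kernel's trusted keyring still fails to load under MODULE_SIG_FORCE exactly like an unsigned one, and check_sig_force cannot detect that. A sentence such as `# The matching certificate must be trusted by the running kernel (built in at kernel build time, e.g. via CONFIG_SYSTEM_TRUSTED_KEYS); the auto-generated certs/signing_key.x509 is trusted automatically.` would save users a confusing failure at modprobe time. It is also worth stating that the `.x509` path is derived by replacing the `.pem` suffix, so the key file must use that suffix. The v3 hunk at the end of the thread repeats this block and would take the same wording.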
@@ -144,12 +154,13 @@ esac
 	0) die "EAPI=${EAPI} is not supported with MODULES_OPTIONAL_USE_IUSE_DEFAULT due to lack of IUSE defaults" ;;
 esac
 
-IUSE="kernel_linux ${MODULES_OPTIONAL_USE:+${_modules_optional_use_iuse_default}}${MODULES_OPTIONAL_USE}"
+IUSE="module-sign kernel_linux ${MODULES_OPTIONAL_USE:+${_modules_optional_use_iuse_default}}${MODULES_OPTIONAL_USE}"
 SLOT="0"
 RDEPEND="${MODULES_OPTIONAL_USE}${MODULES_OPTIONAL_USE:+? (} kernel_linux? ( virtual/modutils ) ${MODULES_OPTIONAL_USE:+)}"
 DEPEND="${RDEPEND}
     ${MODULES_OPTIONAL_USE}${MODULES_OPTIONAL_USE:+? (}
 	sys-apps/sed
+	module-sign? ( || ( dev-libs/openssl dev-libs/libressl ) )
 	kernel_linux? ( virtual/linux-sources )
 	${MODULES_OPTIONAL_USE:+)}"
 
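Review bot: With signing now happening in pkg_preinst, `module-sign? ( || ( dev-libs/openssl dev-libs/libressl ) )` in DEPEND alone is not sufficient: DEPEND is not enforced when a binary package is installed, yet sign-file (which links against libcrypto) now runs in that install-time phase, so the same atom should appear under module-sign in RDEPEND as well. The same reasoning applies to `virtual/linux-sources`, which pkg_preinst now needs for `${KV_OUT_DIR}/scripts/sign-file`, though that is presumably a pre-existing limitation of installing kernel-module binpkgs rather than something this patch introduced. The v1 hunk above adds the identical DEPEND line, but there signing runs in src_install, where DEPEND is enough.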
@@ -352,6 +363,93 @@ get-KERNEL_CC() {
 	echo "${kernel_cc}"
 }
 
+# @FUNCTION: check_sig_force
+# @INTERNAL
+# @DESCRIPTION:
+# Check if kernel requires module signing and die
+# if module is not going to be signed.
+check_sig_force() {
+	debug-print-function ${FUNCNAME} $*
+
+	if linux_chkconfig_present MODULE_SIG_FORCE; then
+		if use !module-sign; then
+			ewarn "kernel .config has MODULE_SIG_FORCE=y option set"
+			ewarn "This means that kernel requires all modules"
+			ewarn "to be signed and verified before loading"
+			ewarn "please enable USE=\"module-sign\" or reconfigure your kernel"
+			ewarn "otherwise loading the module will fail"
+			die "signature required"
+		fi
+	fi
+}
+
+# @FUNCTION: sign_module
+# @INTERNAL
+# @DESCRIPTION:
+# Sign a kernel module
+# @USAGE: <filename>
+sign_module() {
+	debug-print-function ${FUNCNAME} $*
+
+	local dotconfig_sig_hash dotconfig_sig_key
+	local sign_binary_path sig_key_path sig_x509_path
+	local module
+
+	# extract values from kernel .config
+	# extracted key path is not full, e.g. "certs/signing_key.pem"
+	dotconfig_sig_hash="$(linux_chkconfig_string MODULE_SIG_HASH)"
+	dotconfig_sig_key="$(linux_chkconfig_string MODULE_SIG_KEY)"
+
+	# strip out double quotes, sign-file binary chokes on them
+	dotconfig_sig_hash=${dotconfig_sig_hash//\"/}
+	dotconfig_sig_key=${dotconfig_sig_key//\"/}
+
+	sign_binary_path="${KV_OUT_DIR}/scripts/sign-file"
+	sig_key_path="${KERNEL_MODULE_SIG_KEY:-${KV_OUT_DIR}/${dotconfig_sig_key}}"
+	sig_x509_path="${sig_key_path/.pem/.x509}"
+
+	module=$(basename "${1%.${KV_OBJ}}")
+
+	# some checks, because sign-file is dumb and produces cryptic errors
+	[ -w "${1}" ] || die "${1} not found or not writable"
+	grep -qFL '~Module signature appended~' "${1}" && die "${module} already signed"
+	[ -x "${sign_binary_path}" ] || die "${sign_binary_path} not found or not executable"
+	[ -e "${sig_key_path}" ] || die "Private key ${sig_key_path} not found or not readable"
+	[ -e "${sig_x509_path}" ] || die "Public key ${sig_x509_path} not found or not readable"
+
+	einfo "Signing ${module} using ${sig_key_path}:${dotconfig_sig_hash}"
+	"${sign_binary_path}" \
+		"${dotconfig_sig_hash}" "${sig_key_path}" "${sig_x509_path}" \
+		"${1}" || die "Signing ${module} failed"
+}
+
+# @FUNCTION: sign_all_modules
+# @INTERNAL
+# @DESCRIPTION:
+# Signs all unsigned modules
+# Must be called in pkg_preinst.
+sign_all_modules() {
+	debug-print-function ${FUNCNAME} $*
+
+	[ -z "${KV_OBJ}" ] && set_kvobj;
+	require_configured_kernel;
+	check_kernel_built;
+
+	local module
+	local modules
+
+	pushd "${ED}" > /dev/null || die
+	modules=$(find "lib/modules/${KV_FULL}" -name "*.${KV_OBJ}" 2>/dev/null)
+	if [[ -n ${modules} ]]; then
+		for module in ${modules}; do
+			sign_module "${module}"
+		done
+	else
+		ewarn 'QA: list of modules to sign is empty, pease report a bug'
+	fi
+	popd > /dev/null || die
+}
+
 # internal function
 #
 # FUNCTION:
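Review bot: `grep -qFL '~Module signature appended~' "${1}"` in sign_module combines -q with -L, and the exit status of GNU grep's -L has changed between releases, so the "already signed" guard may be inverted depending on the installed grep; `grep -qF -- '~Module signature appended~' "${1}" && die "${module} already signed"` tests the same thing unambiguously. `sig_x509_path="${sig_key_path/.pem/.x509}"` replaces the first `.pem` anywhere in the path and is a no-op for a key that does not end in `.pem`, in which case the certificate path equals the private key path and the `-e` check on it passes; `[[ ${sig_key_path} == *.pem ]] || die "KERNEL_MODULE_SIG_KEY must end in .pem"` followed by `sig_x509_path="${sig_key_path%.pem}.x509"` is the safer derivation. The kernel's module-signing guide (linked as [2] in the thread) also allows CONFIG_MODULE_SIG_KEY to be an absolute path or a pkcs11: URI, and `${KV_OUT_DIR}/${dotconfig_sig_key}` prefixes those unconditionally; a `[[ ${dotconfig_sig_key} == /* ]]` branch would at least cover the absolute case. Finally, the QA ewarn in sign_all_modules misspells "please" as "pease".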
@@ -583,12 +681,16 @@ linux-mod_pkg_setup() {
 	# External modules use kernel symbols (bug #591832)
 	CONFIG_CHECK+=" !TRIM_UNUSED_KSYMS"
 
+	# if signature is requested, check if kernel actually supports it
+	use module-sign && CONFIG_CHECK+=" MODULE_SIG"
+
 	linux-info_pkg_setup;
 	require_configured_kernel
 	check_kernel_built;
 	strip_modulenames;
 	[[ -n ${MODULE_NAMES} ]] && check_modules_supported
 	set_kvobj;
+	check_sig_force;
 	# Commented out with permission from johnm until a fixed version for arches
 	# who intentionally use different kernel and userland compilers can be
 	# introduced - Jason Wever <weeve@gentoo.org>, 23 Oct 2005
@@ -716,8 +818,8 @@ linux-mod_src_install() {
 
 		einfo "Installing ${modulename} module"
 		cd "${objdir}" || die "${objdir} does not exist"
-		insinto /lib/modules/${KV_FULL}/${libdir}
-		doins ${modulename}.${KV_OBJ} || die "doins ${modulename}.${KV_OBJ} failed"
+		insinto /lib/modules/"${KV_FULL}/${libdir}"
+		doins "${modulename}.${KV_OBJ}" || die "doins ${modulename}.${KV_OBJ} failed"
 		cd "${OLDPWD}"
 
 		generate_modulesd "${objdir}/${modulename}"
@@ -733,6 +835,8 @@ linux-mod_pkg_preinst() {
 
 	[ -d "${D}lib/modules" ] && UPDATE_DEPMOD=true || UPDATE_DEPMOD=false
 	[ -d "${D}lib/modules" ] && UPDATE_MODULEDB=true || UPDATE_MODULEDB=false
+	check_sig_force
+	use module-sign && sign_all_modules
 }
 
 # @FUNCTION: linux-mod_pkg_postinst
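Review bot: `use module-sign && sign_all_modules` as the last statement leaves linux-mod_pkg_preinst with a non-zero exit status whenever the flag is off; whether a package manager acts on a phase function's status is PM-specific, so `if use module-sign; then sign_all_modules; fi` avoids the question entirely. `check_sig_force` is also called here before `sign_all_modules` runs `require_configured_kernel`, so it presumably relies on the kernel config having been located earlier in this phase; the start of linux-mod_pkg_preinst is outside the hunk, so I cannot confirm that, and calling `require_configured_kernel` ahead of `check_sig_force` would make the precondition explicit.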




* Re: [gentoo-dev] Re: [PATCH] linux-mod.eclass: support module signing
  2018-04-20  5:42 ` [gentoo-dev] " Georgy Yakovlev
@ 2018-04-20  5:56   ` Michał Górny
  2018-04-20  8:01     ` Georgy Yakovlev
  0 siblings, 1 reply; 25+ messages in thread
From: Michał Górny @ 2018-04-20  5:56 UTC (permalink / raw)
  To: gentoo-dev; +Cc: gentoo-kernel

W dniu czw, 19.04.2018 o godzinie 22∶42 -0700, użytkownik Georgy
Yakovlev napisał:
> On Sat, 2018-04-14 at 14:25 -0700, Georgy Yakovlev wrote:
> 
> Second version, with safety checks and simplified logic.
> Fixed most issues of the first patch.
> 
> Now only use single optional make.conf variable with the path to the
> key.
> Rest of parameters are magically extracted from .config or derived from
> the key itself. So generally it just works.
> 
> got rid of STRIP_MASK, all signing happens in pkg_preinst, that way the
> checksum of installed file is calculated with signature appended.
> now works for packages that do not use linux-mod_src_install (zfs & co)
> 
> 
> Thanks to NP-Hardass for initial review and suggestions.
> 
> 
> > Hi,
> > 
> > There is an old bug[1] to support
> > linux kernel module signing at install.
> > 
> > And here is my first attempt to modify an eclass.
> > Need proper input on it and a kick in the right direction.
> > 
> > Add 3 variables, settable by users if they keep keys somewhere safe.
> > Otherwise it just works with the auto-generated keys 
> > if CONFIG_MODULE_SIG=y and vars are unset.
> > 
> > eclass will die if kernel requires a signed module,
> > but signing is not requested.
> > 
> > 
> > Known problems:
> > 
> > Packages that do not use linux-mod_src_install() will not sign 
> > the modules, 
> > But those packages will still inherit module-sign useflag.
> > It's misleading and I'm not sure how to fix that.
> > Examples : sys-kernel/spl, sys-fs/zfs-kmod
> > 
> > May need additional handling of KBUILD_SIGN_PIN variable[2],
> > which can be set to hold the passphrase to the key. But it may end up
> > in vdb environment files, not sure how to handle that or if it worth
> > it
> > 
> > not eapi-7 ready because of STRIP_MASK usage.
> > will need to cover this case as well, probably later.
> > 
> > older (<4.3.3) kernels use perl to sign modules, not sure if it's
> > worth
> > supporting old kernels, there is no gentoo-sources in the tree old
> > enough, except masked 4.1
> > there are old vanilla-sources that will be affected by this.
> > 
> > 
> > [1] https://bugs.gentoo.org/447352
> > [2] https://www.kernel.org/doc/html/v4.16/admin-guide/module-signing.html
> 
> diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass
> index bf580cf4cfa9..8197654081cc 100644
> --- a/eclass/linux-mod.eclass
> +++ b/eclass/linux-mod.eclass
> @@ -132,6 +132,16 @@
>  # @DESCRIPTION:
>  # It's a read-only variable. It contains the extension of the kernel modules.
>  
> +# @ECLASS-VARIABLE: KERNEL_MODULE_SIG_KEY

Also @USER_VARIABLE since it's supposed to be set in make.conf.

> +# @DEFAULT_UNSET
> +# @DESCRIPTION:
> +# A string, containing absolute path to the private key file.
> +# Defaults to value of CONFIG_MODULE_SIG_KEY extracted from .config
> +# Can be set by user in make.conf
> +# Example:
> +# KERNEL_MODULE_SIG_KEY="/secure/location/keys/kernel.pem"
> +# Assumes that "/secure/location/keys/kernel.x509" is a matching pubkey.
> +
>  inherit eutils linux-info multilib
>  EXPORT_FUNCTIONS pkg_setup pkg_preinst pkg_postinst src_install src_compile pkg_postrm
>  
> @@ -144,12 +154,13 @@ esac
>  	0) die "EAPI=${EAPI} is not supported with MODULES_OPTIONAL_USE_IUSE_DEFAULT due to lack of IUSE defaults" ;;
>  esac
>  
> -IUSE="kernel_linux ${MODULES_OPTIONAL_USE:+${_modules_optional_use_iuse_default}}${MODULES_OPTIONAL_USE}"
> +IUSE="module-sign kernel_linux ${MODULES_OPTIONAL_USE:+${_modules_optional_use_iuse_default}}${MODULES_OPTIONAL_USE}"
>  SLOT="0"
>  RDEPEND="${MODULES_OPTIONAL_USE}${MODULES_OPTIONAL_USE:+? (} kernel_linux? ( virtual/modutils ) ${MODULES_OPTIONAL_USE:+)}"
>  DEPEND="${RDEPEND}
>      ${MODULES_OPTIONAL_USE}${MODULES_OPTIONAL_USE:+? (}
>  	sys-apps/sed
> +	module-sign? ( || ( dev-libs/openssl dev-libs/libressl ) )
>  	kernel_linux? ( virtual/linux-sources )
>  	${MODULES_OPTIONAL_USE:+)}"
>  
> @@ -352,6 +363,93 @@ get-KERNEL_CC() {
>  	echo "${kernel_cc}"
>  }
>  
> +# @FUNCTION: check_sig_force

Namespace pollution.  Please prefix it.

> +# @INTERNAL
> +# @DESCRIPTION:
> +# Check if kernel requires module signing and die
> +# if module is not going to be signed.
> +check_sig_force() {
> +	debug-print-function ${FUNCNAME} $*

"${@}"

> +
> +	if linux_chkconfig_present MODULE_SIG_FORCE; then
> +		if use !module-sign; then
> +			ewarn "kernel .config has MODULE_SIG_FORCE=y option set"
> +			ewarn "This means that kernel requires all modules"
> +			ewarn "to be signed and verified before loading"
> +			ewarn "please enable USE=\"module-sign\" or reconfigure your kernel"
> +			ewarn "otherwise loading the module will fail"

Why ewarn if you die?  eerror would be more appropriate.

> +			die "signature required"
> +		fi
> +	fi
> +}
> +
> +# @FUNCTION: sign_module

Likewise.

> +# @INTERNAL
> +# @DESCRIPTION:
> +# Sign a kernel module
> +# @USAGE: <filename>

@USAGE goes earlier.

> +sign_module() {
> +	debug-print-function ${FUNCNAME} $*
> +
> +	local dotconfig_sig_hash dotconfig_sig_key
> +	local sign_binary_path sig_key_path sig_x509_path
> +	local module
> +
> +	# extract values from kernel .config
> +	# extracted key path is not full, e.g. "certs/signing_key.pem"
> +	dotconfig_sig_hash="$(linux_chkconfig_string MODULE_SIG_HASH)"
> +	dotconfig_sig_key="$(linux_chkconfig_string MODULE_SIG_KEY)"
> +
> +	# strip out double quotes, sign-file binary chokes on them
> +	dotconfig_sig_hash=${dotconfig_sig_hash//\"/}
> +	dotconfig_sig_key=${dotconfig_sig_key//\"/}
> +
> +	sign_binary_path="${KV_OUT_DIR}/scripts/sign-file"
> +	sig_key_path="${KERNEL_MODULE_SIG_KEY:-${KV_OUT_DIR}/${dotconfig_sig_key}}"
> +	sig_x509_path="${sig_key_path/.pem/.x509}"
> +
> +	module=$(basename "${1%.${KV_OBJ}}")

Don't call external programs when you can do the same in trivial pure
bash, i.e. ${foo##*/}.

> +
> +	# some checks, because sign-file is dumb and produces cryptic errors
> +	[ -w "${1}" ] || die "${1} not found or not writable"

Use [[ ... ]], always.

> +	grep -qFL '~Module signature appended~' "${1}" && die "${module} already signed"
> +	[ -x "${sign_binary_path}" ] || die "${sign_binary_path} not found or not executable"
> +	[ -e "${sig_key_path}" ] || die "Private key ${sig_key_path} not found or not readable"

-e does not test for being readable.  Are you looking for -r?

> +	[ -e "${sig_x509_path}" ] || die "Public key ${sig_x509_path} not found or not readable"
> +
> +	einfo "Signing ${module} using ${sig_key_path}:${dotconfig_sig_hash}"
> +	"${sign_binary_path}" \
> +		"${dotconfig_sig_hash}" "${sig_key_path}" "${sig_x509_path}" \
> +		"${1}" || die "Signing ${module} failed"
> +}
> +
> +# @FUNCTION: sign_all_modules
> +# @INTERNAL
> +# @DESCRIPTION:
> +# Signs all unsigned modules
> +# Must be called in pkg_preinst.
> +sign_all_modules() {
> +	debug-print-function ${FUNCNAME} $*
> +
> +	[ -z "${KV_OBJ}" ] && set_kvobj;

[[ ... ]].  Those semicolons are meaningless here.

> +	require_configured_kernel;
> +	check_kernel_built;
> +
> +	local module
> +	local modules
> +
> +	pushd "${ED}" > /dev/null || die

Why change the directory when you can just pass "${ED}" to find?

> +	modules=$(find "lib/modules/${KV_FULL}" -name "*.${KV_OBJ}" 2>/dev/null)

Use the 'while read -d '' -r ... < <(find ... -print0)' loop to be
on the safe side.  Always.

> +	if [[ -n ${modules} ]]; then
> +		for module in ${modules}; do
> +			sign_module "${module}"
> +		done
> +	else
> +		ewarn 'QA: list of modules to sign is empty, pease report a bug'
> +	fi
> +	popd > /dev/null || die
> +}
> +
>  # internal function
>  #
>  # FUNCTION:
> @@ -583,12 +681,16 @@ linux-mod_pkg_setup() {
>  	# External modules use kernel symbols (bug #591832)
>  	CONFIG_CHECK+=" !TRIM_UNUSED_KSYMS"
>  
> +	# if signature is requested, check if kernel actually supports it
> +	use module-sign && CONFIG_CHECK+=" MODULE_SIG"
> +
>  	linux-info_pkg_setup;
>  	require_configured_kernel
>  	check_kernel_built;
>  	strip_modulenames;
>  	[[ -n ${MODULE_NAMES} ]] && check_modules_supported
>  	set_kvobj;
> +	check_sig_force;

Meaningless semicolon.

>  	# Commented out with permission from johnm until a fixed version for arches
>  	# who intentionally use different kernel and userland compilers can be
>  	# introduced - Jason Wever <weeve@gentoo.org>, 23 Oct 2005
> @@ -716,8 +818,8 @@ linux-mod_src_install() {
>  
>  		einfo "Installing ${modulename} module"
>  		cd "${objdir}" || die "${objdir} does not exist"
> -		insinto /lib/modules/${KV_FULL}/${libdir}
> -		doins ${modulename}.${KV_OBJ} || die "doins ${modulename}.${KV_OBJ} failed"
> +		insinto /lib/modules/"${KV_FULL}/${libdir}"
> +		doins "${modulename}.${KV_OBJ}" || die "doins ${modulename}.${KV_OBJ} failed"
>  		cd "${OLDPWD}"
>  
>  		generate_modulesd "${objdir}/${modulename}"
> @@ -733,6 +835,8 @@ linux-mod_pkg_preinst() {
>  
>  	[ -d "${D}lib/modules" ] && UPDATE_DEPMOD=true || UPDATE_DEPMOD=false
>  	[ -d "${D}lib/modules" ] && UPDATE_MODULEDB=true || UPDATE_MODULEDB=false
> +	check_sig_force
> +	use module-sign && sign_all_modules
>  }
>  
>  # @FUNCTION: linux-mod_pkg_postinst
> 
> 

-- 
Best regards,
Michał Górny




* Re: [gentoo-dev] Re: [PATCH] linux-mod.eclass: support module signing
  2018-04-20  5:56   ` Michał Górny
@ 2018-04-20  8:01     ` Georgy Yakovlev
  0 siblings, 0 replies; 25+ messages in thread
From: Georgy Yakovlev @ 2018-04-20  8:01 UTC (permalink / raw)
  To: gentoo-dev

Version 3 with fixes as requested by mgorny, thanks for review!

Overall I think the eclass needs some love, as it uses semicolons and single
square brackets, and its quoting and eclass descriptions are a bit
inconsistent, but that's out of scope for this patch right now.
I think all the new code I've added follows up-to-date standards now
and no longer uses old syntax.



diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass
index bf580cf4cfa9..5df15561b9e6 100644
--- a/eclass/linux-mod.eclass
+++ b/eclass/linux-mod.eclass
@@ -132,6 +132,16 @@
 # @DESCRIPTION:
 # It's a read-only variable. It contains the extension of the kernel modules.
 
+# @ECLASS-VARIABLE: KERNEL_MODULE_SIG_KEY
+# @USER_VARIABLE
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# A string, containing absolute path to the private key file.
+# Defaults to value of CONFIG_MODULE_SIG_KEY extracted from .config
+# Example:
+# KERNEL_MODULE_SIG_KEY="/secure/location/keys/kernel.pem"
+# Assumes that "/secure/location/keys/kernel.x509" is a matching pubkey.
+
 inherit eutils linux-info multilib
 EXPORT_FUNCTIONS pkg_setup pkg_preinst pkg_postinst src_install src_compile pkg_postrm
 
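Review bot: The description should say how the key path is resolved, because the code that consumes this variable joins a relative CONFIG_MODULE_SIG_KEY onto KV_OUT_DIR and derives the certificate by replacing `.pem` with `.x509`, neither of which a user can guess from this comment. Something like `# A relative CONFIG_MODULE_SIG_KEY is taken relative to the kernel output directory (KV_OUT_DIR). The key file name must end in ".pem": the certificate is looked up at the same path with ".x509" instead. Non-file key references (e.g. a pkcs11: URI) are not supported.` would let a user pick a path that the checks in _sign_module actually accept.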
@@ -144,12 +154,13 @@ esac
 	0) die "EAPI=${EAPI} is not supported with MODULES_OPTIONAL_USE_IUSE_DEFAULT due to lack of IUSE defaults" ;;
 esac
 
-IUSE="kernel_linux ${MODULES_OPTIONAL_USE:+${_modules_optional_use_iuse_default}}${MODULES_OPTIONAL_USE}"
+IUSE="module-sign kernel_linux ${MODULES_OPTIONAL_USE:+${_modules_optional_use_iuse_default}}${MODULES_OPTIONAL_USE}"
 SLOT="0"
 RDEPEND="${MODULES_OPTIONAL_USE}${MODULES_OPTIONAL_USE:+? (} kernel_linux? ( virtual/modutils ) ${MODULES_OPTIONAL_USE:+)}"
 DEPEND="${RDEPEND}
     ${MODULES_OPTIONAL_USE}${MODULES_OPTIONAL_USE:+? (}
 	sys-apps/sed
+	module-sign? ( || ( dev-libs/openssl dev-libs/libressl ) )
 	kernel_linux? ( virtual/linux-sources )
 	${MODULES_OPTIONAL_USE:+)}"
 
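Review bot: The `|| ( dev-libs/openssl dev-libs/libressl )` atom is only in DEPEND, but the patch runs `scripts/sign-file` from pkg_preinst, which executes on the installing host, where a binary-package merge does not guarantee that DEPEND is satisfied. If signing stays in pkg_preinst this belongs in RDEPEND as well, and the same question applies to the kernel sources that provide sign-file and the .config it reads.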
@@ -352,6 +363,84 @@ get-KERNEL_CC() {
 	echo "${kernel_cc}"
 }
 
+# @FUNCTION: _check_sig_force
+# @INTERNAL
+# @DESCRIPTION:
+# Check if kernel requires module signing and die
+# if module is not going to be signed.
+_check_sig_force() {
+	debug-print-function ${FUNCNAME} "${@}"
+
+	if linux_chkconfig_present MODULE_SIG_FORCE; then
+		if use !module-sign; then
+			eerror "kernel .config has MODULE_SIG_FORCE=y option set"
+			eerror "This means that kernel requires all modules"
+			eerror "to be signed and verified before loading"
+			eerror "please enable USE=\"module-sign\" or reconfigure your kernel"
+			eerror "otherwise loading the module will fail"
+			die "signature required"
+		fi
+	fi
+}
+
+# @FUNCTION: _sign_module
+# @INTERNAL
+# @USAGE: <filename>
+# @DESCRIPTION:
+# Sign a kernel module
+_sign_module() {
+	debug-print-function ${FUNCNAME} "${@}"
+
+	local dotconfig_sig_hash dotconfig_sig_key
+	local sign_binary_path sig_key_path sig_x509_path
+	local module
+
+	# extract values from kernel .config
+	# extracted key path is not full, e.g. "certs/signing_key.pem"
+	dotconfig_sig_hash="$(linux_chkconfig_string MODULE_SIG_HASH)"
+	dotconfig_sig_key="$(linux_chkconfig_string MODULE_SIG_KEY)"
+
+	# strip out double quotes, sign-file binary chokes on them
+	dotconfig_sig_hash=${dotconfig_sig_hash//\"/}
+	dotconfig_sig_key=${dotconfig_sig_key//\"/}
+
+	sign_binary_path="${KV_OUT_DIR}/scripts/sign-file"
+	sig_key_path="${KERNEL_MODULE_SIG_KEY:-${KV_OUT_DIR}/${dotconfig_sig_key}}"
+	sig_x509_path="${sig_key_path/.pem/.x509}"
+
+	module=${1##*/}
+
+	# some checks, because sign-file is dumb and produces cryptic errors
+	[[ -w "${1}" ]] || die "${1} not found or not writable"
+	grep -qFL '~Module signature appended~' "${1}" && die "${module} already signed"
+	[[ -x "${sign_binary_path}" ]] || die "${sign_binary_path} not found or not executable"
+	[[ -r "${sig_key_path}" ]] || die "Private key ${sig_key_path} not found or not readable"
+	[[ -r "${sig_x509_path}" ]] || die "Public key ${sig_x509_path} not found or not readable"
+
+	einfo "Signing ${module} using ${sig_key_path}:${dotconfig_sig_hash}"
+	"${sign_binary_path}" \
+		"${dotconfig_sig_hash}" "${sig_key_path}" "${sig_x509_path}" \
+		"${1}" || die "Signing ${module} failed"
+}
+
+# @FUNCTION: _sign_all_modules
+# @INTERNAL
+# @DESCRIPTION:
+# Signs all unsigned modules
+# Must be called in pkg_preinst.
+_sign_all_modules() {
+	debug-print-function ${FUNCNAME} "${@}"
+
+	[[ -z "${KV_OBJ}" ]] && set_kvobj
+	require_configured_kernel
+	check_kernel_built
+
+	local module
+	while read -rd '' module; do
+		_sign_module "${module}"
+	done < <(find "${ED}/lib/modules/${KV_FULL}" -name "*.${KV_OBJ}" -print0)
+}
+
 # internal function
 #
 # FUNCTION:
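Review bot: `sig_x509_path="${sig_key_path/.pem/.x509}"` in _sign_module substitutes the first `.pem` found anywhere in the path, and when the key name carries no `.pem` at all the result equals the private key path, so the `-r` check passes and the private key file is handed to sign-file in the certificate slot; anchoring to the suffix, `sig_x509_path="${sig_key_path%.pem}.x509"`, avoids both. The already-signed test pairs `-q` with `-L`, an output option whose exit-status meaning has been changed and later reverted across GNU grep releases; `-q` already silences output, so `grep -qF -- '~Module signature appended~' "${1}" && die "${module} already signed"` expresses the intent without depending on the grep version. _sign_all_modules is documented as "Signs all unsigned modules", yet _sign_module dies on a module that already carries a signature, so a package shipping pre-signed modules fails the merge; either skip such modules there (ewarn and continue) or change the doc to say every module found must be unsigned. Finally, an empty MODULE_SIG_KEY string collapses sig_key_path to `${KV_OUT_DIR}/`, which `-r` accepts for a directory; `[[ -f "${sig_key_path}" && -r "${sig_key_path}" ]]` would reject it before sign-file produces its own cryptic error.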
@@ -583,12 +672,16 @@ linux-mod_pkg_setup() {
 	# External modules use kernel symbols (bug #591832)
 	CONFIG_CHECK+=" !TRIM_UNUSED_KSYMS"
 
+	# if signature is requested, check if kernel actually supports it
+	use module-sign && CONFIG_CHECK+=" MODULE_SIG"
+
 	linux-info_pkg_setup;
 	require_configured_kernel
 	check_kernel_built;
 	strip_modulenames;
 	[[ -n ${MODULE_NAMES} ]] && check_modules_supported
 	set_kvobj;
+	_check_sig_force
 	# Commented out with permission from johnm until a fixed version for arches
 	# who intentionally use different kernel and userland compilers can be
 	# introduced - Jason Wever <weeve@gentoo.org>, 23 Oct 2005
@@ -716,8 +809,8 @@ linux-mod_src_install() {
 
 		einfo "Installing ${modulename} module"
 		cd "${objdir}" || die "${objdir} does not exist"
-		insinto /lib/modules/${KV_FULL}/${libdir}
-		doins ${modulename}.${KV_OBJ} || die "doins ${modulename}.${KV_OBJ} failed"
+		insinto /lib/modules/"${KV_FULL}/${libdir}"
+		doins "${modulename}.${KV_OBJ}" || die "doins ${modulename}.${KV_OBJ} failed"
 		cd "${OLDPWD}"
 
 		generate_modulesd "${objdir}/${modulename}"
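Review bot: `insinto /lib/modules/"${KV_FULL}/${libdir}"` quotes only the tail of the path, which is legal but reads as if the quoting were accidental; the conventional form is `insinto "/lib/modules/${KV_FULL}/${libdir}"`, matching the fully quoted `doins` on the next line. linux-mod_src_install starts and ends outside the hunk.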
@@ -733,6 +826,8 @@ linux-mod_pkg_preinst() {
 
 	[ -d "${D}lib/modules" ] && UPDATE_DEPMOD=true || UPDATE_DEPMOD=false
 	[ -d "${D}lib/modules" ] && UPDATE_MODULEDB=true || UPDATE_MODULEDB=false
+	_check_sig_force
+	use module-sign && _sign_all_modules
 }
 
 # @FUNCTION: linux-mod_pkg_postinst
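Review bot: `_sign_all_modules` walks `${ED}/lib/modules/${KV_FULL}` while the two lines just above the new call test `${D}lib/modules`; the new code should agree with its neighbours on which image root it uses. If ED is ever unset (the EAPI case near the top of the patched file appears to still accept EAPI 0), the find expression degenerates to the live `/lib/modules/${KV_FULL}` and sign-file would be run in place against the running system's modules, so at minimum guard it with `: "${ED:?}"` or use `${D}` like the surrounding code. linux-mod_pkg_preinst starts outside the hunk.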



* Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing
  2022-07-05 19:02                   ` Georgy Yakovlev
  2022-07-05 19:55                     ` Kenton Groombridge
@ 2022-07-05 20:11                     ` Mike Gilbert
  1 sibling, 0 replies; 25+ messages in thread
From: Mike Gilbert @ 2022-07-05 20:11 UTC (permalink / raw)
  To: Gentoo Dev

On Tue, Jul 5, 2022 at 3:02 PM Georgy Yakovlev <gyakovlev@gentoo.org> wrote:
>
> ...snip
> >
> > > In that case, I think the only viable way to make this work is to
> > > disable automatic stripping and handle stripping via custom code in
> > > the ebuild/eclass.
> > >
> > might work indeed if we do something like (pseudo-bash)
> >
> > if [[ module_sign == yes ]]; then
> >     dostrip -x /lib/modules # to stop portage stripping .ko objects
> >     manual-strip-respecting-features-nostrip -r /lib/modules
> >     sign-all-modules -r /lib/modules
> > fi
> > [[ compress_modules == yes ]] && compress-modules -r /lib/modules
> >
> >
> > this will equire eapi-bumping couple of packages
> > https://qa-reports.gentoo.org/output/eapi-per-eclass/linux-mod.eclass/6.txt
> > and restricting linux-mod.eclass to eapi7 or later.
> >
> >
> >
> started playing with my old code and got blocked right away:
>
> looks like dostrip just creates a list of files/directories to strip
> and processed at the very end of install phase.
>
> so skipping strip and doing manual one might be problematic.
> internally portage uses estrip
> https://github.com/gentoo/portage/blob/master/bin/estrip
> which contains quite a lot of logic and code and I don't think
> partially re-implementing this in eclass code is appropriate.
>

Looking at the kernel build system, it looks like modules don't get
stripped by default anyway: you have to explicitly pass
INSTALL_MOD_STRIP=1 to make modules_install.

I don't think it would be a major problem to just disable stripping
entirely for out-of-tree modules when module signing is enabled.

Alternatively, forget about trying to reimplement estrip and just
strip the files by calling ${STRIP} --strip-debug, as is done in
scripts/Makefile.modinst in the kernel sources. That will conflict
with FEATURES=splitdebug, but I doubt that's very useful for kernel
developers anyway.



* Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing
  2022-07-05 19:02                   ` Georgy Yakovlev
@ 2022-07-05 19:55                     ` Kenton Groombridge
  2022-07-05 20:11                     ` Mike Gilbert
  1 sibling, 0 replies; 25+ messages in thread
From: Kenton Groombridge @ 2022-07-05 19:55 UTC (permalink / raw)
  To: gentoo-dev

On 22/07/05 12:02PM, Georgy Yakovlev wrote:
> started playing with my old code and got blocked right away:
> 
> looks like dostrip just creates a list of files/directories to strip
> and processed at the very end of install phase.
> 
> so skipping strip and doing manual one might be problematic.
> internally portage uses estrip
> https://github.com/gentoo/portage/blob/master/bin/estrip
> which contains quite a lot of logic and code and I don't think
> partially re-implementing this in eclass code is appropriate.
> 

I agree I don't think it's appropriate. Would it make sense to be able
to provide an extra argument to dostrip in order to strip an object
*now* using the existing logic (and skip later stripping)? i.e.:

dostrip --now my_module.ko



* Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing
  2022-06-27 23:42                 ` Georgy Yakovlev
@ 2022-07-05 19:02                   ` Georgy Yakovlev
  2022-07-05 19:55                     ` Kenton Groombridge
  2022-07-05 20:11                     ` Mike Gilbert
  0 siblings, 2 replies; 25+ messages in thread
From: Georgy Yakovlev @ 2022-07-05 19:02 UTC (permalink / raw)
  To: gentoo-dev

...snip
> 
> > In that case, I think the only viable way to make this work is to
> > disable automatic stripping and handle stripping via custom code in
> > the ebuild/eclass.
> > 
> might work indeed if we do something like (pseudo-bash)
> 
> if [[ module_sign == yes ]]; then
>     dostrip -x /lib/modules # to stop portage stripping .ko objects
>     manual-strip-respecting-features-nostrip -r /lib/modules
>     sign-all-modules -r /lib/modules
> fi
> [[ compress_modules == yes ]] && compress-modules -r /lib/modules
> 
> 
> this will equire eapi-bumping couple of packages
> https://qa-reports.gentoo.org/output/eapi-per-eclass/linux-mod.eclass/6.txt
> and restricting linux-mod.eclass to eapi7 or later.
> 
> 
> 
started playing with my old code and got blocked right away:

looks like dostrip just creates a list of files/directories to strip
and processed at the very end of install phase.

so skipping strip and doing manual one might be problematic.
internally portage uses estrip
https://github.com/gentoo/portage/blob/master/bin/estrip
which contains quite a lot of logic and code and I don't think
partially re-implementing this in eclass code is appropriate.



* Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing
  2022-06-27 21:50               ` Mike Gilbert
@ 2022-06-27 23:42                 ` Georgy Yakovlev
  2022-07-05 19:02                   ` Georgy Yakovlev
  0 siblings, 1 reply; 25+ messages in thread
From: Georgy Yakovlev @ 2022-06-27 23:42 UTC (permalink / raw)
  To: gentoo-dev

On Mon, 2022-06-27 at 17:50 -0400, Mike Gilbert wrote:
> On Mon, Jun 27, 2022 at 5:11 PM Georgy Yakovlev
> <gyakovlev@gentoo.org> wrote:
> > 
> > On Mon, 2022-06-27 at 15:49 -0400, Mike Gilbert wrote:
> > > On Mon, Jun 27, 2022 at 3:42 PM Georgy Yakovlev
> > > <gyakovlev@gentoo.org> wrote:
> > > > 
> > > > On Mon, 2022-06-27 at 14:56 -0400, Mike Gilbert wrote:
> > > > > On Mon, Jun 27, 2022 at 2:35 PM Kenton Groombridge
> > > > > <concord@gentoo.org> wrote:
> > > > > > > so looks like we need to combine both methods and do the
> > > > > > > following:
> > > > > > >  - if signing requested without compression - sign in
> > > > > > > pkg_preinst.
> > > > > > >  - if signing requested with compression - sign in
> > > > > > > src_install
> > > > > > > 
> > > > > > 
> > > > > > Why can't we do both in pkg_preinst? I am thinking it would
> > > > > > be
> > > > > > best
> > > > > > if
> > > > > > we drop the current compression implementation and rework
> > > > > > your
> > > > > > old
> > > > > > code
> > > > > > to handle both compression and signing since the signing
> > > > > > code
> > > > > > is
> > > > > > more or
> > > > > > less already complete.
> > > > > 
> > > > > Signing modules in pkg_preinst seems like a bad idea to me.
> > > > > That
> > > > > means
> > > > > you need to copy your private keys around to every host where
> > > > > the
> > > > > package might be installed.
> > > > > 
> > > > > If you sign in src_compile or src_install, you only need
> > > > > private
> > > > > keys
> > > > > on the system building your binpkg.
> > > > > 
> > > > 
> > > > unfortunately portage will unconditionally strip .ko objects,
> > > > rendering
> > > > modules unloadable by stripping signature,  unless we do
> > > > dostrip -x
> > > > (requires EAPI7+, which should not be a problem nowadays, but
> > > > was a
> > > > problem back in 2018), which can be quite unfortunate on debug
> > > > enabled
> > > > kernels.
> > > 
> > > Sounds like something to fix/change in Portage. It could probably
> > > be
> > > updated to not strip the signature. However, I would guess the
> > > signature needs to be updated after the binary is modified in any
> > > case.
> > > 
> > > Or as a workaround you could disable automatic striping via
> > > dostrip -
> > > x
> > > and run the proper commands to strip the modules in src_install
> > > as
> > > well.
> > > 
> > I think even strip itself does not have proper options not to break
> > module. Several years back it was the case, basically one has to
> > strip
> > first, sign second, otherwise module will be unloadable.
> > 
> > "Signed modules are BRITTLE as the signature is outside of the
> > defined
> > ELF container. Thus they MAY NOT be stripped once the signature is
> > computed and attached. Note the entire module is the signed
> > payload,
> > including any and all debug information present at the time of
> > signing."
> > 
> > https://www.kernel.org/doc/html/v4.15/admin-guide/module-signing.html#signed-modules-and-stripping
> > 
> 
> In that case, I think the only viable way to make this work is to
> disable automatic stripping and handle stripping via custom code in
> the ebuild/eclass.
> 
might work indeed if we do something like (pseudo-bash)

if [[ module_sign == yes ]]; then
    dostrip -x /lib/modules # to stop portage stripping .ko objects
    manual-strip-respecting-features-nostrip -r /lib/modules
    sign-all-modules -r /lib/modules
fi
[[ compress_modules == yes ]] && compress-modules -r /lib/modules


this will require eapi-bumping a couple of packages
https://qa-reports.gentoo.org/output/eapi-per-eclass/linux-mod.eclass/6.txt
and restricting linux-mod.eclass to eapi7 or later.





* Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing
  2022-06-27 21:11             ` Georgy Yakovlev
@ 2022-06-27 21:50               ` Mike Gilbert
  2022-06-27 23:42                 ` Georgy Yakovlev
  0 siblings, 1 reply; 25+ messages in thread
From: Mike Gilbert @ 2022-06-27 21:50 UTC (permalink / raw)
  To: Gentoo Dev

On Mon, Jun 27, 2022 at 5:11 PM Georgy Yakovlev <gyakovlev@gentoo.org> wrote:
>
> On Mon, 2022-06-27 at 15:49 -0400, Mike Gilbert wrote:
> > On Mon, Jun 27, 2022 at 3:42 PM Georgy Yakovlev
> > <gyakovlev@gentoo.org> wrote:
> > >
> > > On Mon, 2022-06-27 at 14:56 -0400, Mike Gilbert wrote:
> > > > On Mon, Jun 27, 2022 at 2:35 PM Kenton Groombridge
> > > > <concord@gentoo.org> wrote:
> > > > > > so looks like we need to combine both methods and do the
> > > > > > following:
> > > > > >  - if signing requested without compression - sign in
> > > > > > pkg_preinst.
> > > > > >  - if signing requested with compression - sign in
> > > > > > src_install
> > > > > >
> > > > >
> > > > > Why can't we do both in pkg_preinst? I am thinking it would be
> > > > > best
> > > > > if
> > > > > we drop the current compression implementation and rework your
> > > > > old
> > > > > code
> > > > > to handle both compression and signing since the signing code
> > > > > is
> > > > > more or
> > > > > less already complete.
> > > >
> > > > Signing modules in pkg_preinst seems like a bad idea to me. That
> > > > means
> > > > you need to copy your private keys around to every host where the
> > > > package might be installed.
> > > >
> > > > If you sign in src_compile or src_install, you only need private
> > > > keys
> > > > on the system building your binpkg.
> > > >
> > >
> > > unfortunately portage will unconditionally strip .ko objects,
> > > rendering
> > > modules unloadable by stripping signature,  unless we do dostrip -x
> > > (requires EAPI7+, which should not be a problem nowadays, but was a
> > > problem back in 2018), which can be quite unfortunate on debug
> > > enabled
> > > kernels.
> >
> > Sounds like something to fix/change in Portage. It could probably be
> > updated to not strip the signature. However, I would guess the
> > signature needs to be updated after the binary is modified in any
> > case.
> >
> > Or as a workaround you could disable automatic striping via dostrip -
> > x
> > and run the proper commands to strip the modules in src_install as
> > well.
> >
> I think even strip itself does not have proper options not to break
> module. Several years back it was the case, basically one has to strip
> first, sign second, otherwise module will be unloadable.
>
> "Signed modules are BRITTLE as the signature is outside of the defined
> ELF container. Thus they MAY NOT be stripped once the signature is
> computed and attached. Note the entire module is the signed payload,
> including any and all debug information present at the time of
> signing."
>
> https://www.kernel.org/doc/html/v4.15/admin-guide/module-signing.html#signed-modules-and-stripping
>

In that case, I think the only viable way to make this work is to
disable automatic stripping and handle stripping via custom code in
the ebuild/eclass.



* Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing
  2022-06-27 20:02         ` Kenton Groombridge
@ 2022-06-27 21:25           ` Georgy Yakovlev
  0 siblings, 0 replies; 25+ messages in thread
From: Georgy Yakovlev @ 2022-06-27 21:25 UTC (permalink / raw)
  To: gentoo-dev

On Mon, 2022-06-27 at 16:02 -0400, Kenton Groombridge wrote:
> > > Why can't we do both in pkg_preinst? I am thinking it would be
> > > best
> > > if
> > > we drop the current compression implementation and rework your
> > > old
> > > code
> > > to handle both compression and signing since the signing code is
> > > more
> > > or
> > > less already complete.
> > 
> > i'm not sure if sign-file can sign compressed modules.
> 
> sign-file will not error when signing a compressed module, but the
> kernel will not be able to load it.

so we pretty much HAVE to strip->sign->compress, strictly in this
order. nothing else will work.

> 
> > if we let kernel build handle compression - we have to sign prior
> > to
> > compression.
> > if we compress modules ourselves then yes, we could sign first
> > indeed.
> > 
> > but preinst has it's own issues, you've already seen floppym's
> > remark.
> > 




* Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing
  2022-06-27 19:49           ` Mike Gilbert
@ 2022-06-27 21:11             ` Georgy Yakovlev
  2022-06-27 21:50               ` Mike Gilbert
  0 siblings, 1 reply; 25+ messages in thread
From: Georgy Yakovlev @ 2022-06-27 21:11 UTC (permalink / raw)
  To: gentoo-dev

On Mon, 2022-06-27 at 15:49 -0400, Mike Gilbert wrote:
> On Mon, Jun 27, 2022 at 3:42 PM Georgy Yakovlev
> <gyakovlev@gentoo.org> wrote:
> > 
> > On Mon, 2022-06-27 at 14:56 -0400, Mike Gilbert wrote:
> > > On Mon, Jun 27, 2022 at 2:35 PM Kenton Groombridge
> > > <concord@gentoo.org> wrote:
> > > > > so looks like we need to combine both methods and do the
> > > > > following:
> > > > >  - if signing requested without compression - sign in
> > > > > pkg_preinst.
> > > > >  - if signing requested with compression - sign in
> > > > > src_install
> > > > > 
> > > > 
> > > > Why can't we do both in pkg_preinst? I am thinking it would be
> > > > best
> > > > if
> > > > we drop the current compression implementation and rework your
> > > > old
> > > > code
> > > > to handle both compression and signing since the signing code
> > > > is
> > > > more or
> > > > less already complete.
> > > 
> > > Signing modules in pkg_preinst seems like a bad idea to me. That
> > > means
> > > you need to copy your private keys around to every host where the
> > > package might be installed.
> > > 
> > > If you sign in src_compile or src_install, you only need private
> > > keys
> > > on the system building your binpkg.
> > > 
> > 
> > unfortunately portage will unconditionally strip .ko objects,
> > rendering
> > modules unloadable by stripping signature,  unless we do dostrip -x
> > (requires EAPI7+, which should not be a problem nowadays, but was a
> > problem back in 2018), which can be quite unfortunate on debug
> > enabled
> > kernels.
> 
> Sounds like something to fix/change in Portage. It could probably be
> updated to not strip the signature. However, I would guess the
> signature needs to be updated after the binary is modified in any
> case.
> 
> Or as a workaround you could disable automatic striping via dostrip -
> x
> and run the proper commands to strip the modules in src_install as
> well.
> 
I think even strip itself does not have proper options not to break
module. Several years back it was the case, basically one has to strip
first, sign second, otherwise module will be unloadable.

"Signed modules are BRITTLE as the signature is outside of the defined
ELF container. Thus they MAY NOT be stripped once the signature is
computed and attached. Note the entire module is the signed payload,
including any and all debug information present at the time of
signing."

https://www.kernel.org/doc/html/v4.15/admin-guide/module-signing.html#signed-modules-and-stripping



* Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing
  2022-06-27 19:46       ` Georgy Yakovlev
@ 2022-06-27 20:02         ` Kenton Groombridge
  2022-06-27 21:25           ` Georgy Yakovlev
  0 siblings, 1 reply; 25+ messages in thread
From: Kenton Groombridge @ 2022-06-27 20:02 UTC (permalink / raw)
  To: gentoo-dev


> > Why can't we do both in pkg_preinst? I am thinking it would be best
> > if
> > we drop the current compression implementation and rework your old
> > code
> > to handle both compression and signing since the signing code is more
> > or
> > less already complete.
> 
> i'm not sure if sign-file can sign compressed modules.

sign-file will not error when signing a compressed module, but the
kernel will not be able to load it.

> if we let kernel build handle compression - we have to sign prior to
> compression.
> if we compress modules ourselves then yes, we could sign first indeed.
> 
> but preinst has it's own issues, you've already seen floppym's remark.
> 



* Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing
  2022-06-27 19:42         ` Georgy Yakovlev
@ 2022-06-27 19:49           ` Mike Gilbert
  2022-06-27 21:11             ` Georgy Yakovlev
  0 siblings, 1 reply; 25+ messages in thread
From: Mike Gilbert @ 2022-06-27 19:49 UTC (permalink / raw)
  To: Gentoo Dev

On Mon, Jun 27, 2022 at 3:42 PM Georgy Yakovlev <gyakovlev@gentoo.org> wrote:
>
> On Mon, 2022-06-27 at 14:56 -0400, Mike Gilbert wrote:
> > On Mon, Jun 27, 2022 at 2:35 PM Kenton Groombridge
> > <concord@gentoo.org> wrote:
> > > > so looks like we need to combine both methods and do the
> > > > following:
> > > >  - if signing requested without compression - sign in
> > > > pkg_preinst.
> > > >  - if signing requested with compression - sign in src_install
> > > >
> > >
> > > Why can't we do both in pkg_preinst? I am thinking it would be best
> > > if
> > > we drop the current compression implementation and rework your old
> > > code
> > > to handle both compression and signing since the signing code is
> > > more or
> > > less already complete.
> >
> > Signing modules in pkg_preinst seems like a bad idea to me. That
> > means
> > you need to copy your private keys around to every host where the
> > package might be installed.
> >
> > If you sign in src_compile or src_install, you only need private keys
> > on the system building your binpkg.
> >
>
> unfortunately portage will unconditionally strip .ko objects, rendering
> modules unloadable by stripping signature,  unless we do dostrip -x
> (requires EAPI7+, which should not be a problem nowadays, but was a
> problem back in 2018), which can be quite unfortunate on debug enabled
> kernels.

Sounds like something to fix/change in Portage. It could probably be
updated to not strip the signature. However, I would guess the
signature needs to be updated after the binary is modified in any
case.

Or as a workaround you could disable automatic striping via dostrip -x
and run the proper commands to strip the modules in src_install as
well.



* Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing
  2022-06-27 18:35     ` Kenton Groombridge
  2022-06-27 18:56       ` Mike Gilbert
@ 2022-06-27 19:46       ` Georgy Yakovlev
  2022-06-27 20:02         ` Kenton Groombridge
  1 sibling, 1 reply; 25+ messages in thread
From: Georgy Yakovlev @ 2022-06-27 19:46 UTC (permalink / raw)
  To: gentoo-dev

On Mon, 2022-06-27 at 14:35 -0400, Kenton Groombridge wrote:
> On 22/06/26 04:15AM, Georgy Yakovlev wrote:
> > On Sun, 2022-06-26 at 03:52 -0700, Georgy Yakovlev wrote:
> > > On Tue, 2022-06-21 at 14:19 -0400, Kenton Groombridge wrote:
> > > > eee74b9fca1 adds support for module compression, but this
> > > > breaks
> > > > loading
> > > > out of tree modules when module signing is enforced because
> > > > modules
> > > > must
> > > > be signed before they are compressed. Additionally, the
> > > > recommended
> > > > Portage hook[1] no longer works with this change.
> > > > 
> > > > Add module signing support in linux-mod.eclass which more or
> > > > less
> > > > does
> > > > exactly what the aforementioned Portage hook does. If the
> > > > kernel
> > > > configuration has CONFIG_MODULE_SIG_ALL=y, then read the hash
> > > > and
> > > > keys
> > > > from the kernel configuration and call the sign_file tool to
> > > > sign
> > > > the
> > > > module before it is compressed.
> > > > 
> > > > Bug: https://bugs.gentoo.org/show_bug.cgi?id=447352
> > > > Signed-off-by: Kenton Groombridge <concord@gentoo.org>
> > > > ---
> > > >  eclass/linux-mod.eclass | 16 ++++++++++++++++
> > > >  1 file changed, 16 insertions(+)
> > > > 
> > > > diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass
> > > > index b7c13cbf7e7..fd40f6d7c6c 100644
> > > > --- a/eclass/linux-mod.eclass
> > > > +++ b/eclass/linux-mod.eclass
> > > > @@ -712,6 +712,22 @@ linux-mod_src_install() {
> > > >                 cd "${objdir}" || die "${objdir} does not
> > > > exist"
> > > >                 insinto
> > > > "${INSTALL_MOD_PATH}"/lib/modules/${KV_FULL}/${libdir}
> > > >  
> > > > +               # check here for CONFIG_MODULE_SIG_ALL and sign
> > > > the
> > > > module being built if enabled.
> > > > +               # modules must be signed before they are
> > > > compressed.
> > > > +
> > > > +               if linux_chkconfig_present MODULE_SIG_ALL; then
> > > > +                       local
> > > > module_sig_hash="$(linux_chkconfig_string MODULE_SIG_HASH)"
> > > > +                       local
> > > > module_sig_key="$(linux_chkconfig_string MODULE_SIG_KEY)"
> > > > +                       module_sig_key="${module_sig_key:-
> > > > certs/signing_key.pem}"
> > > > +                       if [[ "${module_sig_key#pkcs11:}" ==
> > > > "${module_sig_key}" && "${module_sig_key#/}" ==
> > > > "${module_sig_key}"
> > > > ]]; then
> > > > +                               local
> > > > key_path="${KERNEL_DIR}/${module_sig_key}"
> > > > +                       else
> > > > +                               local
> > > > key_path="${module_sig_key}"
> > > > +                       fi
> > > > +                       local
> > > > cert_path="${KERNEL_DIR}/certs/signing_key.x509"
> > > > +                       "${KERNEL_DIR}"/scripts/sign-file
> > > > ${module_sig_hash//\"} ${key_path//\"} ${cert_path}
> > > > ${modulename}.${KV_OBJ}
> > > > +               fi
> > > > +
> > > >                 # check here for
> > > > CONFIG_MODULE_COMPRESS_<compression
> > > > option> (NONE, GZIP, XZ, ZSTD) 
> > > >                 # and similarily compress the module being
> > > > built if
> > > > != NONE.
> > > >  
> > > 
> > > 
> > > Hi,
> > > 
> > > I've spent some time in the past ( circa 2018 ) to get this in,
> > > but 
> > > gave up due to various reasons, I was not a gentoo dev yet at the
> > > time.
> > > 
> > > I can't see how posted implementation will work tbh.
> > > portage will strip signature out of the module, unless you
> > > prevent
> > > stripping completely or package uses EAPI>=7, and omits stripping
> > > modules via dostrip -x on the ko object.
> > > kernel will NOT load module with stripped signature.
> > > 
> > > so either you have to sign in pkg_postinst phase, or prevent
> > > stripping.
> > > signing in postinst is not ideal, because it breaks recorded file
> > > checksums in vdb.
> > > 
> > > here's old fork of eclass I made, maybe you can find some helpful
> > > code
> > > in there
> > > 
> > > https://github.com/gyakovlev/linux-mod.eclass/blob/master/linux-mod.eclass
> > > 
> > > old ML discussion we had:
> > > https://archives.gentoo.org/gentoo-dev/message/4b15b1c851f379a1f802e2f2895cdfa8
> > > 
> > > You will also need a dependency on openssl, since sign-file uses
> > > it.
> > > 
> > > lmk if you need more info, I might remember more details, but for
> > > now
> > > that's all I have. I'll try to help get it done, but my
> > > availability
> > > is
> > > spotty due to limited time.
> > 
> > after reading my old code again and thinking more I think I know
> > what's
> > going on.
> >  1. I've actually solved checksum/strip problem by signing in pkg-
> > preinst
> >  2. my method will likely fail with compressed modules.
> >  3. your method likely works only if modules are compressed -
> > because
> > portage does not strip those I think.
> > 
> 
> This is exactly what I was thinking. I'm pretty sure I wasn't seeing
> the
> problematic signature stripping behavior because I have module
> compression enabled.
> 
> Also good point about the OpenSSL dependency. That's something I
> didn't
> consider.
> 
> > so looks like we need to combine both methods and do the following:
> >  - if signing requested without compression - sign in pkg_preinst.
> >  - if signing requested with compression - sign in src_install
> > 
> 
> Why can't we do both in pkg_preinst? I am thinking it would be best
> if
> we drop the current compression implementation and rework your old
> code
> to handle both compression and signing since the signing code is more
> or
> less already complete.

i'm not sure if sign-file can sign compressed modules.
if we let kernel build handle compression - we have to sign prior to
compression.
if we compress modules ourselves then yes, we could sign first indeed.

but preinst has it's own issues, you've already seen floppym's remark.

> 
> > Do I make sense? I still haven't tested it, just guessing as I read
> > my
> > old bash code.
> > 




* Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing
  2022-06-27 18:56       ` Mike Gilbert
  2022-06-27 19:18         ` Kenton Groombridge
@ 2022-06-27 19:42         ` Georgy Yakovlev
  2022-06-27 19:49           ` Mike Gilbert
  1 sibling, 1 reply; 25+ messages in thread
From: Georgy Yakovlev @ 2022-06-27 19:42 UTC (permalink / raw)
  To: gentoo-dev

On Mon, 2022-06-27 at 14:56 -0400, Mike Gilbert wrote:
> On Mon, Jun 27, 2022 at 2:35 PM Kenton Groombridge
> <concord@gentoo.org> wrote:
> > > so looks like we need to combine both methods and do the
> > > following:
> > >  - if signing requested without compression - sign in
> > > pkg_preinst.
> > >  - if signing requested with compression - sign in src_install
> > > 
> > 
> > Why can't we do both in pkg_preinst? I am thinking it would be best
> > if
> > we drop the current compression implementation and rework your old
> > code
> > to handle both compression and signing since the signing code is
> > more or
> > less already complete.
> 
> Signing modules in pkg_preinst seems like a bad idea to me. That
> means
> you need to copy your private keys around to every host where the
> package might be installed.
> 
> If you sign in src_compile or src_install, you only need private keys
> on the system building your binpkg.
> 

Unfortunately Portage will unconditionally strip .ko objects, rendering
modules unloadable by stripping the signature, unless we do dostrip -x
(requires EAPI 7+, which should not be a problem nowadays, but was a
problem back in 2018), which can be quite unfortunate on debug-enabled
kernels.



* Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing
  2022-06-27 18:56       ` Mike Gilbert
@ 2022-06-27 19:18         ` Kenton Groombridge
  2022-06-27 19:42         ` Georgy Yakovlev
  1 sibling, 0 replies; 25+ messages in thread
From: Kenton Groombridge @ 2022-06-27 19:18 UTC (permalink / raw)
  To: gentoo-dev


On 22/06/27 02:56PM, Mike Gilbert wrote:
> On Mon, Jun 27, 2022 at 2:35 PM Kenton Groombridge <concord@gentoo.org> wrote:
> > > so looks like we need to combine both methods and do the following:
> > >  - if signing requested without compression - sign in pkg_preinst.
> > >  - if signing requested with compression - sign in src_install
> > >
> >
> > Why can't we do both in pkg_preinst? I am thinking it would be best if
> > we drop the current compression implementation and rework your old code
> > to handle both compression and signing since the signing code is more or
> > less already complete.
> 
> Signing modules in pkg_preinst seems like a bad idea to me. That means
> you need to copy your private keys around to every host where the
> package might be installed.
> 
> If you sign in src_compile or src_install, you only need private keys
> on the system building your binpkg.
> 

Ah that makes sense. I think the question then is whether or not
building binpkgs for kernel modules where the target system has its own
signing keys is something we want to support.

With that in mind I realize that doing compression in pkg_preinst means
that target systems can use different compression methods (or no
compression at all) if desired without much complication.



* Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing
  2022-06-27 18:35     ` Kenton Groombridge
@ 2022-06-27 18:56       ` Mike Gilbert
  2022-06-27 19:18         ` Kenton Groombridge
  2022-06-27 19:42         ` Georgy Yakovlev
  2022-06-27 19:46       ` Georgy Yakovlev
  1 sibling, 2 replies; 25+ messages in thread
From: Mike Gilbert @ 2022-06-27 18:56 UTC (permalink / raw)
  To: Gentoo Dev

On Mon, Jun 27, 2022 at 2:35 PM Kenton Groombridge <concord@gentoo.org> wrote:
> > so looks like we need to combine both methods and do the following:
> >  - if signing requested without compression - sign in pkg_preinst.
> >  - if signing requested with compression - sign in src_install
> >
>
> Why can't we do both in pkg_preinst? I am thinking it would be best if
> we drop the current compression implementation and rework your old code
> to handle both compression and signing since the signing code is more or
> less already complete.

Signing modules in pkg_preinst seems like a bad idea to me. That means
you need to copy your private keys around to every host where the
package might be installed.

If you sign in src_compile or src_install, you only need private keys
on the system building your binpkg.



* Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing
  2022-06-26 11:15   ` Georgy Yakovlev
@ 2022-06-27 18:35     ` Kenton Groombridge
  2022-06-27 18:56       ` Mike Gilbert
  2022-06-27 19:46       ` Georgy Yakovlev
  0 siblings, 2 replies; 25+ messages in thread
From: Kenton Groombridge @ 2022-06-27 18:35 UTC (permalink / raw)
  To: gentoo-dev


On 22/06/26 04:15AM, Georgy Yakovlev wrote:
> On Sun, 2022-06-26 at 03:52 -0700, Georgy Yakovlev wrote:
> > On Tue, 2022-06-21 at 14:19 -0400, Kenton Groombridge wrote:
> > > eee74b9fca1 adds support for module compression, but this breaks
> > > loading
> > > out of tree modules when module signing is enforced because modules
> > > must
> > > be signed before they are compressed. Additionally, the recommended
> > > Portage hook[1] no longer works with this change.
> > > 
> > > Add module signing support in linux-mod.eclass which more or less
> > > does
> > > exactly what the aforementioned Portage hook does. If the kernel
> > > configuration has CONFIG_MODULE_SIG_ALL=y, then read the hash and
> > > keys
> > > from the kernel configuration and call the sign_file tool to sign
> > > the
> > > module before it is compressed.
> > > 
> > > Bug: https://bugs.gentoo.org/show_bug.cgi?id=447352
> > > Signed-off-by: Kenton Groombridge <concord@gentoo.org>
> > > ---
> > >  eclass/linux-mod.eclass | 16 ++++++++++++++++
> > >  1 file changed, 16 insertions(+)
> > > 
> > > diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass
> > > index b7c13cbf7e7..fd40f6d7c6c 100644
> > > --- a/eclass/linux-mod.eclass
> > > +++ b/eclass/linux-mod.eclass
> > > @@ -712,6 +712,22 @@ linux-mod_src_install() {
> > >                 cd "${objdir}" || die "${objdir} does not exist"
> > >                 insinto
> > > "${INSTALL_MOD_PATH}"/lib/modules/${KV_FULL}/${libdir}
> > >  
> > > +               # check here for CONFIG_MODULE_SIG_ALL and sign the
> > > module being built if enabled.
> > > +               # modules must be signed before they are
> > > compressed.
> > > +
> > > +               if linux_chkconfig_present MODULE_SIG_ALL; then
> > > +                       local
> > > module_sig_hash="$(linux_chkconfig_string MODULE_SIG_HASH)"
> > > +                       local
> > > module_sig_key="$(linux_chkconfig_string MODULE_SIG_KEY)"
> > > +                       module_sig_key="${module_sig_key:-
> > > certs/signing_key.pem}"
> > > +                       if [[ "${module_sig_key#pkcs11:}" ==
> > > "${module_sig_key}" && "${module_sig_key#/}" == "${module_sig_key}"
> > > ]]; then
> > > +                               local
> > > key_path="${KERNEL_DIR}/${module_sig_key}"
> > > +                       else
> > > +                               local key_path="${module_sig_key}"
> > > +                       fi
> > > +                       local
> > > cert_path="${KERNEL_DIR}/certs/signing_key.x509"
> > > +                       "${KERNEL_DIR}"/scripts/sign-file
> > > ${module_sig_hash//\"} ${key_path//\"} ${cert_path}
> > > ${modulename}.${KV_OBJ}
> > > +               fi
> > > +
> > >                 # check here for
> > > CONFIG_MODULE_COMPRESS_<compression
> > > option> (NONE, GZIP, XZ, ZSTD) 
> > >                 # and similarily compress the module being built if
> > > != NONE.
> > >  
> > 
> > 
> > Hi,
> > 
> > I've spent some time in the past ( circa 2018 ) to get this in, but 
> > gave up due to various reasons, I was not a gentoo dev yet at the
> > time.
> > 
> > I can't see how posted implementation will work tbh.
> > portage will strip signature out of the module, unless you prevent
> > stripping completely or package uses EAPI>=7, and omits stripping
> > modules via dostrip -x on the ko object.
> > kernel will NOT load module with stripped signature.
> > 
> > so either you have to sign in pkg_postinst phase, or prevent
> > stripping.
> > signing in postinst is not ideal, because it breaks recorded file
> > checksums in vdb.
> > 
> > here's old fork of eclass I made, maybe you can find some helpful
> > code
> > in there
> > 
> > https://github.com/gyakovlev/linux-mod.eclass/blob/master/linux-mod.eclass
> > 
> > old ML discussion we had:
> > https://archives.gentoo.org/gentoo-dev/message/4b15b1c851f379a1f802e2f2895cdfa8
> > 
> > You will also need a dependency on openssl, since sign-file uses it.
> > 
> > lmk if you need more info, I might remember more details, but for now
> > that's all I have. I'll try to help get it done, but my availability
> > is
> > spotty due to limited time.
> 
> after reading my old code again and thinking more I think I know what's
> going on.
>  1. I've actually solved checksum/strip problem by signing in pkg-
> preinst
>  2. my method will likely fail with compressed modules.
>  3. your method likely works only if modules are compressed - because
> portage does not strip those I think.
> 

This is exactly what I was thinking. I'm pretty sure I wasn't seeing the
problematic signature stripping behavior because I have module
compression enabled.

Also good point about the OpenSSL dependency. That's something I didn't
consider.

> so looks like we need to combine both methods and do the following:
>  - if signing requested without compression - sign in pkg_preinst.
>  - if signing requested with compression - sign in src_install
> 

Why can't we do both in pkg_preinst? I am thinking it would be best if
we drop the current compression implementation and rework your old code
to handle both compression and signing since the signing code is more or
less already complete.

> Do I make sense? I still haven't tested it, just guessing as I read my
> old bash code.
> 



* Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing
  2022-06-26 10:52 ` Georgy Yakovlev
@ 2022-06-26 11:15   ` Georgy Yakovlev
  2022-06-27 18:35     ` Kenton Groombridge
  0 siblings, 1 reply; 25+ messages in thread
From: Georgy Yakovlev @ 2022-06-26 11:15 UTC (permalink / raw)
  To: gentoo-dev

On Sun, 2022-06-26 at 03:52 -0700, Georgy Yakovlev wrote:
> On Tue, 2022-06-21 at 14:19 -0400, Kenton Groombridge wrote:
> > eee74b9fca1 adds support for module compression, but this breaks
> > loading
> > out of tree modules when module signing is enforced because modules
> > must
> > be signed before they are compressed. Additionally, the recommended
> > Portage hook[1] no longer works with this change.
> > 
> > Add module signing support in linux-mod.eclass which more or less
> > does
> > exactly what the aforementioned Portage hook does. If the kernel
> > configuration has CONFIG_MODULE_SIG_ALL=y, then read the hash and
> > keys
> > from the kernel configuration and call the sign_file tool to sign
> > the
> > module before it is compressed.
> > 
> > Bug: https://bugs.gentoo.org/show_bug.cgi?id=447352
> > Signed-off-by: Kenton Groombridge <concord@gentoo.org>
> > ---
> >  eclass/linux-mod.eclass | 16 ++++++++++++++++
> >  1 file changed, 16 insertions(+)
> > 
> > diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass
> > index b7c13cbf7e7..fd40f6d7c6c 100644
> > --- a/eclass/linux-mod.eclass
> > +++ b/eclass/linux-mod.eclass
> > @@ -712,6 +712,22 @@ linux-mod_src_install() {
> >                 cd "${objdir}" || die "${objdir} does not exist"
> >                 insinto
> > "${INSTALL_MOD_PATH}"/lib/modules/${KV_FULL}/${libdir}
> >  
> > +               # check here for CONFIG_MODULE_SIG_ALL and sign the
> > module being built if enabled.
> > +               # modules must be signed before they are
> > compressed.
> > +
> > +               if linux_chkconfig_present MODULE_SIG_ALL; then
> > +                       local
> > module_sig_hash="$(linux_chkconfig_string MODULE_SIG_HASH)"
> > +                       local
> > module_sig_key="$(linux_chkconfig_string MODULE_SIG_KEY)"
> > +                       module_sig_key="${module_sig_key:-
> > certs/signing_key.pem}"
> > +                       if [[ "${module_sig_key#pkcs11:}" ==
> > "${module_sig_key}" && "${module_sig_key#/}" == "${module_sig_key}"
> > ]]; then
> > +                               local
> > key_path="${KERNEL_DIR}/${module_sig_key}"
> > +                       else
> > +                               local key_path="${module_sig_key}"
> > +                       fi
> > +                       local
> > cert_path="${KERNEL_DIR}/certs/signing_key.x509"
> > +                       "${KERNEL_DIR}"/scripts/sign-file
> > ${module_sig_hash//\"} ${key_path//\"} ${cert_path}
> > ${modulename}.${KV_OBJ}
> > +               fi
> > +
> >                 # check here for
> > CONFIG_MODULE_COMPRESS_<compression
> > option> (NONE, GZIP, XZ, ZSTD) 
> >                 # and similarily compress the module being built if
> > != NONE.
> >  
> 
> 
> Hi,
> 
> I've spent some time in the past ( circa 2018 ) to get this in, but 
> gave up due to various reasons, I was not a gentoo dev yet at the
> time.
> 
> I can't see how posted implementation will work tbh.
> portage will strip signature out of the module, unless you prevent
> stripping completely or package uses EAPI>=7, and omits stripping
> modules via dostrip -x on the ko object.
> kernel will NOT load module with stripped signature.
> 
> so either you have to sign in pkg_postinst phase, or prevent
> stripping.
> signing in postinst is not ideal, because it breaks recorded file
> checksums in vdb.
> 
> here's old fork of eclass I made, maybe you can find some helpful
> code
> in there
> 
> https://github.com/gyakovlev/linux-mod.eclass/blob/master/linux-mod.eclass
> 
> old ML discussion we had:
> https://archives.gentoo.org/gentoo-dev/message/4b15b1c851f379a1f802e2f2895cdfa8
> 
> You will also need a dependency on openssl, since sign-file uses it.
> 
> lmk if you need more info, I might remember more details, but for now
> that's all I have. I'll try to help get it done, but my availability
> is
> spotty due to limited time.

after reading my old code again and thinking more I think I know what's
going on.
 1. I've actually solved the checksum/strip problem by signing in
pkg_preinst.
 2. My method will likely fail with compressed modules.
 3. Your method likely works only if modules are compressed, because
Portage does not strip those, I think.

so looks like we need to combine both methods and do the following:
 - if signing requested without compression - sign in pkg_preinst.
 - if signing requested with compression - sign in src_install

Do I make sense? I still haven't tested it, just guessing as I read my
old bash code.



* Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing
  2022-06-21 18:19 [gentoo-dev] " Kenton Groombridge
  2022-06-21 18:21 ` Kenton Groombridge
@ 2022-06-26 10:52 ` Georgy Yakovlev
  2022-06-26 11:15   ` Georgy Yakovlev
  1 sibling, 1 reply; 25+ messages in thread
From: Georgy Yakovlev @ 2022-06-26 10:52 UTC (permalink / raw)
  To: gentoo-dev

On Tue, 2022-06-21 at 14:19 -0400, Kenton Groombridge wrote:
> eee74b9fca1 adds support for module compression, but this breaks
> loading
> out of tree modules when module signing is enforced because modules
> must
> be signed before they are compressed. Additionally, the recommended
> Portage hook[1] no longer works with this change.
> 
> Add module signing support in linux-mod.eclass which more or less
> does
> exactly what the aforementioned Portage hook does. If the kernel
> configuration has CONFIG_MODULE_SIG_ALL=y, then read the hash and
> keys
> from the kernel configuration and call the sign_file tool to sign the
> module before it is compressed.
> 
> Bug: https://bugs.gentoo.org/show_bug.cgi?id=447352
> Signed-off-by: Kenton Groombridge <concord@gentoo.org>
> ---
>  eclass/linux-mod.eclass | 16 ++++++++++++++++
>  1 file changed, 16 insertions(+)
> 
> diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass
> index b7c13cbf7e7..fd40f6d7c6c 100644
> --- a/eclass/linux-mod.eclass
> +++ b/eclass/linux-mod.eclass
> @@ -712,6 +712,22 @@ linux-mod_src_install() {
>                 cd "${objdir}" || die "${objdir} does not exist"
>                 insinto
> "${INSTALL_MOD_PATH}"/lib/modules/${KV_FULL}/${libdir}
>  
> +               # check here for CONFIG_MODULE_SIG_ALL and sign the
> module being built if enabled.
> +               # modules must be signed before they are compressed.
> +
> +               if linux_chkconfig_present MODULE_SIG_ALL; then
> +                       local
> module_sig_hash="$(linux_chkconfig_string MODULE_SIG_HASH)"
> +                       local
> module_sig_key="$(linux_chkconfig_string MODULE_SIG_KEY)"
> +                       module_sig_key="${module_sig_key:-
> certs/signing_key.pem}"
> +                       if [[ "${module_sig_key#pkcs11:}" ==
> "${module_sig_key}" && "${module_sig_key#/}" == "${module_sig_key}"
> ]]; then
> +                               local
> key_path="${KERNEL_DIR}/${module_sig_key}"
> +                       else
> +                               local key_path="${module_sig_key}"
> +                       fi
> +                       local
> cert_path="${KERNEL_DIR}/certs/signing_key.x509"
> +                       "${KERNEL_DIR}"/scripts/sign-file
> ${module_sig_hash//\"} ${key_path//\"} ${cert_path}
> ${modulename}.${KV_OBJ}
> +               fi
> +
>                 # check here for CONFIG_MODULE_COMPRESS_<compression
> option> (NONE, GZIP, XZ, ZSTD) 
>                 # and similarily compress the module being built if
> != NONE.
>  


Hi,

I've spent some time in the past ( circa 2018 ) to get this in, but 
gave up due to various reasons, I was not a gentoo dev yet at the time.

I can't see how the posted implementation will work, tbh.
Portage will strip the signature out of the module, unless you prevent
stripping completely or the package uses EAPI>=7 and omits stripping
modules via dostrip -x on the .ko object.
The kernel will NOT load a module with a stripped signature.

So either you have to sign in the pkg_postinst phase, or prevent stripping.
Signing in postinst is not ideal, because it breaks the recorded file
checksums in the vdb.

Here's an old fork of the eclass I made; maybe you can find some helpful
code in there:

https://github.com/gyakovlev/linux-mod.eclass/blob/master/linux-mod.eclass

old ML discussion we had:
https://archives.gentoo.org/gentoo-dev/message/4b15b1c851f379a1f802e2f2895cdfa8

You will also need a dependency on openssl, since sign-file uses it.

lmk if you need more info, I might remember more details, but for now
that's all I have. I'll try to help get it done, but my availability is
spotty due to limited time.


* Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing
  2022-06-23 12:51   ` Mike Pagano
@ 2022-06-23 14:30     ` Kenton Groombridge
  0 siblings, 0 replies; 25+ messages in thread
From: Kenton Groombridge @ 2022-06-23 14:30 UTC (permalink / raw)
  To: gentoo-dev


On 22/06/23 08:51AM, Mike Pagano wrote:
> On 6/21/22 14:21, Kenton Groombridge wrote:
> > On 22/06/21 02:19PM, Kenton Groombridge wrote:
> > > eee74b9fca1 adds support for module compression, but this breaks loading
> > > out of tree modules when module signing is enforced because modules must
> > > be signed before they are compressed. Additionally, the recommended
> > > Portage hook[1] no longer works with this change.
> > > 
> > 
> > Forgot to include this reference:
> > 
> > [1] https://wiki.gentoo.org/wiki/Signed_kernel_module_support#Automatically_signing_kernel_modules_.28Portage.29
> > 
> > > Add module signing support in linux-mod.eclass which more or less does
> > > exactly what the aforementioned Portage hook does. If the kernel
> > > configuration has CONFIG_MODULE_SIG_ALL=y, then read the hash and keys
> > > from the kernel configuration and call the sign_file tool to sign the
> > > module before it is compressed.
> > > 
> > > Bug: https://bugs.gentoo.org/show_bug.cgi?id=447352
> > > Signed-off-by: Kenton Groombridge <concord@gentoo.org>
> > > ---
> > >   eclass/linux-mod.eclass | 16 ++++++++++++++++
> > >   1 file changed, 16 insertions(+)
> > > 
> > > diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass
> > > index b7c13cbf7e7..fd40f6d7c6c 100644
> > > --- a/eclass/linux-mod.eclass
> > > +++ b/eclass/linux-mod.eclass
> > > @@ -712,6 +712,22 @@ linux-mod_src_install() {
> > >   		cd "${objdir}" || die "${objdir} does not exist"
> > >   		insinto "${INSTALL_MOD_PATH}"/lib/modules/${KV_FULL}/${libdir}
> > > +		# check here for CONFIG_MODULE_SIG_ALL and sign the module being built if enabled.
> > > +		# modules must be signed before they are compressed.
> > > +
> > > +		if linux_chkconfig_present MODULE_SIG_ALL; then
> > > +			local module_sig_hash="$(linux_chkconfig_string MODULE_SIG_HASH)"
> > > +			local module_sig_key="$(linux_chkconfig_string MODULE_SIG_KEY)"
> > > +			module_sig_key="${module_sig_key:-certs/signing_key.pem}"
> > > +			if [[ "${module_sig_key#pkcs11:}" == "${module_sig_key}" && "${module_sig_key#/}" == "${module_sig_key}" ]]; then
> > > +				local key_path="${KERNEL_DIR}/${module_sig_key}"
> > > +			else
> > > +				local key_path="${module_sig_key}"
> > > +			fi
> > > +			local cert_path="${KERNEL_DIR}/certs/signing_key.x509"
> > > +			"${KERNEL_DIR}"/scripts/sign-file ${module_sig_hash//\"} ${key_path//\"} ${cert_path} ${modulename}.${KV_OBJ}
> > > +		fi
> > > +
> > >   		# check here for CONFIG_MODULE_COMPRESS_<compression option> (NONE, GZIP, XZ, ZSTD)
> > >   		# and similarily compress the module being built if != NONE.
> > > -- 
> > > 2.35.1
> > > 
> > > 
> 
> 
> First of all, thank-you for your work !
> I appreciate any assistance with enhancement or clean-up of these eclasses.
> 
> I tested your patch, are you signing the files in 'work' after they are installed in 'image' ?
> 
> 
> /usr/src/linux/scripts/extract-module-sig.pl -s ./work/kernel/nvidia.ko > /tmp/sig
> Read 47802433 bytes from module file
> Found magic number at 47802433
> Found PKCS#7/CMS encapsulation
> Found 681 bytes of signature [308202a506092a864886f70d010702a0]
> 
> /usr/src/linux/scripts/extract-module-sig.pl -s ./image/lib/modules/5.18.6-gentoo/video/nvidia.ko > /tmp/sig
> Read 47227784 bytes from module file
> Magic number not found at 47227784
> 

Thanks for testing!

That's odd. In my environment they are signed in 'work' before
installing to 'image' as they should be.

# unzstd /lib/modules/5.15.48-gentoo/misc/p_lkrg.ko.zst
/lib/modules/5.15.48-gentoo/misc/p_lkrg.ko.zst: 436681 bytes
# /usr/src/linux/scripts/extract-module-sig.pl -s /lib/modules/5.15.48-gentoo/misc/p_lkrg.ko >sig
Read 436681 bytes from module file
Found magic number at 436681
Found PKCS#7/CMS encapsulation
Found 681 bytes of signature [308202a506092a864886f70d010702a0]

The installation of modules in linux-mod_src_install happens after
signing and compression, so unless I am missing something that shouldn't
be happening.



* Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing
  2022-06-21 18:21 ` Kenton Groombridge
@ 2022-06-23 12:51   ` Mike Pagano
  2022-06-23 14:30     ` Kenton Groombridge
  0 siblings, 1 reply; 25+ messages in thread
From: Mike Pagano @ 2022-06-23 12:51 UTC (permalink / raw)
  To: gentoo-dev

On 6/21/22 14:21, Kenton Groombridge wrote:
> On 22/06/21 02:19PM, Kenton Groombridge wrote:
>> eee74b9fca1 adds support for module compression, but this breaks loading
>> out of tree modules when module signing is enforced because modules must
>> be signed before they are compressed. Additionally, the recommended
>> Portage hook[1] no longer works with this change.
>>
> 
> Forgot to include this reference:
> 
> [1] https://wiki.gentoo.org/wiki/Signed_kernel_module_support#Automatically_signing_kernel_modules_.28Portage.29
> 
>> Add module signing support in linux-mod.eclass which more or less does
>> exactly what the aforementioned Portage hook does. If the kernel
>> configuration has CONFIG_MODULE_SIG_ALL=y, then read the hash and keys
>> from the kernel configuration and call the sign_file tool to sign the
>> module before it is compressed.
>>
>> Bug: https://bugs.gentoo.org/show_bug.cgi?id=447352
>> Signed-off-by: Kenton Groombridge <concord@gentoo.org>
>> ---
>>   eclass/linux-mod.eclass | 16 ++++++++++++++++
>>   1 file changed, 16 insertions(+)
>>
>> diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass
>> index b7c13cbf7e7..fd40f6d7c6c 100644
>> --- a/eclass/linux-mod.eclass
>> +++ b/eclass/linux-mod.eclass
>> @@ -712,6 +712,22 @@ linux-mod_src_install() {
>>   		cd "${objdir}" || die "${objdir} does not exist"
>>   		insinto "${INSTALL_MOD_PATH}"/lib/modules/${KV_FULL}/${libdir}
>>   
>> +		# check here for CONFIG_MODULE_SIG_ALL and sign the module being built if enabled.
>> +		# modules must be signed before they are compressed.
>> +
>> +		if linux_chkconfig_present MODULE_SIG_ALL; then
>> +			local module_sig_hash="$(linux_chkconfig_string MODULE_SIG_HASH)"
>> +			local module_sig_key="$(linux_chkconfig_string MODULE_SIG_KEY)"
>> +			module_sig_key="${module_sig_key:-certs/signing_key.pem}"
>> +			if [[ "${module_sig_key#pkcs11:}" == "${module_sig_key}" && "${module_sig_key#/}" == "${module_sig_key}" ]]; then
>> +				local key_path="${KERNEL_DIR}/${module_sig_key}"
>> +			else
>> +				local key_path="${module_sig_key}"
>> +			fi
>> +			local cert_path="${KERNEL_DIR}/certs/signing_key.x509"
>> +			"${KERNEL_DIR}"/scripts/sign-file ${module_sig_hash//\"} ${key_path//\"} ${cert_path} ${modulename}.${KV_OBJ}
>> +		fi
>> +
>>   		# check here for CONFIG_MODULE_COMPRESS_<compression option> (NONE, GZIP, XZ, ZSTD)
>>   		# and similarily compress the module being built if != NONE.
>>   
>> -- 
>> 2.35.1
>>
>>


First of all, thank you for your work!
I appreciate any assistance with enhancement or clean-up of these eclasses.

I tested your patch; are you signing the files in 'work' after they are installed in 'image'?


/usr/src/linux/scripts/extract-module-sig.pl -s ./work/kernel/nvidia.ko > /tmp/sig
Read 47802433 bytes from module file
Found magic number at 47802433
Found PKCS#7/CMS encapsulation
Found 681 bytes of signature [308202a506092a864886f70d010702a0]

/usr/src/linux/scripts/extract-module-sig.pl -s ./image/lib/modules/5.18.6-gentoo/video/nvidia.ko > /tmp/sig
Read 47227784 bytes from module file
Magic number not found at 47227784



Mike




-- 
Mike Pagano
Gentoo Developer - Kernel Project
Gentoo Sources - Lead
E-Mail     : mpagano@gentoo.org
GnuPG FP   : 52CC A0B0 F631 0B17 0142 F83F 92A6 DBEC 81F2 B137
Public Key : http://http://pgp.mit.edu/pks/lookup?search=0x92A6DBEC81F2B137&op=index



* Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing
  2022-06-21 18:19 [gentoo-dev] " Kenton Groombridge
@ 2022-06-21 18:21 ` Kenton Groombridge
  2022-06-23 12:51   ` Mike Pagano
  2022-06-26 10:52 ` Georgy Yakovlev
  1 sibling, 1 reply; 25+ messages in thread
From: Kenton Groombridge @ 2022-06-21 18:21 UTC (permalink / raw)
  To: gentoo-dev


On 22/06/21 02:19PM, Kenton Groombridge wrote:
> eee74b9fca1 adds support for module compression, but this breaks loading
> out of tree modules when module signing is enforced because modules must
> be signed before they are compressed. Additionally, the recommended
> Portage hook[1] no longer works with this change.
> 

Forgot to include this reference:

[1] https://wiki.gentoo.org/wiki/Signed_kernel_module_support#Automatically_signing_kernel_modules_.28Portage.29

> Add module signing support in linux-mod.eclass which more or less does
> exactly what the aforementioned Portage hook does. If the kernel
> configuration has CONFIG_MODULE_SIG_ALL=y, then read the hash and keys
> from the kernel configuration and call the sign_file tool to sign the
> module before it is compressed.
> 
> Bug: https://bugs.gentoo.org/show_bug.cgi?id=447352
> Signed-off-by: Kenton Groombridge <concord@gentoo.org>
> ---
>  eclass/linux-mod.eclass | 16 ++++++++++++++++
>  1 file changed, 16 insertions(+)
> 
> diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass
> index b7c13cbf7e7..fd40f6d7c6c 100644
> --- a/eclass/linux-mod.eclass
> +++ b/eclass/linux-mod.eclass
> @@ -712,6 +712,22 @@ linux-mod_src_install() {
>  		cd "${objdir}" || die "${objdir} does not exist"
>  		insinto "${INSTALL_MOD_PATH}"/lib/modules/${KV_FULL}/${libdir}
>  
> +		# check here for CONFIG_MODULE_SIG_ALL and sign the module being built if enabled.
> +		# modules must be signed before they are compressed.
> +
> +		if linux_chkconfig_present MODULE_SIG_ALL; then
> +			local module_sig_hash="$(linux_chkconfig_string MODULE_SIG_HASH)"
> +			local module_sig_key="$(linux_chkconfig_string MODULE_SIG_KEY)"
> +			module_sig_key="${module_sig_key:-certs/signing_key.pem}"
> +			if [[ "${module_sig_key#pkcs11:}" == "${module_sig_key}" && "${module_sig_key#/}" == "${module_sig_key}" ]]; then
> +				local key_path="${KERNEL_DIR}/${module_sig_key}"
> +			else
> +				local key_path="${module_sig_key}"
> +			fi
> +			local cert_path="${KERNEL_DIR}/certs/signing_key.x509"
> +			"${KERNEL_DIR}"/scripts/sign-file ${module_sig_hash//\"} ${key_path//\"} ${cert_path} ${modulename}.${KV_OBJ}
> +		fi
> +
>  		# check here for CONFIG_MODULE_COMPRESS_<compression option> (NONE, GZIP, XZ, ZSTD) 
>  		# and similarily compress the module being built if != NONE.
>  
> -- 
> 2.35.1
> 
> 



* [gentoo-dev] [PATCH] linux-mod.eclass: support module signing
@ 2022-06-21 18:19 Kenton Groombridge
  2022-06-21 18:21 ` Kenton Groombridge
  2022-06-26 10:52 ` Georgy Yakovlev
  0 siblings, 2 replies; 25+ messages in thread
From: Kenton Groombridge @ 2022-06-21 18:19 UTC (permalink / raw)
  To: gentoo-dev

eee74b9fca1 adds support for module compression, but this breaks loading
out of tree modules when module signing is enforced because modules must
be signed before they are compressed. Additionally, the recommended
Portage hook[1] no longer works with this change.

Add module signing support in linux-mod.eclass which more or less does
exactly what the aforementioned Portage hook does. If the kernel
configuration has CONFIG_MODULE_SIG_ALL=y, then read the hash and keys
from the kernel configuration and call the sign-file tool to sign the
module before it is compressed.

Bug: https://bugs.gentoo.org/show_bug.cgi?id=447352
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
---
 eclass/linux-mod.eclass | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass
index b7c13cbf7e7..fd40f6d7c6c 100644
--- a/eclass/linux-mod.eclass
+++ b/eclass/linux-mod.eclass
@@ -712,6 +712,22 @@ linux-mod_src_install() {
 		cd "${objdir}" || die "${objdir} does not exist"
 		insinto "${INSTALL_MOD_PATH}"/lib/modules/${KV_FULL}/${libdir}
 
+		# check here for CONFIG_MODULE_SIG_ALL and sign the module being built if enabled.
+		# modules must be signed before they are compressed.
+
+		if linux_chkconfig_present MODULE_SIG_ALL; then
+			local module_sig_hash="$(linux_chkconfig_string MODULE_SIG_HASH)"
+			local module_sig_key="$(linux_chkconfig_string MODULE_SIG_KEY)"
+			module_sig_key="${module_sig_key:-certs/signing_key.pem}"
+			if [[ "${module_sig_key#pkcs11:}" == "${module_sig_key}" && "${module_sig_key#/}" == "${module_sig_key}" ]]; then
+				local key_path="${KERNEL_DIR}/${module_sig_key}"
+			else
+				local key_path="${module_sig_key}"
+			fi
+			local cert_path="${KERNEL_DIR}/certs/signing_key.x509"
+			"${KERNEL_DIR}"/scripts/sign-file ${module_sig_hash//\"} ${key_path//\"} ${cert_path} ${modulename}.${KV_OBJ}
+		fi
+
 		# check here for CONFIG_MODULE_COMPRESS_<compression option> (NONE, GZIP, XZ, ZSTD) 
 		# and similarily compress the module being built if != NONE.
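Review bot: The sign-file invocation added at the end of the new block has no error check, so a failed signing (missing key, wrong hash name, script absent) is silent and the unsigned module is still installed and compressed; in an eclass with no `set -e` this needs an explicit `|| die`. The same line also leaves every argument unquoted, which word-splits a key path or KERNEL_DIR containing spaces. I would change it to `"${KERNEL_DIR}"/scripts/sign-file "${module_sig_hash//\"}" "${key_path//\"}" "${cert_path}" "${modulename}.${KV_OBJ}" || die "Failed to sign module ${modulename}.${KV_OBJ}"`. linux-mod_src_install begins before this hunk and its body continues after it.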
 
-- 
2.35.1



