From: NP-Hardass
To: gentoo-dev@lists.gentoo.org, Georgy Yakovlev
Cc: gentoo-kernel@lists.gentoo.org
Subject: Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing
Date: Sun, 15 Apr 2018 14:13:34 -0400
Message-ID: <8f928672-d829-2252-6dd9-fec2b7db1947@gentoo.org>
In-Reply-To: <1523741109.12403.28.camel@sysdump.net>
References: <1523741109.12403.28.camel@sysdump.net>
On 04/14/2018 05:25 PM, Georgy Yakovlev wrote:
> Hi,
> 
> There is an old bug[1] to support
> linux kernel module signing at install.
> 
> And here is my first attempt to modify an eclass.
> Need proper input on it and a kick in the right direction.
> 
> Add 3 variables, settable by users if they keep keys somewhere safe.
> Otherwise it just works with the auto-generated keys
> if CONFIG_MODULE_SIG=y and vars are unset.
> 
> The eclass will die if the kernel requires a signed module,
> but signing is not requested.
> 
> 
> Known problems:
> 
> Packages that do not use linux-mod_src_install() will not sign
> the modules,
> but those packages will still inherit the module-sign useflag.
> It's misleading and I'm not sure how to fix that.
> Examples: sys-kernel/spl, sys-fs/zfs-kmod
> 
> May need additional handling of the KBUILD_SIGN_PIN variable[2],
> which can be set to hold the passphrase to the key. But it may end up
> in vdb environment files, not sure how to handle that or if it's worth it.
> 
> Not EAPI 7 ready because of STRIP_MASK usage.
> Will need to cover this case as well, probably later.
> 
> Older (<4.3.3) kernels use perl to sign modules, not sure if it's worth
> supporting old kernels, there is no gentoo-sources in the tree old
> enough, except masked 4.1
> There are old vanilla-sources that will be affected by this.
> 
> 
> [1] https://bugs.gentoo.org/447352
> [2] https://www.kernel.org/doc/html/v4.16/admin-guide/module-signing.html
> 
> diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass > index bf580cf4cfa9..211b0496f528 100644 > --- a/eclass/linux-mod.eclass > +++ b/eclass/linux-mod.eclass > @@ -14,7 +14,7 @@ > # required to install external modules against a kernel source > # tree. > =20 > -# A Couple of env vars are available to effect usage of this eclass > +# Several env vars are available to effect usage of this eclass > # These are as follows: > =20 > # @ECLASS-VARIABLE: MODULES_OPTIONAL_USE > @@ -132,6 +132,31 @@ > # @DESCRIPTION: > # It's a read-only variable. It contains the extension of the kernel m= odules. > =20 > +# @ECLASS-VARIABLE: KERNEL_MODULE_SIG_HASH > +# @DEFAULT_UNSET > +# @DESCRIPTION: > +# A string to control signing algorithm > +# Possible values: sha1:sha224:sha256:sha384:sha512 > +# Defaults to value extracted from .config > +# Can be set by user in make.conf, as it can differ from kernel's. > +# In case of overriding this it's users responsibility to make sure > +# that kernel supports desired hash algo > + > +# @ECLASS-VARIABLE: KERNEL_MODULE_SIG_PEM > +# @DEFAULT_UNSET > +# @DESCRIPTION: > +# A string, containing path to the private key filename or PKCS#11 URI= > +# Defaults to ${KV_DIR}/certs/signing_key.pem} if unset. > +# Can be set by user in make.conf > + > +# @ECLASS-VARIABLE: KERNEL_MODULE_SIG_X509 > +# @DEFAULT_UNSET > +# @DESCRIPTION: > +# A string, containing path to the public key filename > +# Defaults to ${KV_DIR}/certs/signing_key.x509} if unset. > +# Can be set by user in make.conf > + > + > inherit eutils linux-info multilib > EXPORT_FUNCTIONS pkg_setup pkg_preinst pkg_postinst src_install src_co= mpile pkg_postrm > =20 These KV_DIRs should be KV_OUT_DIRs, as they are objects only available after building the kernel and thus if KV_OUT_DIR !=3D KV_DIR, this will f= ail. Additionally, sig_pem and sig_x509 should be derived from MODULE_SIG_KEY by default. 
> @@ -144,12 +169,13 @@ esac > 0) die "EAPI=3D${EAPI} is not supported with MODULES_OPTIONAL_USE_IUS= E_DEFAULT due to lack of IUSE defaults" ;; > esac > =20 > -IUSE=3D"kernel_linux ${MODULES_OPTIONAL_USE:+${_modules_optional_use_i= use_default}}${MODULES_OPTIONAL_USE}" > +IUSE=3D"module-sign kernel_linux ${MODULES_OPTIONAL_USE:+${_modules_op= tional_use_iuse_default}}${MODULES_OPTIONAL_USE}" > SLOT=3D"0" > RDEPEND=3D"${MODULES_OPTIONAL_USE}${MODULES_OPTIONAL_USE:+? (} kernel_= linux? ( virtual/modutils ) ${MODULES_OPTIONAL_USE:+)}" > DEPEND=3D"${RDEPEND} > ${MODULES_OPTIONAL_USE}${MODULES_OPTIONAL_USE:+? (} > sys-apps/sed > + module-sign? ( || ( dev-libs/openssl dev-libs/libressl ) ) > kernel_linux? ( virtual/linux-sources ) > ${MODULES_OPTIONAL_USE:+)}" > =20 > @@ -196,6 +222,25 @@ check_vermagic() { > fi > } > =20 > +# @FUNCTION: check_sig_force > +# @INTERNAL > +# @DESCRIPTION: > +# Check if kernel requires module signing and die > +# if module is not going to be signed. > +check_sig_force() { > + debug-print-function ${FUNCNAME} $* > + > + if linux_chkconfig_present MODULE_SIG_FORCE; then > + if use !module-sign; then > + ewarn "" > + ewarn "Kernel requires all modules to be signed and verified" > + ewarn "please enable USE=3D\"module-sign\"" > + ewarn "otherwise loading the module will fail" > + die "signature required" > + fi > + fi > +} > + > # @FUNCTION: use_m > # @RETURN: true or false > # @DESCRIPTION: The documentation for linux_chkconfig_present states "If linux_config_exists returns false, the results of this are UNDEFINED. You MUST call linux_config_exists first." 
> @@ -352,6 +397,28 @@ get-KERNEL_CC() { > echo "${kernel_cc}" > } > =20 > +# @FUNCTION: sign_module > +# @DESCRIPTION: > +# Sign a kernel module if enabled and supported, or just silently igno= re the request and do nothing. > +# @USAGE: > +sign_module() { > + debug-print-function ${FUNCNAME} $* > + > + if use module-sign; then > + local sig_hash sig_pem sig_x509 modulename > + sig_hash=3D$(linux_chkconfig_string MODULE_SIG_HASH) > + sig_pem=3D"${KV_DIR}/certs/signing_key.pem" > + sig_x509=3D"${KV_DIR}/certs/signing_key.x509" > + modulename=3D$(basename "${1}") > + > + einfo "Signing ${modulename}" > + "${KV_DIR}"/scripts/sign-file \ > + "${KERNEL_MODULE_SIG_HASH:-${sig_hash//\"/}}" \ > + "${KERNEL_MODULE_SIG_PEM:-${sig_pem}}" \ > + "${KERNEL_MODULE_SIG_X509:-${sig_x509}}" \ > + "${1}" || die "Signing ${modulename} failed" > + fi > +} > # internal function > # > # FUNCTION: These KV_DIRs should be KV_OUT_DIRs, as they are objects only available after building the kernel and thus if KV_OUT_DIR !=3D KV_DIR, this will f= ail. The documentation for linux_chkconfig_string states "If linux_config_exists returns false, the results of this are UNDEFINED. You MUST call linux_config_exists first." Additionally, sig_pem and sig_x509 should be derived from MODULE_SIG_KEY.= > @@ -583,12 +650,17 @@ linux-mod_pkg_setup() { > # External modules use kernel symbols (bug #591832) > CONFIG_CHECK+=3D" !TRIM_UNUSED_KSYMS" > =20 > + # if signature is requested, check if kernel actually supports it > + use module-sign && CONFIG_CHECK+=3D" MODULE_SIG" > + > linux-info_pkg_setup; > require_configured_kernel > check_kernel_built; > strip_modulenames; > [[ -n ${MODULE_NAMES} ]] && check_modules_supported > set_kvobj; > + use module-sign && export STRIP_MASK=3D"*.${KV_OBJ}"; > + check_sig_force; > # Commented out with permission from johnm until a fixed version for = arches > # who intentionally use different kernel and userland compilers can b= e > # introduced - Jason Wever , 23 Oct 2005 
> @@ -716,8 +788,9 @@ linux-mod_src_install() { > =20 > einfo "Installing ${modulename} module" > cd "${objdir}" || die "${objdir} does not exist" > - insinto /lib/modules/${KV_FULL}/${libdir} > - doins ${modulename}.${KV_OBJ} || die "doins ${modulename}.${KV_OBJ} = failed" > + sign_module "${modulename}.${KV_OBJ}" > + insinto /lib/modules/"${KV_FULL}/${libdir}" > + doins "${modulename}.${KV_OBJ}" || die "doins ${modulename}.${KV_OBJ= } failed" > cd "${OLDPWD}" > =20 > generate_modulesd "${objdir}/${modulename}" >=20
You can work around the STRIP_MASK issue by performing the steps in pkg_postinst after the stripped modules have been installed. You could probably save a list of installed modules a la gnome2_gconf_savelist and then pull that up in postinst and sign the desired modules there.
-- 
NP-Hardass
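Review bot: in the first hunk (@@ -14,7 +14,7 @@), the reworded comment `+# Several env vars are available to effect usage of this eclass` keeps the original's "effect usage" where "affect usage" is meant; since the line is being rewritten anyway, fix the word in the same change.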
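Review bot: in the eclass-variable documentation hunk (@@ -132,6 +132,31 @@), the documented defaults `${KV_DIR}/certs/signing_key.pem}` and `${KV_DIR}/certs/signing_key.x509}` each carry a stray trailing `}`, and the KERNEL_MODULE_SIG_HASH description "Defaults to value extracted from .config" should name the symbol it reads (CONFIG_MODULE_SIG_HASH, which is what sign_module queries) so a user overriding it knows which kernel option the override must agree with. As already noted in this thread, the certs/ directory is a build product, so the documented defaults should refer to KV_OUT_DIR rather than KV_DIR.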
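Review bot: in the IUSE/DEPEND hunk (@@ -144,12 +169,13 @@), the new `module-sign? ( || ( dev-libs/openssl dev-libs/libressl ) )` entry in DEPEND does not express what sign_module actually needs: `scripts/sign-file` is a compiled helper produced during the kernel build, so the real precondition is that the configured kernel tree already contains a built, executable sign-file, which nothing in the patch checks. A fail-fast check in pkg_setup, e.g. `use module-sign && { [[ -x ${KV_OUT_DIR}/scripts/sign-file ]] || die "kernel tree has no built scripts/sign-file"; }`, would give a clearer error than the generic "Signing ... failed" from sign_module. Also, because `module-sign` is added to IUSE for every consumer, packages with their own src_install (the cover letter names sys-kernel/spl and sys-fs/zfs-kmod) advertise a flag that does nothing; the sign_module documentation should say that such ebuilds are expected to call it from their own install phase.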
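Review bot: in the check_sig_force hunk (@@ -196,6 +222,25 @@), `linux_chkconfig_present MODULE_SIG_FORCE` is called without the `linux_config_exists` check that linux-info documents as mandatory (the thread raises this too); since the function is @INTERNAL and only meaningful once require_configured_kernel has run, either call `linux_config_exists || return 0` at the top or document that precondition above the function. The diagnostic level is also off: four `ewarn` lines followed by `die` describe a fatal condition, so use `eerror`, or fold the message into the die text, e.g. `die "Kernel has MODULE_SIG_FORCE set; enable USE=module-sign or loading the module will fail"`.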
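Review bot: in the sign_module hunk (@@ -352,6 +397,28 @@), the function validates none of its inputs: `modulename=$(basename "${1}")` accepts an empty argument, `"${KV_DIR}"/scripts/sign-file` is invoked without checking that it exists and is executable, and a user-supplied KERNEL_MODULE_SIG_HASH is passed straight through although the variable documentation lists exactly five permitted values. Add `[[ -n ${1} && -f ${1} ]] || die "sign_module: module file not given"` and check the hash against sha1/sha224/sha256/sha384/sha512 before running sign-file. Because linux-mod_src_install calls sign_module after `cd "${objdir}"`, a relative KERNEL_MODULE_SIG_PEM or KERNEL_MODULE_SIG_X509 is resolved against the module's build directory, which the variable docs should state (or the eclass should require absolute paths or PKCS#11 URIs). Minor points: the `@USAGE:` tag is empty and should read `<module file>`, and the closing `}` needs a blank line before `# internal function` to match the surrounding layout.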
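Review bot: in the pkg_setup hunk (@@ -583,12 +650,17 @@), `use module-sign && export STRIP_MASK="*.${KV_OBJ}";` overwrites any STRIP_MASK the ebuild has already set instead of extending it; use `STRIP_MASK+=" *.${KV_OBJ}"`. As the cover letter says, STRIP_MASK is not available in EAPI 7, so this line needs an EAPI guard before the eclass can claim EAPI 7 support. It would also be worth checking here, not in src_install, that the key material sign_module will use is present, so that a build with USE=module-sign fails before compilation rather than at install time.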
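Review bot: in the src_install hunk (@@ -716,8 +788,9 @@), the signature is appended to the object in `${objdir}` before `doins`, so the installed copy is still subject to the package manager's strip pass unless STRIP_MASK covers it; signing after installation, as suggested in this reply, avoids depending on STRIP_MASK at all. The re-quoting `insinto /lib/modules/"${KV_FULL}/${libdir}"` leaves the path half quoted; quote the whole argument as `insinto "/lib/modules/${KV_FULL}/${libdir}"`. The `|| die` after `doins` is redundant in EAPI 4 and later, where the helper dies on its own, but dropping it belongs in a separate cleanup.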
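As an added example, not code from the patch or from either poster, the following POSIX shell check shows what a pkg_postinst-style step could run over a saved list of installed modules to confirm that each one still carries the signature trailer that the kernel's scripts/sign-file appends. A module signed in src_install and then stripped loses that trailer, which is the STRIP_MASK problem discussed above. It assumes the trailer ends with the kernel's documented magic string "~Module signature appended~\n"; the sample .ko files it creates are constructed stand-ins, not real ELF modules.

```shell
#!/bin/sh
# Added example (not part of the eclass patch or the thread): verify that
# installed modules still end with the kernel's module-signature trailer.
# Assumption: a signed module ends with the 28-byte magic string
# "~Module signature appended~\n" (kernel admin-guide/module-signing).
# Sample files made by make_samples are constructed text, not real modules.

SIG_MAGIC='~Module signature appended~'

# module_is_signed FILE: succeed if FILE ends with the signature magic.
module_is_signed() {
    [ -f "$1" ] || return 1
    # $(...) drops the trailing newline, so the last 28 bytes of an intact
    # trailer compare equal to the 27-character magic.
    [ "$(tail -c 28 "$1")" = "$SIG_MAGIC" ]
}

# count_unsigned LISTFILE: LISTFILE holds one installed module path per
# line (the saved list a pkg_postinst step would read). Prints how many
# listed modules lack the trailer.
count_unsigned() {
    n=0
    while IFS= read -r mod; do
        [ -n "$mod" ] || continue
        module_is_signed "$mod" || n=$((n + 1))
    done < "$1"
    echo "$n"
}

# check_module_list LISTFILE: report every module; succeed only if all
# of them are signed.
check_module_list() {
    unsigned=0
    while IFS= read -r mod; do
        [ -n "$mod" ] || continue
        if module_is_signed "$mod"; then
            echo "signed:   $mod"
        else
            echo "UNSIGNED: $mod (trailer missing: stripped or never signed)"
            unsigned=1
        fi
    done < "$1"
    return "$unsigned"
}

# make_samples: create a scratch directory holding one "signed" and one
# "stripped" constructed module plus a module list; print the directory.
make_samples() {
    dir=$(mktemp -d)
    printf 'constructed module body\n' > "$dir/signed.ko"
    printf '%s\n' "$SIG_MAGIC" >> "$dir/signed.ko"
    printf 'constructed module body\n' > "$dir/stripped.ko"
    printf '%s\n%s\n' "$dir/signed.ko" "$dir/stripped.ko" > "$dir/modules.list"
    echo "$dir"
}

# Stand-alone demo: reports signed.ko as signed and stripped.ko as unsigned.
demo_dir=$(make_samples)
check_module_list "$demo_dir/modules.list" \
    || echo "unsigned modules: $(count_unsigned "$demo_dir/modules.list")"
rm -rf "$demo_dir"
```

The check looks only at the trailing magic, which is enough to detect a trailer removed by stripping; it does not verify the signature itself, which is the kernel's job at load time (or `modinfo`'s to display).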