[gentoo-dev] [RFC] patch linux-mod.eclass to add support for module signing V2

[gentoo-dev] [RFC] patch linux-mod.eclass to add support for module signing V2

[Carlos Silva]

[-- Attachment #1: Type: text/plain, Size: 3469 bytes --]

This is the same patch posted earlier but with the feedback from Steven J.
Long from the last post on the previous thread. (Thanks!)



Signed kernel modules require that the kernel is compiled with
CONFIG_MODULE_SIG=y so that during compilation, the public key hash is
stored in the kernel so that it can be verified later when insmod'ing an
external module. There is no problem with in-tree modules, this are sign
correctly and loaded, the problem is with out-of-the-tree modules installed
by portage; this ones are not "signing ware".

So this patch adds a new USE flag to the linux-mod.eclass named
"module-signing". We enabled, it will check if the user has selected all
the correct config options in the kernel, and optionally, where are the
private and public parts of the key so that the module is signed and
install time. If any of this fails, the installation of the module is
aborted.

From the end user perspective, if he wants to add support for this, all he
has to do is enable CONFIG_MODULE_SIG in the kernel. If no keys are found
during the build, it will be generated one. If one wants to create a key
himself, it's also possible to use this key, he just has to name it
signing_key.priv and siging_key.x509 and put it under /usr/src/linux.
After the kernel is compiled, this keys can be moved elsewhere and the path
to them specified in make.conf under the vars KERNEL_MODSECKEY and
KERNEL_MODPUBKEY.

Patch below for review, discussion and testing.
Thanks,
Carlos Silva



--- linux-mod.eclass 2012-09-15 16:31:15.000000000 +0000
+++ linux-mod.eclass 2013-03-11 18:58:34.075561064 -0100
@@ -125,9 +125,10 @@
 inherit eutils linux-info multilib
 EXPORT_FUNCTIONS pkg_setup pkg_preinst pkg_postinst src_install
src_compile pkg_postrm

-IUSE="kernel_linux"
+IUSE="module-signing kernel_linux"
 SLOT="0"
-RDEPEND="kernel_linux? ( virtual/modutils )"
+RDEPEND="kernel_linux? ( virtual/modutils )
+ module-signing? ( app-crypt/gnupg ) "
 DEPEND="${RDEPEND}
  sys-apps/sed
  kernel_linux? ( virtual/linux-sources )"
@@ -208,6 +209,32 @@
  fi
 }

+
+# internal function
+#
+# FUNCTION: check_module_signing
+# DESCRIPTION:
+# Checks for KERNEL_MODSECKEY, KERNEL_MODPUBKEY and verifies the files
exists
+check_module_signing() {
+ use module-signing || return 1
+
+ # Check that the configuration is correct
+ KERNEL_MODSECKEY=${KERNEL_MODSECKEY:-${KV_DIR}/signing_key.priv}
+ KERNEL_MODPUBKEY=${KERNEL_MODPUBKEY:-${KV_DIR}/signing_key.x509}
+ if [[ -s ${KERNEL_MODSECKEY} ]]; then
+ eerror "KERNEL_MODSECKEY points to a missing or empty file:"
+ eerror "${KERNEL_MODSECKEY}"
+ die "Invalid KERNEL_MODSECKEY"
+ fi
+ if [[ -s ${KERNEL_MODPUBKEY} ]]; then
+ eerror "KERNEL_MODPUBKEY points to a missing or empty file:"
+ eerror "${KERNEL_MODPUBKEY}"
+ die "Invalid KERNEL_MODPUBKEY"
+ fi
+
+ return 0
+}
+
 # internal function
 #
 # FUNCTION: update_depmod
@@ -581,6 +608,10 @@
  return
  fi

+ if use module-signing; then
+ CONFIG_CHECK+="${CONFIG_CHECK} MODULE_SIG"
+ fi
+
  linux-info_pkg_setup;
  require_configured_kernel
  check_kernel_built;
@@ -710,6 +741,12 @@
  srcdir=${srcdir:-${S}}
  objdir=${objdir:-${srcdir}}

+ if check_module_signing; then
+ ebegin "Signing module ${modulename}"
+ ${KV_DIR}/scripts/sign-file "${KERNEL_MODSECKEY}" "${KERNEL_MODPUBKEY}"
"${objdir}/${modulename}.${KV_OBJ}"
+ eend $?
+ fi
+
  einfo "Installing ${modulename} module"
  cd "${objdir}" || die "${objdir} does not exist"
  insinto /lib/modules/${KV_FULL}/${libdir}

[-- Attachment #2: Type: text/html, Size: 10396 bytes --]