* Re: [gentoo-dev] [PATCH 1/2 v2] kernel-build.eclass: add IUSE="+strip modules-sign", install generated keys
2023-06-15 9:50 [gentoo-dev] [PATCH 1/2] kernel-build.eclass: add IUSE="strip", install generated keys Andrew Ammerlaan
@ 2023-06-15 13:06 ` Andrew Ammerlaan
2023-06-15 13:46 ` Mike Gilbert
2023-06-17 18:12 ` [gentoo-dev] [PATCH 1/2 v3] kernel-build.eclass: add IUSE="strip", " Andrew Ammerlaan
1 sibling, 1 reply; 5+ messages in thread
From: Andrew Ammerlaan @ 2023-06-15 13:06 UTC (permalink / raw
To: gentoo-dev
Version 2 moves all of the logic into the eclass, reducing code
duplication at the cost of potentially having to adjust the
CONFIG_MODULE_SIG_* logic at some later stage if this changes upstream.
We now also unset KBUILD_SIGN_PIN, as is done in linux-mod-r1.eclass as
well.
From b0e42a34469c3799b2c2c636d794a95040549133 Mon Sep 17 00:00:00 2001
From: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Date: Thu, 15 Jun 2023 11:50:10 +0200
Subject: [PATCH] kernel-build.eclass: add IUSE="+strip modules-sign",
install
generated keys
- Let the kernel build system handle stripping of the modules.
This is necessary for successfully signing and compressing modules.
Inspired by linux-mod-r1.eclass.
- If the build system has generated keys or certificates, install them.
This is required to successfully sign external kernel modules.
- Enable module signing configure options if requested by the user.
- Define the user variables MODULES_SIGN_HASH and MODULES_SIGN_KEY.
For controlling the used hashing algorithm and allowing the use of
external keys. These variables are the same as in linux-mod-r1.eclass
- Warn the user if we are letting the kernel build system generate the
signing
key. This key will end up binary packages. Plus external modules will
have to
be resigned if gentoo-kernel is re-emerged (i.e. a new key was generated).
Closes: https://bugs.gentoo.org/814344
Closes: https://bugs.gentoo.org/881651
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
---
eclass/kernel-build.eclass | 115 +++++++++++++++++++++++++++++++++++--
1 file changed, 111 insertions(+), 4 deletions(-)
diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index da215a055a467..7634a4445350f 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -1,4 +1,4 @@
-# Copyright 2020-2022 Gentoo Authors
+# Copyright 2020-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
# @ECLASS: kernel-build.eclass
@@ -41,6 +41,50 @@ BDEPEND="
app-alternatives/yacc
"
+IUSE="+strip"
+
+# @ECLASS_VARIABLE: ALLOW_MODULES_SIGN
+# @PRE_INHERIT
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# If set to a non-null value, adds IUSE=modules-sign and required
+# logic to manipulate the kernel config while respecting the
+# MODULES_SIGN_HASH and MODULES_SIGN_KEY user variables.
+
+# @ECLASS_VARIABLE: MODULES_SIGN_HASH
+# @USER_VARIABLE
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# Used with USE=modules-sign. Can be set to hash algorithm to use
+# during signature generation (CONFIG_MODULE_SIG_SHA256).
+#
+# Valid values: sha512,sha384,sha256,sha224,sha1
+#
+# Default if unset: sha512
+
+# @ECLASS_VARIABLE: MODULES_SIGN_KEY
+# @USER_VARIABLE
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# Used with USE=modules-sign. Can be set to the path of the private
+# key in PEM format to use, or a PKCS#11 URI (CONFIG_MODULE_SIG_KEY).
+#
+# If path is relative (e.g. "certs/name.pem"), it is assumed to be
+# relative to the kernel build directory being used.
+#
+# If the key requires a passphrase or PIN, the used kernel sign-file
+# utility recognizes the KBUILD_SIGN_PIN environment variable. Be
+# warned that the package manager may store this value in binary
+# packages, database files, temporary files, and possibly logs. This
+# eclass unsets the variable after use to mitigate the issue (notably
+# for shared binary packages), but use this with care.
+#
+# Default if unset: certs/signing_key.pem
+
+if [[ -n "${ALLOW_MODULES_SIGN}" ]]; then
+ IUSE+=" modules-sign"
+fi
+
# @FUNCTION: kernel-build_src_configure
# @DESCRIPTION:
# Prepare the toolchain for building the kernel, get the default .config
@@ -83,7 +127,7 @@ kernel-build_src_configure() {
LD="${LD}"
AR="$(tc-getAR)"
NM="$(tc-getNM)"
- STRIP=":"
+ STRIP="$(tc-getSTRIP)"
OBJCOPY="$(tc-getOBJCOPY)"
OBJDUMP="$(tc-getOBJDUMP)"
@@ -176,8 +220,18 @@ kernel-build_src_install() {
targets+=( dtbs_install )
fi
+ # Use the kernel build system to strip, this ensures the modules
+ # are stripped *before* they are signed or compressed.
+ local strip_args
+ if use strip; then
+ strip_args="--strip-unneeded"
+ fi
+ # Modules were already stripped by the kernel build system
+ dostrip -x /lib/modules
+
emake O="${WORKDIR}"/build "${MAKEARGS[@]}" \
- INSTALL_MOD_PATH="${ED}" INSTALL_PATH="${ED}/boot" "${targets[@]}"
+ INSTALL_MOD_PATH="${ED}" INSTALL_MOD_STRIP="${strip_args}" \
+ INSTALL_PATH="${ED}/boot" "${targets[@]}"
# note: we're using mv rather than doins to save space and time
# install main and arch-specific headers first, and scripts
@@ -217,6 +271,14 @@ kernel-build_src_install() {
local image_path=$(dist-kernel_get_image_path)
cp -p "build/${image_path}" "${ED}${kernel_dir}/${image_path}" || die
+ # If a key was generated, copy it so external modules can be signed
+ local suffix
+ for suffix in pem x509; do
+ if [[ -f "build/certs/signing_key.${suffix}" ]]; then
+ cp -p "build/certs/signing_key.${suffix}" "${ED}${kernel_dir}/certs"
|| die
+ fi
+ done
+
# building modules fails with 'vmlinux has no symtab?' if stripped
use ppc64 && dostrip -x "${kernel_dir}/${image_path}"
@@ -239,6 +301,9 @@ kernel-build_src_install() {
dosym "../../../${kernel_dir}" "/lib/modules/${module_ver}/build"
dosym "../../../${kernel_dir}" "/lib/modules/${module_ver}/source"
+ # unset to at least be out of the environment file in, e.g. shared binpkgs
+ unset KBUILD_SIGN_PIN
+
save_config build/.config
}
@@ -248,6 +313,25 @@ kernel-build_src_install() {
kernel-build_pkg_postinst() {
kernel-install_pkg_postinst
savedconfig_pkg_postinst
+ if [[ -n "${ALLOW_MODULES_SIGN}" ]]; then
+ if use modules-sign && [[ -z "${MODULES_SIGN_KEY}" ]]; then
+ ewarn
+ ewarn "MODULES_SIGN_KEY was not set, this means the kernel build system"
+ ewarn "automatically generated the signing key. This key was installed"
+ ewarn "in ${EROOT}/usr/src/linux-${PV}${KV_LOCALVERSION}/certs"
+ ewarn "and will also be included in any binary packages."
+ ewarn "Please take appropriate action to protect the key!"
+ ewarn
+ ewarn "Recompiling this package causes a new key to be generated. As"
+ ewarn "a result any external kernel modules will need to be resigned."
+ ewarn "Use emerge @module-rebuild, or manually sign the modules as"
+ ewarn "described on the wiki [1]"
+ ewarn
+ ewarn "Consider using the MODULES_SIGN_KEY variable to use an
external key."
+ ewarn
+ ewarn "[1]: https://wiki.gentoo.org/wiki/Signed_kernel_module_support"
+ fi
+ fi
}
# @FUNCTION: kernel-build_merge_configs
@@ -270,16 +354,39 @@ kernel-build_merge_configs() {
local user_configs=( "${BROOT}"/etc/kernel/config.d/*.config )
shopt -u nullglob
+ local merge_configs=( "${@}" )
+
+ if [[ -n "${ALLOW_MODULES_SIGN}" ]]; then
+ if use modules-sign; then
+ : "${MODULES_SIGN_HASH:=sha512}"
+ cat <<-EOF > "${WORKDIR}/modules-sign.config" || die
+ ## Enable module signing
+ CONFIG_MODULE_SIG=y
+ CONFIG_MODULE_SIG_ALL=y
+ CONFIG_MODULE_SIG_FORCE=y
+ CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y
+ EOF
+ if [[ -e "${MODULES_SIGN_KEY}" ]]; then
+ echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \
+ >> "${WORKDIR}/modules-sign.config"
+ elif [[ -n "${MODULES_SIGN_KEY}" ]]; then
+ die "MODULES_SIGN_KEY=${MODULES_SIGN_KEY} not found!"
+ fi
+ merge_configs+=( "${WORKDIR}/modules-sign.config" )
+ fi
+ fi
+
if [[ ${#user_configs[@]} -gt 0 ]]; then
elog "User config files are being applied:"
local x
for x in "${user_configs[@]}"; do
elog "- ${x}"
done
+ merge_configs+=( "${user_configs[@]}" )
fi
./scripts/kconfig/merge_config.sh -m -r \
- .config "${@}" "${user_configs[@]}" || die
+ .config "${merge_configs[@]}" || die
}
fi
^ permalink raw reply related [flat|nested] 5+ messages in thread* Re: [gentoo-dev] [PATCH 1/2 v3] kernel-build.eclass: add IUSE="strip", install generated keys
2023-06-15 9:50 [gentoo-dev] [PATCH 1/2] kernel-build.eclass: add IUSE="strip", install generated keys Andrew Ammerlaan
2023-06-15 13:06 ` [gentoo-dev] [PATCH 1/2 v2] kernel-build.eclass: add IUSE="+strip modules-sign", " Andrew Ammerlaan
@ 2023-06-17 18:12 ` Andrew Ammerlaan
1 sibling, 0 replies; 5+ messages in thread
From: Andrew Ammerlaan @ 2023-06-17 18:12 UTC (permalink / raw
To: gentoo-dev
No functional changes in version 3, just renaming some variables and
splitting the version 2 patch.
From 969f242c3269c068ebfe5adc37ebfc92dcd56181 Mon Sep 17 00:00:00 2001
From: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Date: Thu, 15 Jun 2023 11:50:10 +0200
Subject: [PATCH] kernel-build.eclass: add IUSE="strip", install
generated keys
- Let the kernel build system handle stripping of the modules.
This is necessary for successfully signing and compressing modules.
Inspired by linux-mod-r1.eclass.
- If the build system has generated keys or certificates, install them.
This is required to successfully sign external kernel modules.
Closes: https://bugs.gentoo.org/814344
Closes: https://bugs.gentoo.org/881651
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
---
eclass/kernel-build.eclass | 26 +++++++++++++++++++++++---
1 file changed, 23 insertions(+), 3 deletions(-)
diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index da215a055a467..abfb01720817a 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -1,4 +1,4 @@
-# Copyright 2020-2022 Gentoo Authors
+# Copyright 2020-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
# @ECLASS: kernel-build.eclass
@@ -41,6 +41,8 @@ BDEPEND="
app-alternatives/yacc
"
+IUSE="+strip"
+
# @FUNCTION: kernel-build_src_configure
# @DESCRIPTION:
# Prepare the toolchain for building the kernel, get the default .config
@@ -83,7 +85,7 @@ kernel-build_src_configure() {
LD="${LD}"
AR="$(tc-getAR)"
NM="$(tc-getNM)"
- STRIP=":"
+ STRIP="$(tc-getSTRIP)"
OBJCOPY="$(tc-getOBJCOPY)"
OBJDUMP="$(tc-getOBJDUMP)"
@@ -176,8 +178,18 @@ kernel-build_src_install() {
targets+=( dtbs_install )
fi
+ # Use the kernel build system to strip, this ensures the modules
+ # are stripped *before* they are signed or compressed.
+ local strip_args
+ if use strip; then
+ strip_args="--strip-unneeded"
+ fi
+ # Modules were already stripped by the kernel build system
+ dostrip -x /lib/modules
+
emake O="${WORKDIR}"/build "${MAKEARGS[@]}" \
- INSTALL_MOD_PATH="${ED}" INSTALL_PATH="${ED}/boot" "${targets[@]}"
+ INSTALL_MOD_PATH="${ED}" INSTALL_MOD_STRIP="${strip_args}" \
+ INSTALL_PATH="${ED}/boot" "${targets[@]}"
# note: we're using mv rather than doins to save space and time
# install main and arch-specific headers first, and scripts
@@ -217,6 +229,14 @@ kernel-build_src_install() {
local image_path=$(dist-kernel_get_image_path)
cp -p "build/${image_path}" "${ED}${kernel_dir}/${image_path}" || die
+ # If a key was generated, copy it so external modules can be signed
+ local suffix
+ for suffix in pem x509; do
+ if [[ -f "build/certs/signing_key.${suffix}" ]]; then
+ cp -p "build/certs/signing_key.${suffix}" "${ED}${kernel_dir}/certs"
|| die
+ fi
+ done
+
# building modules fails with 'vmlinux has no symtab?' if stripped
use ppc64 && dostrip -x "${kernel_dir}/${image_path}"
^ permalink raw reply related [flat|nested] 5+ messages in thread