From: Mike Gilbert
Date: Mon, 27 Jun 2022 15:49:47 -0400
To: Gentoo Dev (gentoo-dev@lists.gentoo.org)
Subject: Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing
References: <20220621181959.920941-1-concord@gentoo.org> <84e99a74d64f0d9dd326af0f2c54b9d5717b2f8d.camel@gentoo.org> <9317f3aa1815d9ef219625794c06a8fb3057d707.camel@gentoo.org> <20220627183531.palnmdpvgzf44ssk@fuuko>

On Mon, Jun 27, 2022 at 3:42 PM Georgy Yakovlev wrote:
>
> On Mon, 2022-06-27 at 14:56 -0400, Mike Gilbert wrote:
> > On Mon, Jun 27, 2022 at 2:35 PM Kenton Groombridge wrote:
> > > > so looks like we need to combine both methods and do the
> > > > following:
> > > > - if signing requested without compression - sign in
> > > > pkg_preinst.
> > > > - if signing requested with compression - sign in src_install
> > > >
> > >
> > > Why can't we do both in pkg_preinst? I am thinking it would be best
> > > if we drop the current compression implementation and rework your old
> > > code to handle both compression and signing since the signing code is
> > > more or less already complete.
> >
> > Signing modules in pkg_preinst seems like a bad idea to me. That
> > means you need to copy your private keys around to every host where the
> > package might be installed.
> >
> > If you sign in src_compile or src_install, you only need private keys
> > on the system building your binpkg.
> >
>
> unfortunately portage will unconditionally strip .ko objects, rendering
> modules unloadable by stripping signature, unless we do dostrip -x
> (requires EAPI7+, which should not be a problem nowadays, but was a
> problem back in 2018), which can be quite unfortunate on debug enabled
> kernels.

Sounds like something to fix/change in Portage. It could probably be
updated to not strip the signature. However, I would guess the signature
needs to be updated after the binary is modified in any case.

Or as a workaround you could disable automatic stripping via dostrip -x
and run the proper commands to strip the modules in src_install as well.
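The reason a strip pass leaves a signed module unloadable, as discussed in the thread, is that the kernel's module signature is not an ELF section: sign-file appends the PKCS#7 blob, a 12-byte `struct module_signature`, and the magic trailer `~Module signature appended~\n` after the ELF image, and strip rewrites the ELF without that tail. The following is an added example, not code from the eclass or from Portage; it parses that trailer so a build or QA step can verify a `.ko` still carries its signature after stripping, and it simulates the strip by truncating the constructed blob (`append_signature` and `strip_like_portage` are demo helpers, not kernel tools).

```python
import struct

# Trailer layout from include/linux/module_signature.h (Linux kernel):
# signature bytes, then struct module_signature, then the 28-byte magic.
MAGIC = b"~Module signature appended~\n"
# u8 algo, u8 hash, u8 id_type, u8 signer_len, u8 key_id_len, u8 pad[3], __be32 sig_len
HDR = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2  # id_type used by modern sign-file output


def parse_module_signature(data: bytes):
    """Describe the appended signature of a module image, or return None if unsigned."""
    if not data.endswith(MAGIC):
        return None
    body = data[:-len(MAGIC)]
    if len(body) < HDR.size:
        return None
    algo, hash_id, id_type, signer_len, key_id_len, sig_len = HDR.unpack(body[-HDR.size:])
    body = body[:-HDR.size]
    if sig_len > len(body):
        return None  # trailer claims more signature bytes than the file holds
    return {
        "id_type": id_type,
        "pkcs7": id_type == PKEY_ID_PKCS7,
        "sig_len": sig_len,
        "signature": body[-sig_len:] if sig_len else b"",
        "payload_len": len(body) - sig_len,  # size of the bare ELF image
    }


def append_signature(payload: bytes, pkcs7: bytes) -> bytes:
    """Constructed stand-in for sign-file: append blob, header and magic."""
    return payload + pkcs7 + HDR.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7)) + MAGIC


def strip_like_portage(signed: bytes) -> bytes:
    """Simulate strip: the ELF image is kept, trailing non-ELF bytes are dropped."""
    info = parse_module_signature(signed)
    return signed[:info["payload_len"]] if info else signed


if __name__ == "__main__":
    ko = b"\x7fELF" + b"constructed module body"          # constructed sample image
    signed = append_signature(ko, b"\x30\x82constructed-pkcs7")  # constructed PKCS#7 bytes
    print(parse_module_signature(signed))
    print(parse_module_signature(strip_like_portage(signed)))  # None: signature is gone
```

Running the check on the real installed file (for example from an ebuild's src_install after the manual strip, or from a post-install QA hook) tells you whether signing must be repeated, which matches the observation above that the signature has to be regenerated after the binary is modified.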