| 1 |
On 22/06/23 08:51AM, Mike Pagano wrote: |
| 2 |
> On 6/21/22 14:21, Kenton Groombridge wrote: |
| 3 |
> > On 22/06/21 02:19PM, Kenton Groombridge wrote: |
| 4 |
> > > eee74b9fca1 adds support for module compression, but this breaks loading |
| 5 |
> > > out of tree modules when module signing is enforced because modules must |
| 6 |
> > > be signed before they are compressed. Additionally, the recommended |
| 7 |
> > > Portage hook[1] no longer works with this change. |
| 8 |
> > > |
| 9 |
> > |
| 10 |
> > Forgot to include this reference: |
| 11 |
> > |
| 12 |
> > [1] https://wiki.gentoo.org/wiki/Signed_kernel_module_support#Automatically_signing_kernel_modules_.28Portage.29 |
| 13 |
> > |
| 14 |
> > > Add module signing support in linux-mod.eclass which more or less does |
| 15 |
> > > exactly what the aforementioned Portage hook does. If the kernel |
| 16 |
> > > configuration has CONFIG_MODULE_SIG_ALL=y, then read the hash and keys |
| 17 |
> > > from the kernel configuration and call the sign_file tool to sign the |
| 18 |
> > > module before it is compressed. |
| 19 |
> > > |
| 20 |
> > > Bug: https://bugs.gentoo.org/show_bug.cgi?id=447352 |
| 21 |
> > > Signed-off-by: Kenton Groombridge <concord@g.o> |
| 22 |
> > > --- |
| 23 |
> > > eclass/linux-mod.eclass | 16 ++++++++++++++++ |
| 24 |
> > > 1 file changed, 16 insertions(+) |
| 25 |
> > > |
| 26 |
> > > diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass |
| 27 |
> > > index b7c13cbf7e7..fd40f6d7c6c 100644 |
| 28 |
> > > --- a/eclass/linux-mod.eclass |
| 29 |
> > > +++ b/eclass/linux-mod.eclass |
| 30 |
> > > @@ -712,6 +712,22 @@ linux-mod_src_install() { |
| 31 |
> > > cd "${objdir}" || die "${objdir} does not exist" |
| 32 |
> > > insinto "${INSTALL_MOD_PATH}"/lib/modules/${KV_FULL}/${libdir} |
| 33 |
> > > + # check here for CONFIG_MODULE_SIG_ALL and sign the module being built if enabled. |
| 34 |
> > > + # modules must be signed before they are compressed. |
| 35 |
> > > + |
| 36 |
> > > + if linux_chkconfig_present MODULE_SIG_ALL; then |
| 37 |
> > > + local module_sig_hash="$(linux_chkconfig_string MODULE_SIG_HASH)" |
| 38 |
> > > + local module_sig_key="$(linux_chkconfig_string MODULE_SIG_KEY)" |
| 39 |
> > > + module_sig_key="${module_sig_key:-certs/signing_key.pem}" |
| 40 |
> > > + if [[ "${module_sig_key#pkcs11:}" == "${module_sig_key}" && "${module_sig_key#/}" == "${module_sig_key}" ]]; then |
| 41 |
> > > + local key_path="${KERNEL_DIR}/${module_sig_key}" |
| 42 |
> > > + else |
| 43 |
> > > + local key_path="${module_sig_key}" |
| 44 |
> > > + fi |
| 45 |
> > > + local cert_path="${KERNEL_DIR}/certs/signing_key.x509" |
| 46 |
> > > + "${KERNEL_DIR}"/scripts/sign-file ${module_sig_hash//\"} ${key_path//\"} ${cert_path} ${modulename}.${KV_OBJ} |
| 47 |
> > > + fi |
| 48 |
> > > + |
| 49 |
> > > # check here for CONFIG_MODULE_COMPRESS_<compression option> (NONE, GZIP, XZ, ZSTD) |
| 50 |
> > > # and similarily compress the module being built if != NONE. |
| 51 |
> > > -- |
| 52 |
> > > 2.35.1 |
| 53 |
> > > |
| 54 |
> > > |
| 55 |
> |
| 56 |
> |
| 57 |
> First of all, thank-you for your work ! |
| 58 |
> I appreciate any assistance with enhancement or clean-up of these eclasses. |
| 59 |
> |
| 60 |
> I tested your patch, are you signing the files in 'work' after they are installed in 'image' ? |
| 61 |
> |
| 62 |
> |
| 63 |
> /usr/src/linux/scripts/extract-module-sig.pl -s ./work/kernel/nvidia.ko > /tmp/sig |
| 64 |
> Read 47802433 bytes from module file |
| 65 |
> Found magic number at 47802433 |
| 66 |
> Found PKCS#7/CMS encapsulation |
| 67 |
> Found 681 bytes of signature [308202a506092a864886f70d010702a0] |
| 68 |
> |
| 69 |
> /usr/src/linux/scripts/extract-module-sig.pl -s ./image/lib/modules/5.18.6-gentoo/video/nvidia.ko > /tmp/sig |
| 70 |
> Read 47227784 bytes from module file |
| 71 |
> Magic number not found at 47227784 |
| 72 |
> |
| 73 |
|
| 74 |
Thanks for testing! |
| 75 |
|
| 76 |
That's odd. In my environment they are signed in 'work' before |
| 77 |
installing to 'image' as they should be. |
| 78 |
|
| 79 |
# unzstd /lib/modules/5.15.48-gentoo/misc/p_lkrg.ko.zst |
| 80 |
/lib/modules/5.15.48-gentoo/misc/p_lkrg.ko.zst: 436681 bytes |
| 81 |
# /usr/src/linux/scripts/extract-module-sig.pl -s /lib/modules/5.15.48-gentoo/misc/p_lkrg.ko >sig |
| 82 |
Read 436681 bytes from module file |
| 83 |
Found magic number at 436681 |
| 84 |
Found PKCS#7/CMS encapsulation |
| 85 |
Found 681 bytes of signature [308202a506092a864886f70d010702a0] |
| 86 |
|
| 87 |
The installation of modules in linux-mod_src_install happens after |
| 88 |
signing and compression, so unless I am missing something that shouldn't |
| 89 |
be happening. |
Archives