1 |
On 22/06/21 02:19PM, Kenton Groombridge wrote: |
2 |
> eee74b9fca1 adds support for module compression, but this breaks loading |
3 |
> out of tree modules when module signing is enforced because modules must |
4 |
> be signed before they are compressed. Additionally, the recommended |
5 |
> Portage hook[1] no longer works with this change. |
6 |
> |
7 |
|
8 |
Forgot to include this reference: |
9 |
|
10 |
[1] https://wiki.gentoo.org/wiki/Signed_kernel_module_support#Automatically_signing_kernel_modules_.28Portage.29 |
11 |
|
12 |
> Add module signing support in linux-mod.eclass which more or less does |
13 |
> exactly what the aforementioned Portage hook does. If the kernel |
14 |
> configuration has CONFIG_MODULE_SIG_ALL=y, then read the hash and keys |
15 |
> from the kernel configuration and call the sign_file tool to sign the |
16 |
> module before it is compressed. |
17 |
> |
18 |
> Bug: https://bugs.gentoo.org/show_bug.cgi?id=447352 |
19 |
> Signed-off-by: Kenton Groombridge <concord@g.o> |
20 |
> --- |
21 |
> eclass/linux-mod.eclass | 16 ++++++++++++++++ |
22 |
> 1 file changed, 16 insertions(+) |
23 |
> |
24 |
> diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass |
25 |
> index b7c13cbf7e7..fd40f6d7c6c 100644 |
26 |
> --- a/eclass/linux-mod.eclass |
27 |
> +++ b/eclass/linux-mod.eclass |
28 |
> @@ -712,6 +712,22 @@ linux-mod_src_install() { |
29 |
> cd "${objdir}" || die "${objdir} does not exist" |
30 |
> insinto "${INSTALL_MOD_PATH}"/lib/modules/${KV_FULL}/${libdir} |
31 |
> |
32 |
> + # check here for CONFIG_MODULE_SIG_ALL and sign the module being built if enabled. |
33 |
> + # modules must be signed before they are compressed. |
34 |
> + |
35 |
> + if linux_chkconfig_present MODULE_SIG_ALL; then |
36 |
> + local module_sig_hash="$(linux_chkconfig_string MODULE_SIG_HASH)" |
37 |
> + local module_sig_key="$(linux_chkconfig_string MODULE_SIG_KEY)" |
38 |
> + module_sig_key="${module_sig_key:-certs/signing_key.pem}" |
39 |
> + if [[ "${module_sig_key#pkcs11:}" == "${module_sig_key}" && "${module_sig_key#/}" == "${module_sig_key}" ]]; then |
40 |
> + local key_path="${KERNEL_DIR}/${module_sig_key}" |
41 |
> + else |
42 |
> + local key_path="${module_sig_key}" |
43 |
> + fi |
44 |
> + local cert_path="${KERNEL_DIR}/certs/signing_key.x509" |
45 |
> + "${KERNEL_DIR}"/scripts/sign-file ${module_sig_hash//\"} ${key_path//\"} ${cert_path} ${modulename}.${KV_OBJ} |
46 |
> + fi |
47 |
> + |
48 |
> # check here for CONFIG_MODULE_COMPRESS_<compression option> (NONE, GZIP, XZ, ZSTD) |
49 |
> # and similarily compress the module being built if != NONE. |
50 |
> |
51 |
> -- |
52 |
> 2.35.1 |
53 |
> |
54 |
> |