Gentoo Archives: gentoo-dev

From: Kenton Groombridge <me@×××××××.sh>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing
Date: Tue, 21 Jun 2022 18:22:16
Message-Id: 20220621182158.qo57sqqn6gcgdzry@fuuko
In Reply to: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing by Kenton Groombridge
On 22/06/21 02:19PM, Kenton Groombridge wrote:
> eee74b9fca1 adds support for module compression, but this breaks loading
> out of tree modules when module signing is enforced because modules must
> be signed before they are compressed. Additionally, the recommended
> Portage hook[1] no longer works with this change.
>

Forgot to include this reference:

[1] https://wiki.gentoo.org/wiki/Signed_kernel_module_support#Automatically_signing_kernel_modules_.28Portage.29

> Add module signing support in linux-mod.eclass which more or less does
> exactly what the aforementioned Portage hook does. If the kernel
> configuration has CONFIG_MODULE_SIG_ALL=y, then read the hash and keys
> from the kernel configuration and call the sign_file tool to sign the
> module before it is compressed.
>
> Bug: https://bugs.gentoo.org/show_bug.cgi?id=447352
> Signed-off-by: Kenton Groombridge <concord@g.o>
> ---
> eclass/linux-mod.eclass | 16 ++++++++++++++++
> 1 file changed, 16 insertions(+)
>
> diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass
> index b7c13cbf7e7..fd40f6d7c6c 100644
> --- a/eclass/linux-mod.eclass
> +++ b/eclass/linux-mod.eclass
> @@ -712,6 +712,22 @@ linux-mod_src_install() {
> cd "${objdir}" || die "${objdir} does not exist"
> insinto "${INSTALL_MOD_PATH}"/lib/modules/${KV_FULL}/${libdir}
>
> + # check here for CONFIG_MODULE_SIG_ALL and sign the module being built if enabled.
> + # modules must be signed before they are compressed.
> +
> + if linux_chkconfig_present MODULE_SIG_ALL; then
> + local module_sig_hash="$(linux_chkconfig_string MODULE_SIG_HASH)"
> + local module_sig_key="$(linux_chkconfig_string MODULE_SIG_KEY)"
> + module_sig_key="${module_sig_key:-certs/signing_key.pem}"
> + if [[ "${module_sig_key#pkcs11:}" == "${module_sig_key}" && "${module_sig_key#/}" == "${module_sig_key}" ]]; then
> + local key_path="${KERNEL_DIR}/${module_sig_key}"
> + else
> + local key_path="${module_sig_key}"
> + fi
> + local cert_path="${KERNEL_DIR}/certs/signing_key.x509"
> + "${KERNEL_DIR}"/scripts/sign-file ${module_sig_hash//\"} ${key_path//\"} ${cert_path} ${modulename}.${KV_OBJ}
> + fi
> +
> # check here for CONFIG_MODULE_COMPRESS_<compression option> (NONE, GZIP, XZ, ZSTD)
> # and similarily compress the module being built if != NONE.
>
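Review bot: the prefix tests in the `if [[ "${module_sig_key#pkcs11:}" == "${module_sig_key}" && "${module_sig_key#/}" == "${module_sig_key}" ]]` line run before the Kconfig quotes are stripped from the value, so a `CONFIG_MODULE_SIG_KEY="/etc/keys/module.pem"` or `"pkcs11:..."` setting begins with a `"` character, matches neither branch and gets `${KERNEL_DIR}/` prepended; the `${key_path//\"}` expansion at the sign-file call shows the value does carry those quotes. Strip them once when the option is read (`module_sig_key="${module_sig_key//\"}"` right after the `linux_chkconfig_string MODULE_SIG_KEY` assignment) and drop the later `//\"` expansions; that also makes the `:-certs/signing_key.pem` default consistent with the unquoted form. Two smaller points: the sign-file call has no `|| die`, so a failed signing step leaves a module that will be rejected at load time under enforced signing, and `${modulename}.${KV_OBJ}` should be quoted like the other arguments. `cert_path` is also fixed to `certs/signing_key.x509` even when `MODULE_SIG_KEY` points elsewhere, which is only correct if the matching certificate is in that location.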
> --
> 2.35.1
>
>
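The procedure the commit message describes (read the hash and key from the kernel configuration when CONFIG_MODULE_SIG_ALL is set, then sign with scripts/sign-file before any compression), written out as a stand-alone POSIX shell script. This is an added example, not code from linux-mod.eclass, the patch above or the Portage hook; the kernel directory, module name and .config contents at the bottom are constructed samples, and the helper names are hypothetical. It strips the quotes Kconfig wraps around string values before deciding whether the key is a pkcs11: URI, an absolute path or a path relative to the kernel build directory.

```shell
#!/bin/sh
# Added example (not from linux-mod.eclass or the patch): derive module-signing
# parameters from a kernel .config and build the sign-file command line.
# Sample kernel dir, module name and .config contents below are constructed.

# Read a Kconfig string option and drop the double quotes Kconfig wraps it in.
# $1 = path to .config, $2 = option name without the CONFIG_ prefix
kconfig_string() {
    sed -n "s/^CONFIG_$2=\"\(.*\)\"\$/\1/p" "$1"
}

# True when a boolean Kconfig option is set to y.
# $1 = path to .config, $2 = option name without the CONFIG_ prefix
kconfig_present() {
    grep -q "^CONFIG_$2=y\$" "$1"
}

# Resolve CONFIG_MODULE_SIG_KEY to what sign-file should receive:
# pkcs11: URIs and absolute paths pass through untouched, a relative path is
# taken relative to the kernel build directory, and an empty value means the
# kernel's default certs/signing_key.pem.
# $1 = kernel build directory, $2 = unquoted value of CONFIG_MODULE_SIG_KEY
resolve_sig_key() {
    key="${2:-certs/signing_key.pem}"
    case "$key" in
        pkcs11:*|/*) printf '%s\n' "$key" ;;
        *)           printf '%s\n' "$1/$key" ;;
    esac
}

# Print the sign-file command line for one module, or nothing when the kernel
# is not configured to sign all modules. Printing rather than executing keeps
# the decision inspectable; sign_module below performs the real call.
# $1 = kernel build directory, $2 = .config path, $3 = module file (.ko)
build_sign_cmd() {
    kconfig_present "$2" MODULE_SIG_ALL || return 0
    sig_hash="$(kconfig_string "$2" MODULE_SIG_HASH)"
    sig_key="$(resolve_sig_key "$1" "$(kconfig_string "$2" MODULE_SIG_KEY)")"
    sig_cert="$1/certs/signing_key.x509"
    printf '%s/scripts/sign-file %s %s %s %s\n' "$1" "$sig_hash" "$sig_key" "$sig_cert" "$3"
}

# Sign a module in place. This must run before the module is compressed: the
# signature is appended to the uncompressed image, and a module that is
# compressed first will not load once signature enforcement is on.
# $1 = kernel build directory, $2 = .config path, $3 = module file (.ko)
sign_module() {
    kconfig_present "$2" MODULE_SIG_ALL || return 0
    sig_hash="$(kconfig_string "$2" MODULE_SIG_HASH)"
    sig_key="$(resolve_sig_key "$1" "$(kconfig_string "$2" MODULE_SIG_KEY)")"
    "$1/scripts/sign-file" "$sig_hash" "$sig_key" "$1/certs/signing_key.x509" "$3" \
        || { echo "failed to sign $3" >&2; return 1; }
}

# Write a constructed sample .config (hypothetical values) to $1.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="/etc/kernel/keys/module_signing.pem"
EOF
}

# Demonstration: show the command that would sign a sample module.
sample_config="$(mktemp)"
write_sample_config "$sample_config"
build_sign_cmd /usr/src/linux "$sample_config" example_module.ko
rm -f "$sample_config"
```

With the sample configuration the script prints `/usr/src/linux/scripts/sign-file sha512 /etc/kernel/keys/module_signing.pem /usr/src/linux/certs/signing_key.x509 example_module.ko`; the absolute key path survives because the quotes were removed before the `case` test. Compressing the module (gzip, xz or zstd) is a separate step that must follow `sign_module`.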
