Gentoo Archives: gentoo-dev

From: Kenton Groombridge <concord@g.o>
To: gentoo-dev@l.g.o
Subject: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing
Date: Tue, 21 Jun 2022 18:20:12
Message-Id: 20220621181959.920941-1-concord@gentoo.org
eee74b9fca1 adds support for module compression, but this breaks loading
out of tree modules when module signing is enforced because modules must
be signed before they are compressed. Additionally, the recommended
Portage hook[1] no longer works with this change.

Add module signing support in linux-mod.eclass which more or less does
exactly what the aforementioned Portage hook does. If the kernel
configuration has CONFIG_MODULE_SIG_ALL=y, then read the hash and keys
from the kernel configuration and call the sign_file tool to sign the
module before it is compressed.

Bug: https://bugs.gentoo.org/show_bug.cgi?id=447352
Signed-off-by: Kenton Groombridge <concord@g.o>
---
 eclass/linux-mod.eclass | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass
index b7c13cbf7e7..fd40f6d7c6c 100644
--- a/eclass/linux-mod.eclass
+++ b/eclass/linux-mod.eclass
@@ -712,6 +712,22 @@ linux-mod_src_install() {
 cd "${objdir}" || die "${objdir} does not exist"
 insinto "${INSTALL_MOD_PATH}"/lib/modules/${KV_FULL}/${libdir}

+ # check here for CONFIG_MODULE_SIG_ALL and sign the module being built if enabled.
+ # modules must be signed before they are compressed.
+
+ if linux_chkconfig_present MODULE_SIG_ALL; then
+ local module_sig_hash="$(linux_chkconfig_string MODULE_SIG_HASH)"
+ local module_sig_key="$(linux_chkconfig_string MODULE_SIG_KEY)"
+ module_sig_key="${module_sig_key:-certs/signing_key.pem}"
+ if [[ "${module_sig_key#pkcs11:}" == "${module_sig_key}" && "${module_sig_key#/}" == "${module_sig_key}" ]]; then
+ local key_path="${KERNEL_DIR}/${module_sig_key}"
+ else
+ local key_path="${module_sig_key}"
+ fi
+ local cert_path="${KERNEL_DIR}/certs/signing_key.x509"
+ "${KERNEL_DIR}"/scripts/sign-file ${module_sig_hash//\"} ${key_path//\"} ${cert_path} ${modulename}.${KV_OBJ}
+ fi
+
 # check here for CONFIG_MODULE_COMPRESS_<compression option> (NONE, GZIP, XZ, ZSTD)
 # and similarily compress the module being built if != NONE.

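Review bot: the pkcs11:/absolute-path tests on the `if [[ "${module_sig_key#pkcs11:}" == ...` line run before the surrounding double quotes are stripped, yet the later `${key_path//\"}` shows the value returned by `linux_chkconfig_string` is expected to still carry them; a quoted value such as `"pkcs11:..."` or `"/etc/keys/..."` then fails both prefix tests and gets `${KERNEL_DIR}/` prepended to it. Strip the quotes immediately after reading (for example `module_sig_key="${module_sig_key//\"}"`), before the `:-certs/signing_key.pem` default and the prefix checks, so that an empty quoted value also takes the default. The `sign-file` invocation also lacks `|| die`: if signing fails (missing key, unsupported hash) the unsigned module is silently installed and compressed, and is only rejected at load time once signature enforcement is on; the four arguments should additionally be double-quoted so that key and module paths containing spaces are not word-split.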
--
2.35.1
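The following is an added example illustrating the logic the commit message describes (read the signing hash and key from the kernel configuration, resolve the key path, sign the uncompressed .ko, and only then compress); it is not code from the patch or from linux-mod.eclass. It replaces the eclass helpers `linux_chkconfig_present`/`linux_chkconfig_string` with small grep/sed readers over a `.config` file, assumes POSIX sh with standard coreutils, and uses the kernel's real signature trailer magic (`~Module signature appended~`) to check whether a module has been signed, a check that only works on the uncompressed file, which is the ordering point of the patch.

```shell
#!/bin/sh
# Added example: resolve module-signing parameters from a kernel .config and
# verify signing happened before compression. Not part of the patch or eclass.

# Print the value of CONFIG_<name> from a .config, with surrounding quotes
# stripped; prints nothing when the option is absent or "is not set".
kconfig_string() {  # $1 = path to .config, $2 = option name without CONFIG_
    sed -n "s/^CONFIG_$2=//p" "$1" | sed 's/^"\(.*\)"$/\1/'
}

# Succeed when CONFIG_<name>=y in the given .config (stand-in for
# linux_chkconfig_present).
kconfig_enabled() {  # $1 = path to .config, $2 = option name without CONFIG_
    grep -q "^CONFIG_$2=y$" "$1"
}

# Resolve MODULE_SIG_KEY to what sign-file should receive: pkcs11: URIs and
# absolute paths pass through unchanged, relative paths are taken relative to
# the kernel source tree, and an empty value falls back to the kernel default.
resolve_sig_key() {  # $1 = kernel source dir, $2 = MODULE_SIG_KEY value (unquoted)
    key="${2:-certs/signing_key.pem}"
    case "$key" in
        pkcs11:*|/*) printf '%s\n' "$key" ;;
        *)           printf '%s/%s\n' "$1" "$key" ;;
    esac
}

# Succeed when the file ends with the 28-byte trailer the kernel appends to a
# signed module. A compressed .ko.xz/.ko.zst ends with the compressor's own
# footer instead, so this check is only meaningful on the uncompressed .ko.
module_is_signed() {  # $1 = path to an uncompressed .ko
    tail -c 28 "$1" | grep -q '~Module signature appended~'
}

# Sign an uncompressed .ko with the kernel's scripts/sign-file (assumed to
# exist under $1), then confirm the trailer is present. Must run before any
# compression step, and a failure must be fatal: an unsigned module would
# otherwise be installed and rejected at load time when signing is enforced.
sign_module() {  # $1 = kernel source dir, $2 = path to .config, $3 = module.ko
    hash="$(kconfig_string "$2" MODULE_SIG_HASH)"
    key="$(resolve_sig_key "$1" "$(kconfig_string "$2" MODULE_SIG_KEY)")"
    [ -n "$hash" ] || { echo "MODULE_SIG_HASH not set" >&2; return 1; }
    "$1/scripts/sign-file" "$hash" "$key" "$1/certs/signing_key.x509" "$3" || return 1
    module_is_signed "$3"
}
```

With a kernel tree at `/usr/src/linux`, `kconfig_enabled /usr/src/linux/.config MODULE_SIG_ALL && sign_module /usr/src/linux /usr/src/linux/.config foo.ko` reproduces the patch's sequence; `module_is_signed` run over the uncompressed modules in the build directory is a cheap post-install check that signing was not skipped.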

Replies:
- Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing, Kenton Groombridge <me@×××××××.sh>
- Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing, Georgy Yakovlev <gyakovlev@g.o>