1 |
On Sun, 2022-06-26 at 03:52 -0700, Georgy Yakovlev wrote: |
2 |
> On Tue, 2022-06-21 at 14:19 -0400, Kenton Groombridge wrote: |
3 |
> > eee74b9fca1 adds support for module compression, but this breaks |
4 |
> > loading |
5 |
> > out of tree modules when module signing is enforced because modules |
6 |
> > must |
7 |
> > be signed before they are compressed. Additionally, the recommended |
8 |
> > Portage hook[1] no longer works with this change. |
9 |
> > |
10 |
> > Add module signing support in linux-mod.eclass which more or less |
11 |
> > does |
12 |
> > exactly what the aforementioned Portage hook does. If the kernel |
13 |
> > configuration has CONFIG_MODULE_SIG_ALL=y, then read the hash and |
14 |
> > keys |
15 |
> > from the kernel configuration and call the sign_file tool to sign |
16 |
> > the |
17 |
> > module before it is compressed. |
18 |
> > |
19 |
> > Bug: https://bugs.gentoo.org/show_bug.cgi?id=447352 |
20 |
> > Signed-off-by: Kenton Groombridge <concord@g.o> |
21 |
> > --- |
22 |
> > eclass/linux-mod.eclass | 16 ++++++++++++++++ |
23 |
> > 1 file changed, 16 insertions(+) |
24 |
> > |
25 |
> > diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass |
26 |
> > index b7c13cbf7e7..fd40f6d7c6c 100644 |
27 |
> > --- a/eclass/linux-mod.eclass |
28 |
> > +++ b/eclass/linux-mod.eclass |
29 |
> > @@ -712,6 +712,22 @@ linux-mod_src_install() { |
30 |
> > cd "${objdir}" || die "${objdir} does not exist" |
31 |
> > insinto |
32 |
> > "${INSTALL_MOD_PATH}"/lib/modules/${KV_FULL}/${libdir} |
33 |
> > |
34 |
> > + # check here for CONFIG_MODULE_SIG_ALL and sign the |
35 |
> > module being built if enabled. |
36 |
> > + # modules must be signed before they are |
37 |
> > compressed. |
38 |
> > + |
39 |
> > + if linux_chkconfig_present MODULE_SIG_ALL; then |
40 |
> > + local |
41 |
> > module_sig_hash="$(linux_chkconfig_string MODULE_SIG_HASH)" |
42 |
> > + local |
43 |
> > module_sig_key="$(linux_chkconfig_string MODULE_SIG_KEY)" |
44 |
> > + module_sig_key="${module_sig_key:- |
45 |
> > certs/signing_key.pem}" |
46 |
> > + if [[ "${module_sig_key#pkcs11:}" == |
47 |
> > "${module_sig_key}" && "${module_sig_key#/}" == "${module_sig_key}" |
48 |
> > ]]; then |
49 |
> > + local |
50 |
> > key_path="${KERNEL_DIR}/${module_sig_key}" |
51 |
> > + else |
52 |
> > + local key_path="${module_sig_key}" |
53 |
> > + fi |
54 |
> > + local |
55 |
> > cert_path="${KERNEL_DIR}/certs/signing_key.x509" |
56 |
> > + "${KERNEL_DIR}"/scripts/sign-file |
57 |
> > ${module_sig_hash//\"} ${key_path//\"} ${cert_path} |
58 |
> > ${modulename}.${KV_OBJ} |
59 |
> > + fi |
60 |
> > + |
61 |
> > # check here for |
62 |
> > CONFIG_MODULE_COMPRESS_<compression |
63 |
> > option> (NONE, GZIP, XZ, ZSTD) |
64 |
> > # and similarily compress the module being built if |
65 |
> > != NONE. |
66 |
> > |
67 |
> |
68 |
> |
69 |
> Hi, |
70 |
> |
71 |
> I've spent some time in the past ( circa 2018 ) to get this in, but |
72 |
> gave up due to various reasons, I was not a gentoo dev yet at the |
73 |
> time. |
74 |
> |
75 |
> I can't see how posted implementation will work tbh. |
76 |
> portage will strip signature out of the module, unless you prevent |
77 |
> stripping completely or package uses EAPI>=7, and omits stripping |
78 |
> modules via dostrip -x on the ko object. |
79 |
> kernel will NOT load module with stripped signature. |
80 |
> |
81 |
> so either you have to sign in pkg_postinst phase, or prevent |
82 |
> stripping. |
83 |
> signing in postinst is not ideal, because if breaks recorded file |
84 |
> checksums in vdb. |
85 |
> |
86 |
> here's old fork of eclass I made, maybe you can find some helpful |
87 |
> code |
88 |
> in there |
89 |
> |
90 |
> https://github.com/gyakovlev/linux-mod.eclass/blob/master/linux-mod.eclass |
91 |
> |
92 |
> old ML discussion we had: |
93 |
> https://archives.gentoo.org/gentoo-dev/message/4b15b1c851f379a1f802e2f2895cdfa8 |
94 |
> |
95 |
> You will also need a dependency on openssl, since sign-file uses it. |
96 |
> |
97 |
> lmk if you need more info, I might remember more details, but for now |
98 |
> that's all I have. I'll try to help get it done, but my availability |
99 |
> is |
100 |
> spotty due to limited time. |
101 |
|
102 |
after reading my old code again and thinking more I think I know what's |
103 |
going on. |
104 |
1. I've actually solved checksum/strip problem by signing in pkg- |
105 |
preinst |
106 |
2. my method will likely fail with compressed modules. |
107 |
3. your method likely works only if modules are compressed - because |
108 |
portage does not strip those I think. |
109 |
|
110 |
so looks like we need to combine both methods and do the following: |
111 |
- if signing requested without compression - sign in pkg_preinst. |
112 |
- if signing requested with compression - sign in src_install |
113 |
|
114 |
Do I make sense? I still haven't tested it, just guessing as I read my |
115 |
old bash code. |