Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing - gentoo-dev

From:	Georgy Yakovlev <gyakovlev@g.o>
To:	gentoo-dev@l.g.o
Subject:	Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing
Date:	Sun, 26 Jun 2022 11:15:11
Message-Id:	`9317f3aa1815d9ef219625794c06a8fb3057d707.camel@gentoo.org`
In Reply to:	Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing by Georgy Yakovlev

1

On Sun, 2022-06-26 at 03:52 -0700, Georgy Yakovlev wrote:

2

> On Tue, 2022-06-21 at 14:19 -0400, Kenton Groombridge wrote:

3

> > eee74b9fca1 adds support for module compression, but this breaks

4

> > loading

5

> > out of tree modules when module signing is enforced because modules

6

> > must

7

> > be signed before they are compressed. Additionally, the recommended

8

> > Portage hook[1] no longer works with this change.

9

> >

10

> > Add module signing support in linux-mod.eclass which more or less

11

> > does

12

> > exactly what the aforementioned Portage hook does. If the kernel

13

> > configuration has CONFIG_MODULE_SIG_ALL=y, then read the hash and

14

> > keys

15

> > from the kernel configuration and call the sign_file tool to sign

16

> > the

17

> > module before it is compressed.

18

> >

19

> > Bug: https://bugs.gentoo.org/show_bug.cgi?id=447352

20

> > Signed-off-by: Kenton Groombridge <concord@g.o>

21

> > ---

22

> >  eclass/linux-mod.eclass | 16 ++++++++++++++++

23

> >  1 file changed, 16 insertions(+)

24

> >

25

> > diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass

26

> > index b7c13cbf7e7..fd40f6d7c6c 100644

27

> > --- a/eclass/linux-mod.eclass

28

> > +++ b/eclass/linux-mod.eclass

29

> > @@ -712,6 +712,22 @@ linux-mod_src_install() {

30

> >                 cd "${objdir}" || die "${objdir} does not exist"

31

> >                 insinto

32

> > "${INSTALL_MOD_PATH}"/lib/modules/${KV_FULL}/${libdir}

33

> >

34

> > +               # check here for CONFIG_MODULE_SIG_ALL and sign the

35

> > module being built if enabled.

36

> > +               # modules must be signed before they are

37

> > compressed.

38

> > +

39

> > +               if linux_chkconfig_present MODULE_SIG_ALL; then

40

> > +                       local

41

> > module_sig_hash="$(linux_chkconfig_string MODULE_SIG_HASH)"

42

> > +                       local

43

> > module_sig_key="$(linux_chkconfig_string MODULE_SIG_KEY)"

44

> > +                       module_sig_key="${module_sig_key:-

45

> > certs/signing_key.pem}"

46

> > +                       if [[ "${module_sig_key#pkcs11:}" ==

47

> > "${module_sig_key}" && "${module_sig_key#/}" == "${module_sig_key}"

48

> > ]]; then

49

> > +                               local

50

> > key_path="${KERNEL_DIR}/${module_sig_key}"

51

> > +                       else

52

> > +                               local key_path="${module_sig_key}"

53

> > +                       fi

54

> > +                       local

55

> > cert_path="${KERNEL_DIR}/certs/signing_key.x509"

56

> > +                       "${KERNEL_DIR}"/scripts/sign-file

57

> > ${module_sig_hash//\"} ${key_path//\"} ${cert_path}

58

> > ${modulename}.${KV_OBJ}

59

> > +               fi

60

> > +

61

> >                 # check here for

62

> > CONFIG_MODULE_COMPRESS_<compression

63

> > option> (NONE, GZIP, XZ, ZSTD)

64

> >                 # and similarily compress the module being built if

65

> > != NONE.

66

> >

67

>

68

>

69

> Hi,

70

>

71

> I've spent some time in the past ( circa 2018 ) to get this in, but

72

> gave up due to various reasons, I was not a gentoo dev yet at the

73

> time.

74

>

75

> I can't see how posted implementation will work tbh.

76

> portage will strip signature out of the module, unless you prevent

77

> stripping completely or package uses EAPI>=7, and omits stripping

78

> modules via dostrip -x on the ko object.

79

> kernel will NOT load module with stripped signature.

80

>

81

> so either you have to sign in pkg_postinst phase, or prevent

82

> stripping.

83

> signing in postinst is not ideal, because if breaks recorded file

84

> checksums in vdb.

85

>

86

> here's old fork of eclass I made, maybe you can find some helpful

87

> code

88

> in there

89

>

90

> https://github.com/gyakovlev/linux-mod.eclass/blob/master/linux-mod.eclass

91

>

92

> old ML discussion we had:

93

> https://archives.gentoo.org/gentoo-dev/message/4b15b1c851f379a1f802e2f2895cdfa8

94

>

95

> You will also need a dependency on openssl, since sign-file uses it.

96

>

97

> lmk if you need more info, I might remember more details, but for now

98

> that's all I have. I'll try to help get it done, but my availability

99

> is

100

> spotty due to limited time.

101

102

after reading my old code again and thinking more I think I know what's

103

going on.

104

 1. I've actually solved checksum/strip problem by signing in pkg-

105

preinst

106

 2. my method will likely fail with compressed modules.

107

 3. your method likely works only if modules are compressed - because

108

portage does not strip those I think.

109

110

so looks like we need to combine both methods and do the following:

111

 - if signing requested without compression - sign in pkg_preinst.

112

 - if signing requested with compression - sign in src_install

113

114

Do I make sense? I still haven't tested it, just guessing as I read my

115

old bash code.

Gentoo Archives: gentoo-dev

Replies

1	On Sun, 2022-06-26 at 03:52 -0700, Georgy Yakovlev wrote:
2	> On Tue, 2022-06-21 at 14:19 -0400, Kenton Groombridge wrote:
3	> > eee74b9fca1 adds support for module compression, but this breaks
4	> > loading
5	> > out of tree modules when module signing is enforced because modules
6	> > must
7	> > be signed before they are compressed. Additionally, the recommended
8	> > Portage hook[1] no longer works with this change.
9	> >
10	> > Add module signing support in linux-mod.eclass which more or less
11	> > does
12	> > exactly what the aforementioned Portage hook does. If the kernel
13	> > configuration has CONFIG_MODULE_SIG_ALL=y, then read the hash and
14	> > keys
15	> > from the kernel configuration and call the sign_file tool to sign
16	> > the
17	> > module before it is compressed.
18	> >
19	> > Bug: https://bugs.gentoo.org/show_bug.cgi?id=447352
20	> > Signed-off-by: Kenton Groombridge <concord@g.o>
21	> > ---
22	> > eclass/linux-mod.eclass \| 16 ++++++++++++++++
23	> > 1 file changed, 16 insertions(+)
24	> >
25	> > diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass
26	> > index b7c13cbf7e7..fd40f6d7c6c 100644
27	> > --- a/eclass/linux-mod.eclass
28	> > +++ b/eclass/linux-mod.eclass
29	> > @@ -712,6 +712,22 @@ linux-mod_src_install() {
30	> > cd "${objdir}" \|\| die "${objdir} does not exist"
31	> > insinto
32	> > "${INSTALL_MOD_PATH}"/lib/modules/${KV_FULL}/${libdir}
33	> >
34	> > + # check here for CONFIG_MODULE_SIG_ALL and sign the
35	> > module being built if enabled.
36	> > + # modules must be signed before they are
37	> > compressed.
38	> > +
39	> > + if linux_chkconfig_present MODULE_SIG_ALL; then
40	> > + local
41	> > module_sig_hash="$(linux_chkconfig_string MODULE_SIG_HASH)"
42	> > + local
43	> > module_sig_key="$(linux_chkconfig_string MODULE_SIG_KEY)"
44	> > + module_sig_key="${module_sig_key:-
45	> > certs/signing_key.pem}"
46	> > + if [[ "${module_sig_key#pkcs11:}" ==
47	> > "${module_sig_key}" && "${module_sig_key#/}" == "${module_sig_key}"
48	> > ]]; then
49	> > + local
50	> > key_path="${KERNEL_DIR}/${module_sig_key}"
51	> > + else
52	> > + local key_path="${module_sig_key}"
53	> > + fi
54	> > + local
55	> > cert_path="${KERNEL_DIR}/certs/signing_key.x509"
56	> > + "${KERNEL_DIR}"/scripts/sign-file
57	> > ${module_sig_hash//\"} ${key_path//\"} ${cert_path}
58	> > ${modulename}.${KV_OBJ}
59	> > + fi
60	> > +
61	> > # check here for
62	> > CONFIG_MODULE_COMPRESS_<compression
63	> > option> (NONE, GZIP, XZ, ZSTD)
64	> > # and similarily compress the module being built if
65	> > != NONE.
66	> >
67	>
68	>
69	> Hi,
70	>
71	> I've spent some time in the past ( circa 2018 ) to get this in, but
72	> gave up due to various reasons, I was not a gentoo dev yet at the
73	> time.
74	>
75	> I can't see how posted implementation will work tbh.
76	> portage will strip signature out of the module, unless you prevent
77	> stripping completely or package uses EAPI>=7, and omits stripping
78	> modules via dostrip -x on the ko object.
79	> kernel will NOT load module with stripped signature.
80	>
81	> so either you have to sign in pkg_postinst phase, or prevent
82	> stripping.
83	> signing in postinst is not ideal, because if breaks recorded file
84	> checksums in vdb.
85	>
86	> here's old fork of eclass I made, maybe you can find some helpful
87	> code
88	> in there
89	>
90	> https://github.com/gyakovlev/linux-mod.eclass/blob/master/linux-mod.eclass
91	>
92	> old ML discussion we had:
93	> https://archives.gentoo.org/gentoo-dev/message/4b15b1c851f379a1f802e2f2895cdfa8
94	>
95	> You will also need a dependency on openssl, since sign-file uses it.
96	>
97	> lmk if you need more info, I might remember more details, but for now
98	> that's all I have. I'll try to help get it done, but my availability
99	> is
100	> spotty due to limited time.
101
102	after reading my old code again and thinking more I think I know what's
103	going on.
104	1. I've actually solved checksum/strip problem by signing in pkg-
105	preinst
106	2. my method will likely fail with compressed modules.
107	3. your method likely works only if modules are compressed - because
108	portage does not strip those I think.
109
110	so looks like we need to combine both methods and do the following:
111	- if signing requested without compression - sign in pkg_preinst.
112	- if signing requested with compression - sign in src_install
113
114	Do I make sense? I still haven't tested it, just guessing as I read my
115	old bash code.