On 6/21/22 14:21, Kenton Groombridge wrote:
> On 22/06/21 02:19PM, Kenton Groombridge wrote:
>> eee74b9fca1 adds support for module compression, but this breaks loading
>> out of tree modules when module signing is enforced because modules must
>> be signed before they are compressed. Additionally, the recommended
>> Portage hook[1] no longer works with this change.
>>
>
> Forgot to include this reference:
>
> [1] https://wiki.gentoo.org/wiki/Signed_kernel_module_support#Automatically_signing_kernel_modules_.28Portage.29
>
>> Add module signing support in linux-mod.eclass which more or less does
>> exactly what the aforementioned Portage hook does. If the kernel
>> configuration has CONFIG_MODULE_SIG_ALL=y, then read the hash and keys
>> from the kernel configuration and call the sign_file tool to sign the
>> module before it is compressed.
>>
>> Bug: https://bugs.gentoo.org/show_bug.cgi?id=447352
>> Signed-off-by: Kenton Groombridge <concord@g.o>
>> ---
>> eclass/linux-mod.eclass | 16 ++++++++++++++++
>> 1 file changed, 16 insertions(+)
>>
>> diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass
>> index b7c13cbf7e7..fd40f6d7c6c 100644
>> --- a/eclass/linux-mod.eclass
>> +++ b/eclass/linux-mod.eclass
>> @@ -712,6 +712,22 @@ linux-mod_src_install() {
>> cd "${objdir}" || die "${objdir} does not exist"
>> insinto "${INSTALL_MOD_PATH}"/lib/modules/${KV_FULL}/${libdir}
>>
>> + # check here for CONFIG_MODULE_SIG_ALL and sign the module being built if enabled.
>> + # modules must be signed before they are compressed.
>> +
>> + if linux_chkconfig_present MODULE_SIG_ALL; then
>> + local module_sig_hash="$(linux_chkconfig_string MODULE_SIG_HASH)"
>> + local module_sig_key="$(linux_chkconfig_string MODULE_SIG_KEY)"
>> + module_sig_key="${module_sig_key:-certs/signing_key.pem}"
>> + if [[ "${module_sig_key#pkcs11:}" == "${module_sig_key}" && "${module_sig_key#/}" == "${module_sig_key}" ]]; then
>> + local key_path="${KERNEL_DIR}/${module_sig_key}"
>> + else
>> + local key_path="${module_sig_key}"
>> + fi
>> + local cert_path="${KERNEL_DIR}/certs/signing_key.x509"
>> + "${KERNEL_DIR}"/scripts/sign-file ${module_sig_hash//\"} ${key_path//\"} ${cert_path} ${modulename}.${KV_OBJ}
>> + fi
>> +
>> # check here for CONFIG_MODULE_COMPRESS_<compression option> (NONE, GZIP, XZ, ZSTD)
>> # and similarily compress the module being built if != NONE.
>>
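Review bot: the sign-file call appends the signature to the copy in ${objdir} and nothing afterwards guards it, which is exactly what the extract-module-sig.pl output further down shows: the work copy carries a 681-byte PKCS#7 trailer, while the installed copy in image has no magic number and is a different size (47227784 vs 47802433 bytes), so the module is rewritten after this step and the appended trailer is lost. The trailer is not an ELF section, so any tool that rewrites the object after signing (the post-src_install strip pass is the usual one) drops it; strip the module yourself before calling sign-file and keep the installed path out of later stripping (dostrip -x in EAPI 7+, or RESTRICT=strip), or at least re-check the installed copy before the phase ends. Two smaller points in the same block: `"${KERNEL_DIR}"/scripts/sign-file ${module_sig_hash//\"} ${key_path//\"} ${cert_path} ${modulename}.${KV_OBJ}` has no `|| die`, so a missing key, an unknown hash name or a failing sign-file leaves an unsigned module in the image without any error, which silently defeats CONFIG_MODULE_SIG_ALL; and the key, certs/signing_key.x509 and scripts/sign-file are all resolved under ${KERNEL_DIR}, whereas a kernel built with a separate output directory writes them into that output tree (KV_OUT_DIR in linux-info.eclass), so the relative-path branch should be rooted there rather than in the source tree.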
>> --
>> 2.35.1
>>
>>

First of all, thank you for your work!
I appreciate any assistance with enhancement or clean-up of these eclasses.

I tested your patch; are you signing the files in 'work' after they are installed in 'image'?


/usr/src/linux/scripts/extract-module-sig.pl -s ./work/kernel/nvidia.ko > /tmp/sig
Read 47802433 bytes from module file
Found magic number at 47802433
Found PKCS#7/CMS encapsulation
Found 681 bytes of signature [308202a506092a864886f70d010702a0]

/usr/src/linux/scripts/extract-module-sig.pl -s ./image/lib/modules/5.18.6-gentoo/video/nvidia.ko > /tmp/sig
Read 47227784 bytes from module file
Magic number not found at 47227784


Mike


--
Mike Pagano
Gentoo Developer - Kernel Project
Gentoo Sources - Lead
E-Mail : mpagano@g.o
GnuPG FP : 52CC A0B0 F631 0B17 0142 F83F 92A6 DBEC 81F2 B137
Public Key : http://http://pgp.mit.edu/pks/lookup?search=0x92A6DBEC81F2B137&op=index
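The commit message's premise (a module has to be signed before it is compressed) and the extract-module-sig.pl checks in the reply above both come down to the trailer that scripts/sign-file appends to a .ko. The following is an added example for this thread, not code from linux-mod.eclass, the kernel tree or the patch: it reproduces that trailer layout, checks for it the way extract-module-sig.pl does (magic at the end, PKCS#7/CMS encapsulation, then sig_len bytes of signature), and shows that the order of signing and gzip compression decides whether a loader that decompresses first can find the signature at all. FAKE_MODULE and FAKE_PKCS7 are constructed stand-ins (the blob merely borrows the length and leading bytes seen in the thread's output; a real one comes from sign-file and the key in CONFIG_MODULE_SIG_KEY), and loader_view models the in-kernel gzip path only in the sense that bytes after the compressed stream are not module data.

```python
"""Module-signature trailer as written by the kernel's scripts/sign-file.

Added example for this thread; not code from linux-mod.eclass, the kernel
tree or the patch under review.  FAKE_MODULE and FAKE_PKCS7 are constructed
stand-ins; only the trailer layout and the loader-side check are the kernel's.
"""
import gzip
import struct
import zlib
from typing import Optional

# What sign-file appends to a .ko:
#   <PKCS#7 DER> <struct module_signature, 12 bytes> <MAGIC, 28 bytes>
MAGIC = b"~Module signature appended~\n"
PKEY_ID_PKCS7 = 2  # id_type sign-file writes for PKCS#7/CMS signatures
# struct module_signature { u8 algo, hash, id_type, signer_len, key_id_len, __pad[3]; __be32 sig_len; }
SIG_INFO = struct.Struct(">BBBBB3xI")

# Constructed inputs (not a real .ko, not a real signature).
FAKE_MODULE = b"\x7fELF" + bytes(range(256)) * 8
FAKE_PKCS7 = bytes.fromhex("308202a506092a864886f70d010702a0") + b"\x00" * 665  # 681 bytes


def append_signature(module: bytes, pkcs7_der: bytes) -> bytes:
    """Produce the bytes sign-file writes for a module: data, DER blob, info, magic."""
    info = SIG_INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7_der))
    return module + pkcs7_der + info + MAGIC


def parse_signature(data: bytes) -> Optional[bytes]:
    """Return the PKCS#7 blob if `data` ends in a valid trailer, else None.

    Same checks extract-module-sig.pl reports as it goes: magic at the end,
    PKCS#7/CMS encapsulation, then sig_len bytes of signature before the info.
    """
    if not data.endswith(MAGIC):
        return None
    body = data[: -len(MAGIC)]
    if len(body) < SIG_INFO.size:
        return None
    algo, hash_, id_type, signer_len, key_id_len, sig_len = SIG_INFO.unpack(body[-SIG_INFO.size :])
    body = body[: -SIG_INFO.size]
    # For PKCS#7 every other field is zero; signer and key id live inside the DER.
    if id_type != PKEY_ID_PKCS7 or (algo, hash_, signer_len, key_id_len) != (0, 0, 0, 0):
        return None
    if sig_len == 0 or sig_len > len(body):
        return None
    return body[len(body) - sig_len :]


def loader_view(compressed_ko: bytes) -> bytes:
    """Model the loader's gzip path: inflate one stream; bytes after it are not module data."""
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)
    return d.decompress(compressed_ko) + d.flush()


def sign_then_compress(module: bytes, pkcs7_der: bytes) -> bytes:
    """The order the patch enforces: the trailer travels inside the compressed stream."""
    return gzip.compress(append_signature(module, pkcs7_der))


def compress_then_sign(module: bytes, pkcs7_der: bytes) -> bytes:
    """The broken order: the trailer sits after the stream and vanishes on decompression."""
    return append_signature(gzip.compress(module), pkcs7_der)


def loader_finds_signature(compressed_ko: bytes) -> bool:
    """What a signature-enforcing loader effectively asks after decompressing."""
    return parse_signature(loader_view(compressed_ko)) is not None


if __name__ == "__main__":
    signed = append_signature(FAKE_MODULE, FAKE_PKCS7)
    print("signed module carries", len(parse_signature(signed)), "bytes of signature")
    print("sign, then compress -> loader finds signature:",
          loader_finds_signature(sign_then_compress(FAKE_MODULE, FAKE_PKCS7)))
    print("compress, then sign -> loader finds signature:",
          loader_finds_signature(compress_then_sign(FAKE_MODULE, FAKE_PKCS7)))
    # A tool that rewrites the ELF after signing emits only the ELF image; the trailer is gone.
    print("rewritten ELF still signed:", parse_signature(signed[: len(FAKE_MODULE)]) is not None)
```

The same check is what to run against the copy in ${D} (or image) rather than the one in ${objdir}: a signature that is present in the build directory but absent after install is the symptom reported in the reply above, and it is the installed file that the kernel will verify.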