Gentoo Archives: gentoo-dev

From: Kenton Groombridge <concord@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing
Date: Mon, 27 Jun 2022 18:35:41
Message-Id: 20220627183531.palnmdpvgzf44ssk@fuuko
In Reply to: Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing by Georgy Yakovlev
1 On 22/06/26 04:15AM, Georgy Yakovlev wrote:
2 > On Sun, 2022-06-26 at 03:52 -0700, Georgy Yakovlev wrote:
3 > > On Tue, 2022-06-21 at 14:19 -0400, Kenton Groombridge wrote:
4 > > > eee74b9fca1 adds support for module compression, but this breaks
5 > > > loading
6 > > > out of tree modules when module signing is enforced because modules
7 > > > must
8 > > > be signed before they are compressed. Additionally, the recommended
9 > > > Portage hook[1] no longer works with this change.
10 > > >
11 > > > Add module signing support in linux-mod.eclass which more or less
12 > > > does
13 > > > exactly what the aforementioned Portage hook does. If the kernel
14 > > > configuration has CONFIG_MODULE_SIG_ALL=y, then read the hash and
15 > > > keys
16 > > > from the kernel configuration and call the sign_file tool to sign
17 > > > the
18 > > > module before it is compressed.
19 > > >
20 > > > Bug: https://bugs.gentoo.org/show_bug.cgi?id=447352
21 > > > Signed-off-by: Kenton Groombridge <concord@g.o>
22 > > > ---
23 > > >  eclass/linux-mod.eclass | 16 ++++++++++++++++
24 > > >  1 file changed, 16 insertions(+)
25 > > >
26 > > > diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass
27 > > > index b7c13cbf7e7..fd40f6d7c6c 100644
28 > > > --- a/eclass/linux-mod.eclass
29 > > > +++ b/eclass/linux-mod.eclass
30 > > > @@ -712,6 +712,22 @@ linux-mod_src_install() {
31 > > >                 cd "${objdir}" || die "${objdir} does not exist"
32 > > >                 insinto
33 > > > "${INSTALL_MOD_PATH}"/lib/modules/${KV_FULL}/${libdir}
34 > > >  
35 > > > +               # check here for CONFIG_MODULE_SIG_ALL and sign the
36 > > > module being built if enabled.
37 > > > +               # modules must be signed before they are
38 > > > compressed.
39 > > > +
40 > > > +               if linux_chkconfig_present MODULE_SIG_ALL; then
41 > > > +                       local
42 > > > module_sig_hash="$(linux_chkconfig_string MODULE_SIG_HASH)"
43 > > > +                       local
44 > > > module_sig_key="$(linux_chkconfig_string MODULE_SIG_KEY)"
45 > > > +                       module_sig_key="${module_sig_key:-
46 > > > certs/signing_key.pem}"
47 > > > +                       if [[ "${module_sig_key#pkcs11:}" ==
48 > > > "${module_sig_key}" && "${module_sig_key#/}" == "${module_sig_key}"
49 > > > ]]; then
50 > > > +                               local
51 > > > key_path="${KERNEL_DIR}/${module_sig_key}"
52 > > > +                       else
53 > > > +                               local key_path="${module_sig_key}"
54 > > > +                       fi
55 > > > +                       local
56 > > > cert_path="${KERNEL_DIR}/certs/signing_key.x509"
57 > > > +                       "${KERNEL_DIR}"/scripts/sign-file
58 > > > ${module_sig_hash//\"} ${key_path//\"} ${cert_path}
59 > > > ${modulename}.${KV_OBJ}
60 > > > +               fi
61 > > > +
62 > > >                 # check here for
63 > > > CONFIG_MODULE_COMPRESS_<compression
64 > > > option> (NONE, GZIP, XZ, ZSTD)
65 > > >                 # and similarily compress the module being built if
66 > > > != NONE.
67 > > >  
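Review bot: the `sign-file` call at the end of the added block has no `|| die`, so a missing key, an unreadable certificate or a failing sign-file run leaves an unsigned module in the image without any error; append `|| die "signing ${modulename}.${KV_OBJ} failed"`. Its arguments `${module_sig_hash//\"}`, `${key_path//\"}` and `${cert_path}` are unquoted, so a KERNEL_DIR or key path containing whitespace is split into several words. `cert_path` is fixed to `${KERNEL_DIR}/certs/signing_key.x509` even when MODULE_SIG_KEY is an absolute path or a `pkcs11:` URI, which deserves a comment or a check that the file exists, and the `local var="$(...)"` declarations hide a failing `linux_chkconfig_string`.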
68 > >
69 > >
70 > > Hi,
71 > >
72 > > I've spent some time in the past ( circa 2018 ) to get this in, but
73 > > gave up due to various reasons, I was not a gentoo dev yet at the
74 > > time.
75 > >
76 > > I can't see how posted implementation will work tbh.
77 > > portage will strip signature out of the module, unless you prevent
78 > > stripping completely or package uses EAPI>=7, and omits stripping
79 > > modules via dostrip -x on the ko object.
80 > > kernel will NOT load module with stripped signature.
81 > >
82 > > so either you have to sign in pkg_postinst phase, or prevent
83 > > stripping.
84 > > signing in postinst is not ideal, because it breaks recorded file
85 > > checksums in vdb.
86 > >
87 > > here's old fork of eclass I made, maybe you can find some helpful
88 > > code
89 > > in there
90 > >
91 > > https://github.com/gyakovlev/linux-mod.eclass/blob/master/linux-mod.eclass
92 > >
93 > > old ML discussion we had:
94 > > https://archives.gentoo.org/gentoo-dev/message/4b15b1c851f379a1f802e2f2895cdfa8
95 > >
96 > > You will also need a dependency on openssl, since sign-file uses it.
97 > >
98 > > lmk if you need more info, I might remember more details, but for now
99 > > that's all I have. I'll try to help get it done, but my availability
100 > > is
101 > > spotty due to limited time.
102 >
103 > after reading my old code again and thinking more I think I know what's
104 > going on.
105 > 1. I've actually solved checksum/strip problem by signing in pkg-
106 > preinst
107 > 2. my method will likely fail with compressed modules.
108 > 3. your method likely works only if modules are compressed - because
109 > portage does not strip those I think.
110 >
111
112 This is exactly what I was thinking. I'm pretty sure I wasn't seeing the
113 problematic signature stripping behavior because I have module
114 compression enabled.
115
116 Also good point about the OpenSSL dependency. That's something I didn't
117 consider.
118
119 > so looks like we need to combine both methods and do the following:
120 > - if signing requested without compression - sign in pkg_preinst.
121 > - if signing requested with compression - sign in src_install
122 >
123
124 Why can't we do both in pkg_preinst? I am thinking it would be best if
125 we drop the current compression implementation and rework your old code
126 to handle both compression and signing since the signing code is more or
127 less already complete.
128
129 > Do I make sense? I still haven't tested it, just guessing as I read my
130 > old bash code.
131 >
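The failure mode discussed in this thread, a signature that is lost when the module is stripped after signing, can be checked for on the installed files. The following is an added example, not part of the patch or of linux-mod.eclass; the function names and the directory argument are hypothetical, only plain and gzip-compressed modules are handled, and it tests for the presence of the signature trailer, not for the validity of the signature.

```shell
#!/bin/sh
# Added example, not code from linux-mod.eclass.
# A signed module ends with this 28-byte trailer (27 characters plus a
# newline; MODULE_SIG_STRING in the kernel source). Stripping the file
# after signing discards the appended data, trailer included.
MODULE_SIG_MAGIC='~Module signature appended~'

# Hex dump of the last 28 bytes of stdin; hex keeps NUL bytes intact.
tail_hex() {
    tail -c 28 | od -An -tx1 | tr -d ' \n'
}

# module_has_signature FILE -> 0 trailer present, 1 absent, 2 unreadable.
# Handles .ko and .ko.gz; other compressors are left out of this example.
module_has_signature() {
    [ -r "$1" ] || return 2
    want=$(printf '%s\n' "$MODULE_SIG_MAGIC" | tail_hex)
    case $1 in
        *.gz) have=$(gzip -dc -- "$1" | tail_hex) ;;
        *)    have=$(tail_hex < "$1") ;;
    esac
    [ "$have" = "$want" ]
}

# list_unsigned_modules DIR: print each module under DIR that lacks the
# trailer. DIR is a hypothetical path, e.g. an image or modules directory.
list_unsigned_modules() {
    find "$1" -type f \( -name '*.ko' -o -name '*.ko.gz' \) |
    LC_ALL=C sort |
    while IFS= read -r mod; do
        module_has_signature "$mod" || printf '%s\n' "$mod"
    done
}
```

Run against the image directory after the install phase, a non-empty result with signing enabled means the signature was removed between sign-file and merge.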
