1 |
On 22/06/26 04:15AM, Georgy Yakovlev wrote: |
2 |
> On Sun, 2022-06-26 at 03:52 -0700, Georgy Yakovlev wrote: |
3 |
> > On Tue, 2022-06-21 at 14:19 -0400, Kenton Groombridge wrote: |
4 |
> > > eee74b9fca1 adds support for module compression, but this breaks |
5 |
> > > loading |
6 |
> > > out of tree modules when module signing is enforced because modules |
7 |
> > > must |
8 |
> > > be signed before they are compressed. Additionally, the recommended |
9 |
> > > Portage hook[1] no longer works with this change. |
10 |
> > > |
11 |
> > > Add module signing support in linux-mod.eclass which more or less |
12 |
> > > does |
13 |
> > > exactly what the aforementioned Portage hook does. If the kernel |
14 |
> > > configuration has CONFIG_MODULE_SIG_ALL=y, then read the hash and |
15 |
> > > keys |
16 |
> > > from the kernel configuration and call the sign_file tool to sign |
17 |
> > > the |
18 |
> > > module before it is compressed. |
19 |
> > > |
20 |
> > > Bug: https://bugs.gentoo.org/show_bug.cgi?id=447352 |
21 |
> > > Signed-off-by: Kenton Groombridge <concord@g.o> |
22 |
> > > --- |
23 |
> > > eclass/linux-mod.eclass | 16 ++++++++++++++++ |
24 |
> > > 1 file changed, 16 insertions(+) |
25 |
> > > |
26 |
> > > diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass |
27 |
> > > index b7c13cbf7e7..fd40f6d7c6c 100644 |
28 |
> > > --- a/eclass/linux-mod.eclass |
29 |
> > > +++ b/eclass/linux-mod.eclass |
30 |
> > > @@ -712,6 +712,22 @@ linux-mod_src_install() { |
31 |
> > > cd "${objdir}" || die "${objdir} does not exist" |
32 |
> > > insinto |
33 |
> > > "${INSTALL_MOD_PATH}"/lib/modules/${KV_FULL}/${libdir} |
34 |
> > > |
35 |
> > > + # check here for CONFIG_MODULE_SIG_ALL and sign the |
36 |
> > > module being built if enabled. |
37 |
> > > + # modules must be signed before they are |
38 |
> > > compressed. |
39 |
> > > + |
40 |
> > > + if linux_chkconfig_present MODULE_SIG_ALL; then |
41 |
> > > + local |
42 |
> > > module_sig_hash="$(linux_chkconfig_string MODULE_SIG_HASH)" |
43 |
> > > + local |
44 |
> > > module_sig_key="$(linux_chkconfig_string MODULE_SIG_KEY)" |
45 |
> > > + module_sig_key="${module_sig_key:- |
46 |
> > > certs/signing_key.pem}" |
47 |
> > > + if [[ "${module_sig_key#pkcs11:}" == |
48 |
> > > "${module_sig_key}" && "${module_sig_key#/}" == "${module_sig_key}" |
49 |
> > > ]]; then |
50 |
> > > + local |
51 |
> > > key_path="${KERNEL_DIR}/${module_sig_key}" |
52 |
> > > + else |
53 |
> > > + local key_path="${module_sig_key}" |
54 |
> > > + fi |
55 |
> > > + local |
56 |
> > > cert_path="${KERNEL_DIR}/certs/signing_key.x509" |
57 |
> > > + "${KERNEL_DIR}"/scripts/sign-file |
58 |
> > > ${module_sig_hash//\"} ${key_path//\"} ${cert_path} |
59 |
> > > ${modulename}.${KV_OBJ} |
60 |
> > > + fi |
61 |
> > > + |
62 |
> > > # check here for |
63 |
> > > CONFIG_MODULE_COMPRESS_<compression |
64 |
> > > option> (NONE, GZIP, XZ, ZSTD) |
65 |
> > > # and similarily compress the module being built if |
66 |
> > > != NONE. |
67 |
> > > |
68 |
> > |
69 |
> > |
70 |
> > Hi, |
71 |
> > |
72 |
> > I've spent some time in the past ( circa 2018 ) to get this in, but |
73 |
> > gave up due to various reasons, I was not a gentoo dev yet at the |
74 |
> > time. |
75 |
> > |
76 |
> > I can't see how posted implementation will work tbh. |
77 |
> > portage will strip signature out of the module, unless you prevent |
78 |
> > stripping completely or package uses EAPI>=7, and omits stripping |
79 |
> > modules via dostrip -x on the ko object. |
80 |
> > kernel will NOT load module with stripped signature. |
81 |
> > |
82 |
> > so either you have to sign in pkg_postinst phase, or prevent |
83 |
> > stripping. |
84 |
> > signing in postinst is not ideal, because if breaks recorded file |
85 |
> > checksums in vdb. |
86 |
> > |
87 |
> > here's old fork of eclass I made, maybe you can find some helpful |
88 |
> > code |
89 |
> > in there |
90 |
> > |
91 |
> > https://github.com/gyakovlev/linux-mod.eclass/blob/master/linux-mod.eclass |
92 |
> > |
93 |
> > old ML discussion we had: |
94 |
> > https://archives.gentoo.org/gentoo-dev/message/4b15b1c851f379a1f802e2f2895cdfa8 |
95 |
> > |
96 |
> > You will also need a dependency on openssl, since sign-file uses it. |
97 |
> > |
98 |
> > lmk if you need more info, I might remember more details, but for now |
99 |
> > that's all I have. I'll try to help get it done, but my availability |
100 |
> > is |
101 |
> > spotty due to limited time. |
102 |
> |
103 |
> after reading my old code again and thinking more I think I know what's |
104 |
> going on. |
105 |
> 1. I've actually solved checksum/strip problem by signing in pkg- |
106 |
> preinst |
107 |
> 2. my method will likely fail with compressed modules. |
108 |
> 3. your method likely works only if modules are compressed - because |
109 |
> portage does not strip those I think. |
110 |
> |
111 |
|
112 |
This is exactly what I was thinking. I'm pretty sure I wasn't seeing the |
113 |
problematic signature stripping behavior because I have module |
114 |
compression enabled. |
115 |
|
116 |
Also good point about the OpenSSL dependency. That's something I didn't |
117 |
consider. |
118 |
|
119 |
> so looks like we need to combine both methods and do the following: |
120 |
> - if signing requested without compression - sign in pkg_preinst. |
121 |
> - if signing requested with compression - sign in src_install |
122 |
> |
123 |
|
124 |
Why can't we do both in pkg_preinst? I am thinking it would be best if |
125 |
we drop the current compression implementation and rework your old code |
126 |
to handle both compression and signing since the signing code is more or |
127 |
less already complete. |
128 |
|
129 |
> Do I make sense? I still haven't tested it, just guessing as I read my |
130 |
> old bash code. |
131 |
> |