Gentoo Archives: gentoo-dev

From: Carlos Silva <r3pek@×××××.org>
To: gentoo-dev@l.g.o
Subject: [gentoo-dev] [RFC] patch linux-mod.eclass to add support for module signing
Date: Wed, 06 Mar 2013 19:26:05
Message-Id: CA+ZvHYHJEa+9BXkFd6hjMQNyptC1PD+Qxx8ue4CCtLD6DH-xBw@mail.gmail.com
1 Hi guys,
2
3 I normally hang out on irc on #gentoo-kernel and a bunch of other #gentoo-*
4 channels. I stumble across the discussion of bug 447352 [1] that was
5 reported by a user that was enforcing module signatures on the kernel. This
6 made me to this patch (I talked to Mike before doing this).
7
8 Signed kernel modules require that the kernel is compiled with
9 CONFIG_MODULE_SIG=y so that during compilation, the public key hash is
10 stored in the kernel so that it can be verified later when insmod'ing an
11 external module. There is no problem with in-tree modules, this are sign
12 correctly and loaded, the problem is with out-of-the-tree modules installed
13 by portage; this ones are not "signing ware".
14
15 So this patch adds a new USE flag to the linux-mod.eclass named
16 "module-signing". We enabled, it will check if the user has selected all
17 the correct config options in the kernel, and optionally, where are the
18 private and public parts of the key so that the module is signed and
19 install time. If any of this fails, the installation of the module is
20 aborted.
21
22 From the end user perspective, if he wants to add support for this, all he
23 has to do is enable CONFIG_MODULE_SIG in the kernel. If no keys are found
24 during the build, it will be generated one. If one wants to create a key
25 himself, it's also possible to use this key, he just has to name it
26 signing_key.priv and siging_key.x509 and put it under /usr/src/linux.
27 After the kernel is compiled, this keys can be moved elsewhere and the path
28 to them specified in make.conf under the vars KERNEL_MODSECKEY and
29 KERNEL_MODPUBKEY.
30
31 Patch below for review, discussion and testing.
32 Thanks,
33 Carlos Silva
34
35 [1] https://bugs.gentoo.org/show_bug.cgi?id=447352
36
37
38 --- linux-mod.eclass 2012-09-15 16:31:15.000000000 +0000
39 +++ linux-mod.eclass 2013-03-06 15:57:25.808173694 -0100
40 @@ -125,9 +125,10 @@
41 inherit eutils linux-info multilib
42 EXPORT_FUNCTIONS pkg_setup pkg_preinst pkg_postinst src_install
43 src_compile pkg_postrm
44
45 -IUSE="kernel_linux"
46 +IUSE="module-signing kernel_linux"
47 SLOT="0"
48 -RDEPEND="kernel_linux? ( virtual/modutils )"
49 +RDEPEND="kernel_linux? ( virtual/modutils )
50 + module-signing? ( dev-lang/perl dev-libs/openssl ) "
51 DEPEND="${RDEPEND}
52 sys-apps/sed
53 kernel_linux? ( virtual/linux-sources )"
54 @@ -208,6 +209,34 @@
55 fi
56 }
57
58 +
59 +# internal function
60 +#
61 +# FUNCTION: check_module_signing
62 +# DESCRIPTION:
63 +# Checks for KERNEL_MODSECKEY, KERNEL_MODPUBKEY and verifies the files
64 exists
65 +check_module_signing() {
66 + if ! use module-signing; then
67 + return 1
68 + fi
69 +
70 + # Check that the configuration is correct
71 + KERNEL_MODSECKEY="${KERNEL_MODSECKEY:-${KV_DIR}/signing_key.priv}"
72 + KERNEL_MODPUBKEY="${KERNEL_MODPUBKEY:-${KV_DIR}/signing_key.x509}"
73 + if [ ! -z "${KERNEL_MODSECKEY}x" -a ! -e "${KERNEL_MODSECKEY}" ]; then
74 + eerror "KERNEL_MODSECKEY points to a missing file:"
75 + eerror "${KERNEL_MODSECKEY}"
76 + die "Invalid KERNEL_MODSECKEY"
77 + fi
78 + if [ ! -z "${KERNEL_MODPUBKEY}x" -a ! -e "${KERNEL_MODPUBKEY}" ]; then
79 + eerror "KERNEL_MODPUBKEY points to a missing file."
80 + eerror "${KERNEL_MODPUBKEY}"
81 + die "Invalid KERNEL_MODPUBKEY"
82 + fi
83 +
84 + return 0
85 +}
86 +
87 # internal function
88 #
89 # FUNCTION: update_depmod
90 @@ -581,6 +610,10 @@
91 return
92 fi
93
94 + if use module-signing; then
95 + CONFIG_CHECK+="${CONFIG_CHECK} MODULE_SIG"
96 + fi
97 +
98 linux-info_pkg_setup;
99 require_configured_kernel
100 check_kernel_built;
101 @@ -663,7 +696,7 @@
102
103 # This looks messy, but it is needed to handle multiple variables
104 # being passed in the BUILD_* stuff where the variables also have
105 - # spaces that must be preserved. If don't do this, then the stuff
106 + # spaces that must be preserved. If dont do this, then the stuff
107 # inside the variables gets used as targets for Make, which then
108 # fails.
109 eval "emake HOSTCC=\"$(tc-getBUILD_CC)\" \
110 @@ -710,6 +743,12 @@
111 srcdir=${srcdir:-${S}}
112 objdir=${objdir:-${srcdir}}
113
114 + if check_module_signing; then
115 + ebegin "Signing module ${modulename}"
116 + ${KV_DIR}/scripts/sign-file "${KERNEL_MODSECKEY}" "${KERNEL_MODPUBKEY}"
117 "${objdir}/${modulename}.${KV_OBJ}"
118 + eend $?
119 + fi
120 +
121 einfo "Installing ${modulename} module"
122 cd "${objdir}" || die "${objdir} does not exist"
123 insinto /lib/modules/${KV_FULL}/${libdir}

Replies