1 |
Hi guys, |
2 |
|
3 |
I normally hang out on irc on #gentoo-kernel and a bunch of other #gentoo-* |
4 |
channels. I stumble across the discussion of bug 447352 [1] that was |
5 |
reported by a user that was enforcing module signatures on the kernel. This |
6 |
made me to this patch (I talked to Mike before doing this). |
7 |
|
8 |
Signed kernel modules require that the kernel is compiled with |
9 |
CONFIG_MODULE_SIG=y so that during compilation, the public key hash is |
10 |
stored in the kernel so that it can be verified later when insmod'ing an |
11 |
external module. There is no problem with in-tree modules, this are sign |
12 |
correctly and loaded, the problem is with out-of-the-tree modules installed |
13 |
by portage; this ones are not "signing ware". |
14 |
|
15 |
So this patch adds a new USE flag to the linux-mod.eclass named |
16 |
"module-signing". We enabled, it will check if the user has selected all |
17 |
the correct config options in the kernel, and optionally, where are the |
18 |
private and public parts of the key so that the module is signed and |
19 |
install time. If any of this fails, the installation of the module is |
20 |
aborted. |
21 |
|
22 |
From the end user's perspective, to add support for this, all the user |
23 |
has to do is enable CONFIG_MODULE_SIG in the kernel. If no keys are found |
24 |
during the build, one will be generated. If one wants to create a key |
25 |
himself, it's also possible to use that key; he just has to name the files |
26 |
signing_key.priv and signing_key.x509 and put them under /usr/src/linux. |
27 |
After the kernel is compiled, these keys can be moved elsewhere and the path |
28 |
to them specified in make.conf under the vars KERNEL_MODSECKEY and |
29 |
KERNEL_MODPUBKEY. |
30 |
|
31 |
Patch below for review, discussion and testing. |
32 |
Thanks, |
33 |
Carlos Silva |
34 |
|
35 |
[1] https://bugs.gentoo.org/show_bug.cgi?id=447352 |
36 |
|
37 |
|
38 |
--- linux-mod.eclass 2012-09-15 16:31:15.000000000 +0000 |
39 |
+++ linux-mod.eclass 2013-03-06 15:57:25.808173694 -0100 |
40 |
@@ -125,9 +125,10 @@ |
41 |
inherit eutils linux-info multilib |
42 |
EXPORT_FUNCTIONS pkg_setup pkg_preinst pkg_postinst src_install |
43 |
src_compile pkg_postrm |
44 |
|
45 |
-IUSE="kernel_linux" |
46 |
+IUSE="module-signing kernel_linux" |
47 |
SLOT="0" |
48 |
-RDEPEND="kernel_linux? ( virtual/modutils )" |
49 |
+RDEPEND="kernel_linux? ( virtual/modutils ) |
50 |
+ module-signing? ( dev-lang/perl dev-libs/openssl ) " |
51 |
DEPEND="${RDEPEND} |
52 |
sys-apps/sed |
53 |
kernel_linux? ( virtual/linux-sources )" |
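Review bot: The new `module-signing? ( dev-lang/perl dev-libs/openssl )` entry sits in RDEPEND, but as far as this patch shows, perl and openssl are only needed to run `scripts/sign-file` while the package is being built and installed. That makes them runtime dependencies of every package inheriting the eclass with the flag enabled. Moving the entry into the DEPEND string, next to `sys-apps/sed`, would keep the runtime set unchanged. Adding `module-signing` to IUSE here also exposes the flag on every inheriting ebuild, which deserves a line in the eclass documentation.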
54 |
@@ -208,6 +209,34 @@ |
55 |
fi |
56 |
} |
57 |
|
58 |
+ |
59 |
+# internal function |
60 |
+# |
61 |
+# FUNCTION: check_module_signing |
62 |
+# DESCRIPTION: |
63 |
+# Checks for KERNEL_MODSECKEY, KERNEL_MODPUBKEY and verifies the files |
64 |
exists |
65 |
+check_module_signing() { |
66 |
+ if ! use module-signing; then |
67 |
+ return 1 |
68 |
+ fi |
69 |
+ |
70 |
+ # Check that the configuration is correct |
71 |
+ KERNEL_MODSECKEY="${KERNEL_MODSECKEY:-${KV_DIR}/signing_key.priv}" |
72 |
+ KERNEL_MODPUBKEY="${KERNEL_MODPUBKEY:-${KV_DIR}/signing_key.x509}" |
73 |
+ if [ ! -z "${KERNEL_MODSECKEY}x" -a ! -e "${KERNEL_MODSECKEY}" ]; then |
74 |
+ eerror "KERNEL_MODSECKEY points to a missing file:" |
75 |
+ eerror "${KERNEL_MODSECKEY}" |
76 |
+ die "Invalid KERNEL_MODSECKEY" |
77 |
+ fi |
78 |
+ if [ ! -z "${KERNEL_MODPUBKEY}x" -a ! -e "${KERNEL_MODPUBKEY}" ]; then |
79 |
+ eerror "KERNEL_MODPUBKEY points to a missing file." |
80 |
+ eerror "${KERNEL_MODPUBKEY}" |
81 |
+ die "Invalid KERNEL_MODPUBKEY" |
82 |
+ fi |
83 |
+ |
84 |
+ return 0 |
85 |
+} |
86 |
+ |
87 |
# internal function |
88 |
# |
89 |
# FUNCTION: update_depmod |
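Review bot: In check_module_signing the `! -z "${KERNEL_MODSECKEY}x"` test is always true because of the appended `x`, so the only effective check is `-e`, which also accepts a directory or an unreadable file. A tighter form would be `[[ -f ${KERNEL_MODSECKEY} && -r ${KERNEL_MODSECKEY} ]] || die "Invalid KERNEL_MODSECKEY"`, and the same for KERNEL_MODPUBKEY. Since the default private key path is inside the kernel source tree, it may also be worth an `ewarn` when that file is group- or world-readable. The header comment should state that the function overwrites the global KERNEL_MODSECKEY and KERNEL_MODPUBKEY with defaults, returns 1 when the USE flag is off, and dies when a key file is missing.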
90 |
@@ -581,6 +610,10 @@ |
91 |
return |
92 |
fi |
93 |
|
94 |
+ if use module-signing; then |
95 |
+ CONFIG_CHECK+="${CONFIG_CHECK} MODULE_SIG" |
96 |
+ fi |
97 |
+ |
98 |
linux-info_pkg_setup; |
99 |
require_configured_kernel |
100 |
check_kernel_built; |
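Review bot: `CONFIG_CHECK+="${CONFIG_CHECK} MODULE_SIG"` appends the variable to itself, so an existing value such as `A B` becomes `A BA B MODULE_SIG`, fusing the last and first options into one bogus token. Either `CONFIG_CHECK+=" MODULE_SIG"` or `CONFIG_CHECK="${CONFIG_CHECK} MODULE_SIG"` gives the intended list. The line only happens to work when CONFIG_CHECK is empty. The enclosing function starts and ends outside the hunk, so whether ebuilds set CONFIG_CHECK before this point is not visible here.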
101 |
@@ -663,7 +696,7 @@ |
102 |
|
103 |
# This looks messy, but it is needed to handle multiple variables |
104 |
# being passed in the BUILD_* stuff where the variables also have |
105 |
- # spaces that must be preserved. If don't do this, then the stuff |
106 |
+ # spaces that must be preserved. If dont do this, then the stuff |
107 |
# inside the variables gets used as targets for Make, which then |
108 |
# fails. |
109 |
eval "emake HOSTCC=\"$(tc-getBUILD_CC)\" \ |
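Review bot: The only change in this hunk turns `don't` into `dont` in a comment, which looks like an accidental edit unrelated to module signing. Drop the hunk from the patch so the comment keeps its original spelling, or fix the sentence properly in a separate change.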
110 |
@@ -710,6 +743,12 @@ |
111 |
srcdir=${srcdir:-${S}} |
112 |
objdir=${objdir:-${srcdir}} |
113 |
|
114 |
+ if check_module_signing; then |
115 |
+ ebegin "Signing module ${modulename}" |
116 |
+ ${KV_DIR}/scripts/sign-file "${KERNEL_MODSECKEY}" "${KERNEL_MODPUBKEY}" |
117 |
"${objdir}/${modulename}.${KV_OBJ}" |
118 |
+ eend $? |
119 |
+ fi |
120 |
+ |
121 |
einfo "Installing ${modulename} module" |
122 |
cd "${objdir}" || die "${objdir} does not exist" |
123 |
insinto /lib/modules/${KV_FULL}/${libdir} |
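Review bot: A failed `sign-file` run is only reported through `eend $?` and the install then continues, so an unsigned module can be merged even though the description says a failure aborts the installation. On a kernel that enforces signatures that module will be refused at load time, so this should be `eend $? || die "Failed to sign ${modulename}"`. The command path should be quoted as `"${KV_DIR}/scripts/sign-file"` so a KV_DIR containing spaces does not split. The signature is appended to the .ko file, so if Portage strips the installed object afterwards the signature would presumably no longer verify. Confirm that stripping is disabled for these files, or that signing happens after it. The enclosing function starts and ends outside the hunk.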