1 |
On Mon, 2022-06-27 at 14:35 -0400, Kenton Groombridge wrote: |
2 |
> On 22/06/26 04:15AM, Georgy Yakovlev wrote: |
3 |
> > On Sun, 2022-06-26 at 03:52 -0700, Georgy Yakovlev wrote: |
4 |
> > > On Tue, 2022-06-21 at 14:19 -0400, Kenton Groombridge wrote: |
5 |
> > > > eee74b9fca1 adds support for module compression, but this |
6 |
> > > > breaks |
7 |
> > > > loading |
8 |
> > > > out of tree modules when module signing is enforced because |
9 |
> > > > modules |
10 |
> > > > must |
11 |
> > > > be signed before they are compressed. Additionally, the |
12 |
> > > > recommended |
13 |
> > > > Portage hook[1] no longer works with this change. |
14 |
> > > > |
15 |
> > > > Add module signing support in linux-mod.eclass which more or |
16 |
> > > > less |
17 |
> > > > does |
18 |
> > > > exactly what the aforementioned Portage hook does. If the |
19 |
> > > > kernel |
20 |
> > > > configuration has CONFIG_MODULE_SIG_ALL=y, then read the hash |
21 |
> > > > and |
22 |
> > > > keys |
23 |
> > > > from the kernel configuration and call the sign_file tool to |
24 |
> > > > sign |
25 |
> > > > the |
26 |
> > > > module before it is compressed. |
27 |
> > > > |
28 |
> > > > Bug: https://bugs.gentoo.org/show_bug.cgi?id=447352 |
29 |
> > > > Signed-off-by: Kenton Groombridge <concord@g.o> |
30 |
> > > > --- |
31 |
> > > > eclass/linux-mod.eclass | 16 ++++++++++++++++ |
32 |
> > > > 1 file changed, 16 insertions(+) |
33 |
> > > > |
34 |
> > > > diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass |
35 |
> > > > index b7c13cbf7e7..fd40f6d7c6c 100644 |
36 |
> > > > --- a/eclass/linux-mod.eclass |
37 |
> > > > +++ b/eclass/linux-mod.eclass |
38 |
> > > > @@ -712,6 +712,22 @@ linux-mod_src_install() { |
39 |
> > > > cd "${objdir}" || die "${objdir} does not |
40 |
> > > > exist" |
41 |
> > > > insinto |
42 |
> > > > "${INSTALL_MOD_PATH}"/lib/modules/${KV_FULL}/${libdir} |
43 |
> > > > |
44 |
> > > > + # check here for CONFIG_MODULE_SIG_ALL and sign |
45 |
> > > > the |
46 |
> > > > module being built if enabled. |
47 |
> > > > + # modules must be signed before they are |
48 |
> > > > compressed. |
49 |
> > > > + |
50 |
> > > > + if linux_chkconfig_present MODULE_SIG_ALL; then |
51 |
> > > > + local |
52 |
> > > > module_sig_hash="$(linux_chkconfig_string MODULE_SIG_HASH)" |
53 |
> > > > + local |
54 |
> > > > module_sig_key="$(linux_chkconfig_string MODULE_SIG_KEY)" |
55 |
> > > > + module_sig_key="${module_sig_key:- |
56 |
> > > > certs/signing_key.pem}" |
57 |
> > > > + if [[ "${module_sig_key#pkcs11:}" == |
58 |
> > > > "${module_sig_key}" && "${module_sig_key#/}" == |
59 |
> > > > "${module_sig_key}" |
60 |
> > > > ]]; then |
61 |
> > > > + local |
62 |
> > > > key_path="${KERNEL_DIR}/${module_sig_key}" |
63 |
> > > > + else |
64 |
> > > > + local |
65 |
> > > > key_path="${module_sig_key}" |
66 |
> > > > + fi |
67 |
> > > > + local |
68 |
> > > > cert_path="${KERNEL_DIR}/certs/signing_key.x509" |
69 |
> > > > + "${KERNEL_DIR}"/scripts/sign-file |
70 |
> > > > ${module_sig_hash//\"} ${key_path//\"} ${cert_path} |
71 |
> > > > ${modulename}.${KV_OBJ} |
72 |
> > > > + fi |
73 |
> > > > + |
74 |
> > > > # check here for |
75 |
> > > > CONFIG_MODULE_COMPRESS_<compression |
76 |
> > > > option> (NONE, GZIP, XZ, ZSTD) |
77 |
> > > > # and similarily compress the module being |
78 |
> > > > built if |
79 |
> > > > != NONE. |
80 |
> > > > |
81 |
> > > |
82 |
> > > |
83 |
> > > Hi, |
84 |
> > > |
85 |
> > > I've spent some time in the past ( circa 2018 ) to get this in, |
86 |
> > > but |
87 |
> > > gave up due to various reasons, I was not a gentoo dev yet at the |
88 |
> > > time. |
89 |
> > > |
90 |
> > > I can't see how posted implementation will work tbh. |
91 |
> > > portage will strip signature out of the module, unless you |
92 |
> > > prevent |
93 |
> > > stripping completely or package uses EAPI>=7, and omits stripping |
94 |
> > > modules via dostrip -x on the ko object. |
95 |
> > > kernel will NOT load module with stripped signature. |
96 |
> > > |
97 |
> > > so either you have to sign in pkg_postinst phase, or prevent |
98 |
> > > stripping. |
99 |
> > > signing in postinst is not ideal, because if breaks recorded file |
100 |
> > > checksums in vdb. |
101 |
> > > |
102 |
> > > here's old fork of eclass I made, maybe you can find some helpful |
103 |
> > > code |
104 |
> > > in there |
105 |
> > > |
106 |
> > > https://github.com/gyakovlev/linux-mod.eclass/blob/master/linux-mod.eclass |
107 |
> > > |
108 |
> > > old ML discussion we had: |
109 |
> > > https://archives.gentoo.org/gentoo-dev/message/4b15b1c851f379a1f802e2f2895cdfa8 |
110 |
> > > |
111 |
> > > You will also need a dependency on openssl, since sign-file uses |
112 |
> > > it. |
113 |
> > > |
114 |
> > > lmk if you need more info, I might remember more details, but for |
115 |
> > > now |
116 |
> > > that's all I have. I'll try to help get it done, but my |
117 |
> > > availability |
118 |
> > > is |
119 |
> > > spotty due to limited time. |
120 |
> > |
121 |
> > after reading my old code again and thinking more I think I know |
122 |
> > what's |
123 |
> > going on. |
124 |
> > 1. I've actually solved checksum/strip problem by signing in pkg- |
125 |
> > preinst |
126 |
> > 2. my method will likely fail with compressed modules. |
127 |
> > 3. your method likely works only if modules are compressed - |
128 |
> > because |
129 |
> > portage does not strip those I think. |
130 |
> > |
131 |
> |
132 |
> This is exactly what I was thinking. I'm pretty sure I wasn't seeing |
133 |
> the |
134 |
> problematic signature stripping behavior because I have module |
135 |
> compression enabled. |
136 |
> |
137 |
> Also good point about the OpenSSL dependency. That's something I |
138 |
> didn't |
139 |
> consider. |
140 |
> |
141 |
> > so looks like we need to combine both methods and do the following: |
142 |
> > - if signing requested without compression - sign in pkg_preinst. |
143 |
> > - if signing requested with compression - sign in src_install |
144 |
> > |
145 |
> |
146 |
> Why can't we do both in pkg_preinst? I am thinking it would be best |
147 |
> if |
148 |
> we drop the current compression implementation and rework your old |
149 |
> code |
150 |
> to handle both compression and signing since the signing code is more |
151 |
> or |
152 |
> less already complete. |
153 |
|
154 |
i'm not sure if sign-file can sign compressed modules. |
155 |
if we let kernel build handle compression - we have to sign prior to |
156 |
compression. |
157 |
if we compress modules ourselves then yes, we could sign first indeed. |
158 |
|
159 |
but preinst has it's own issues, you've already seen floppym's remark. |
160 |
|
161 |
> |
162 |
> > Do I make sense? I still haven't tested it, just guessing as I read |
163 |
> > my |
164 |
> > old bash code. |
165 |
> > |