From: Georgy Yakovlev <gyakovlev@g.o>

To: gentoo-dev@l.g.o

Subject: Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing

Date: Mon, 27 Jun 2022 19:46:40

Message-Id: f1871b56f53ecf75193e7d8c34cce42f80f822e9.camel@gentoo.org

In Reply to: Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing by Kenton Groombridge

1 | On Mon, 2022-06-27 at 14:35 -0400, Kenton Groombridge wrote: |

2 | > On 22/06/26 04:15AM, Georgy Yakovlev wrote: |

3 | > > On Sun, 2022-06-26 at 03:52 -0700, Georgy Yakovlev wrote: |

4 | > > > On Tue, 2022-06-21 at 14:19 -0400, Kenton Groombridge wrote: |

5 | > > > > eee74b9fca1 adds support for module compression, but this |

6 | > > > > breaks |

7 | > > > > loading |

8 | > > > > out of tree modules when module signing is enforced because |

9 | > > > > modules |

10 | > > > > must |

11 | > > > > be signed before they are compressed. Additionally, the |

12 | > > > > recommended |

13 | > > > > Portage hook[1] no longer works with this change. |

14 | > > > > |

15 | > > > > Add module signing support in linux-mod.eclass which more or |

16 | > > > > less |

17 | > > > > does |

18 | > > > > exactly what the aforementioned Portage hook does. If the |

19 | > > > > kernel |

20 | > > > > configuration has CONFIG_MODULE_SIG_ALL=y, then read the hash |

21 | > > > > and |

22 | > > > > keys |

23 | > > > > from the kernel configuration and call the sign_file tool to |

24 | > > > > sign |

25 | > > > > the |

26 | > > > > module before it is compressed. |

27 | > > > > |

28 | > > > > Bug: https://bugs.gentoo.org/show_bug.cgi?id=447352 |

29 | > > > > Signed-off-by: Kenton Groombridge <concord@g.o> |

30 | > > > > --- |

31 | > > > > eclass/linux-mod.eclass | 16 ++++++++++++++++ |

32 | > > > > 1 file changed, 16 insertions(+) |

33 | > > > > |

34 | > > > > diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass |

35 | > > > > index b7c13cbf7e7..fd40f6d7c6c 100644 |

36 | > > > > --- a/eclass/linux-mod.eclass |

37 | > > > > +++ b/eclass/linux-mod.eclass |

38 | > > > > @@ -712,6 +712,22 @@ linux-mod_src_install() { |

39 | > > > > cd "${objdir}" || die "${objdir} does not |

40 | > > > > exist" |

41 | > > > > insinto |

42 | > > > > "${INSTALL_MOD_PATH}"/lib/modules/${KV_FULL}/${libdir} |

43 | > > > > |

44 | > > > > + # check here for CONFIG_MODULE_SIG_ALL and sign |

45 | > > > > the |

46 | > > > > module being built if enabled. |

47 | > > > > + # modules must be signed before they are |

48 | > > > > compressed. |

49 | > > > > + |

50 | > > > > + if linux_chkconfig_present MODULE_SIG_ALL; then |

51 | > > > > + local |

52 | > > > > module_sig_hash="$(linux_chkconfig_string MODULE_SIG_HASH)" |

53 | > > > > + local |

54 | > > > > module_sig_key="$(linux_chkconfig_string MODULE_SIG_KEY)" |

55 | > > > > + module_sig_key="${module_sig_key:- |

56 | > > > > certs/signing_key.pem}" |

57 | > > > > + if [[ "${module_sig_key#pkcs11:}" == |

58 | > > > > "${module_sig_key}" && "${module_sig_key#/}" == |

59 | > > > > "${module_sig_key}" |

60 | > > > > ]]; then |

61 | > > > > + local |

62 | > > > > key_path="${KERNEL_DIR}/${module_sig_key}" |

63 | > > > > + else |

64 | > > > > + local |

65 | > > > > key_path="${module_sig_key}" |

66 | > > > > + fi |

67 | > > > > + local |

68 | > > > > cert_path="${KERNEL_DIR}/certs/signing_key.x509" |

69 | > > > > + "${KERNEL_DIR}"/scripts/sign-file |

70 | > > > > ${module_sig_hash//\"} ${key_path//\"} ${cert_path} |

71 | > > > > ${modulename}.${KV_OBJ} |

72 | > > > > + fi |

73 | > > > > + |

74 | > > > > # check here for |

75 | > > > > CONFIG_MODULE_COMPRESS_<compression |

76 | > > > > option> (NONE, GZIP, XZ, ZSTD) |

77 | > > > > # and similarily compress the module being |

78 | > > > > built if |

79 | > > > > != NONE. |

80 | > > > > |
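
Review bot: The `sign-file` call that closes the added block has no `|| die`, unlike the `cd "${objdir}" || die` context line above it, so a missing key, a missing certificate or a failed signature goes unnoticed and an unsigned module is installed even though `MODULE_SIG_ALL` is set. Append `|| die "signing ${modulename}.${KV_OBJ} failed"` and quote the expanded arguments so paths containing spaces survive word splitting. Separately, the quotes are removed only inside the `sign-file` call (`${key_path//\"}`), which implies `module_sig_key` still carries them when the `pkcs11:` and leading `/` prefix tests run. In that case neither prefix can match, an absolute key path gets `${KERNEL_DIR}/` prepended, and the `:-certs/signing_key.pem` default never applies to a quoted empty value. Strip the quotes right after `linux_chkconfig_string` and run the tests on the cleaned value.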

81 | > > > |

82 | > > > |

83 | > > > Hi, |

84 | > > > |

85 | > > > I've spent some time in the past ( circa 2018 ) to get this in, |

86 | > > > but |

87 | > > > gave up due to various reasons, I was not a gentoo dev yet at the |

88 | > > > time. |

89 | > > > |

90 | > > > I can't see how posted implementation will work tbh. |

91 | > > > portage will strip signature out of the module, unless you |

92 | > > > prevent |

93 | > > > stripping completely or package uses EAPI>=7, and omits stripping |

94 | > > > modules via dostrip -x on the ko object. |

95 | > > > kernel will NOT load module with stripped signature. |

96 | > > > |

97 | > > > so either you have to sign in pkg_postinst phase, or prevent |

98 | > > > stripping. |

99 | > > > signing in postinst is not ideal, because it breaks recorded file |

100 | > > > checksums in vdb. |

101 | > > > |

102 | > > > here's old fork of eclass I made, maybe you can find some helpful |

103 | > > > code |

104 | > > > in there |

105 | > > > |

106 | > > > https://github.com/gyakovlev/linux-mod.eclass/blob/master/linux-mod.eclass |

107 | > > > |

108 | > > > old ML discussion we had: |

109 | > > > https://archives.gentoo.org/gentoo-dev/message/4b15b1c851f379a1f802e2f2895cdfa8 |

110 | > > > |

111 | > > > You will also need a dependency on openssl, since sign-file uses |

112 | > > > it. |

113 | > > > |

114 | > > > lmk if you need more info, I might remember more details, but for |

115 | > > > now |

116 | > > > that's all I have. I'll try to help get it done, but my |

117 | > > > availability |

118 | > > > is |

119 | > > > spotty due to limited time. |

120 | > > |

121 | > > after reading my old code again and thinking more I think I know |

122 | > > what's |

123 | > > going on. |

124 | > > 1. I've actually solved checksum/strip problem by signing in pkg- |

125 | > > preinst |

126 | > > 2. my method will likely fail with compressed modules. |

127 | > > 3. your method likely works only if modules are compressed - |

128 | > > because |

129 | > > portage does not strip those I think. |

130 | > > |

131 | > |

132 | > This is exactly what I was thinking. I'm pretty sure I wasn't seeing |

133 | > the |

134 | > problematic signature stripping behavior because I have module |

135 | > compression enabled. |

136 | > |

137 | > Also good point about the OpenSSL dependency. That's something I |

138 | > didn't |

139 | > consider. |

140 | > |

141 | > > so looks like we need to combine both methods and do the following: |

142 | > > - if signing requested without compression - sign in pkg_preinst. |

143 | > > - if signing requested with compression - sign in src_install |

144 | > > |

145 | > |

146 | > Why can't we do both in pkg_preinst? I am thinking it would be best |

147 | > if |

148 | > we drop the current compression implementation and rework your old |

149 | > code |

150 | > to handle both compression and signing since the signing code is more |

151 | > or |

152 | > less already complete. |

153 | |

154 | I'm not sure if sign-file can sign compressed modules. |

155 | if we let kernel build handle compression - we have to sign prior to |

156 | compression. |

157 | if we compress modules ourselves then yes, we could sign first indeed. |

158 | |

159 | but preinst has its own issues, you've already seen floppym's remark. |

160 | |

161 | > |

162 | > > Do I make sense? I still haven't tested it, just guessing as I read |

163 | > > my |

164 | > > old bash code. |

165 | > > |
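
Added example, not part of the original message or of the eclass: a Python check for the signature trailer that the kernel expects at the end of a module, applied to the decompressed image, covering the stripped and signed-after-compression cases raised in the thread. The module bytes, the dummy signature and the file names are constructed samples.

```python
import gzip
import lzma
import struct
import zlib

MAGIC = b"~Module signature appended~\n"   # trailer the kernel looks for
INFO = struct.Struct(">BBBBB3xI")          # struct module_signature, 12 bytes
PKEY_ID_PKCS7 = 2                          # id_type for PKCS#7 signatures

def module_image(name: str, data: bytes) -> bytes:
    """Return the decompressed module image, chosen by file suffix."""
    if name.endswith(".gz"):
        # 31 selects gzip framing; bytes after the gzip stream are ignored.
        return zlib.decompressobj(31).decompress(data)
    if name.endswith(".xz"):
        return lzma.decompress(data)
    return data

def signature_info(name: str, data: bytes):
    """Describe the appended signature, or return None if it is missing."""
    image = module_image(name, data)
    info_end = len(image) - len(MAGIC)
    if not image.endswith(MAGIC) or info_end < INFO.size:
        return None
    _algo, _hash, id_type, _slen, _klen, sig_len = INFO.unpack(
        image[info_end - INFO.size:info_end])
    payload_len = info_end - INFO.size - sig_len
    if payload_len < 0:
        return None  # sig_len reaches back past the start of the file
    return {"id_type": id_type, "sig_len": sig_len, "payload_len": payload_len}

def fake_signed(payload: bytes, sig: bytes) -> bytes:
    """Constructed sample: payload + dummy signature + info block + magic."""
    return payload + sig + INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(sig)) + MAGIC

PAYLOAD = b"\x7fELF" + bytes(60)   # constructed stand-in for a .ko body
SIG = bytes(range(64))             # constructed dummy signature blob
SIGNED = fake_signed(PAYLOAD, SIG)

if __name__ == "__main__":
    late = fake_signed(gzip.compress(PAYLOAD), SIG)  # signed after compression
    for name, blob in [("demo.ko", SIGNED), ("stripped.ko", PAYLOAD),
                       ("demo.ko.gz", gzip.compress(SIGNED)), ("late.ko.gz", late)]:
        print(name, signature_info(name, blob))
```

Only the sign-then-compress sample still reports a signature after decompression; the trailer appended to an already compressed file sits outside the compressed stream and is absent from the image.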


All times displayed are in UTC (GMT+0).
