Gentoo Archives: gentoo-dev

From: Georgy Yakovlev <gyakovlev@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing
Date: Mon, 27 Jun 2022 19:46:40
Message-Id: f1871b56f53ecf75193e7d8c34cce42f80f822e9.camel@gentoo.org
In Reply to: Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing by Kenton Groombridge
On Mon, 2022-06-27 at 14:35 -0400, Kenton Groombridge wrote:
> On 22/06/26 04:15AM, Georgy Yakovlev wrote:
> > On Sun, 2022-06-26 at 03:52 -0700, Georgy Yakovlev wrote:
> > > On Tue, 2022-06-21 at 14:19 -0400, Kenton Groombridge wrote:
> > > > eee74b9fca1 adds support for module compression, but this breaks
> > > > loading out of tree modules when module signing is enforced because
> > > > modules must be signed before they are compressed. Additionally, the
> > > > recommended Portage hook[1] no longer works with this change.
> > > >
> > > > Add module signing support in linux-mod.eclass which more or less
> > > > does exactly what the aforementioned Portage hook does. If the kernel
> > > > configuration has CONFIG_MODULE_SIG_ALL=y, then read the hash and keys
> > > > from the kernel configuration and call the sign_file tool to sign the
> > > > module before it is compressed.
> > > >
> > > > Bug: https://bugs.gentoo.org/show_bug.cgi?id=447352
> > > > Signed-off-by: Kenton Groombridge <concord@g.o>
30 > > > > ---
31 > > > >  eclass/linux-mod.eclass | 16 ++++++++++++++++
32 > > > >  1 file changed, 16 insertions(+)
33 > > > >
34 > > > > diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass
35 > > > > index b7c13cbf7e7..fd40f6d7c6c 100644
36 > > > > --- a/eclass/linux-mod.eclass
37 > > > > +++ b/eclass/linux-mod.eclass
38 > > > > @@ -712,6 +712,22 @@ linux-mod_src_install() {
39 > > > >                 cd "${objdir}" || die "${objdir} does not
40 > > > > exist"
41 > > > >                 insinto
42 > > > > "${INSTALL_MOD_PATH}"/lib/modules/${KV_FULL}/${libdir}
43 > > > >  
44 > > > > +               # check here for CONFIG_MODULE_SIG_ALL and sign
45 > > > > the
46 > > > > module being built if enabled.
47 > > > > +               # modules must be signed before they are
48 > > > > compressed.
49 > > > > +
50 > > > > +               if linux_chkconfig_present MODULE_SIG_ALL; then
51 > > > > +                       local
52 > > > > module_sig_hash="$(linux_chkconfig_string MODULE_SIG_HASH)"
53 > > > > +                       local
54 > > > > module_sig_key="$(linux_chkconfig_string MODULE_SIG_KEY)"
55 > > > > +                       module_sig_key="${module_sig_key:-
56 > > > > certs/signing_key.pem}"
57 > > > > +                       if [[ "${module_sig_key#pkcs11:}" ==
58 > > > > "${module_sig_key}" && "${module_sig_key#/}" ==
59 > > > > "${module_sig_key}"
60 > > > > ]]; then
61 > > > > +                               local
62 > > > > key_path="${KERNEL_DIR}/${module_sig_key}"
63 > > > > +                       else
64 > > > > +                               local
65 > > > > key_path="${module_sig_key}"
66 > > > > +                       fi
67 > > > > +                       local
68 > > > > cert_path="${KERNEL_DIR}/certs/signing_key.x509"
69 > > > > +                       "${KERNEL_DIR}"/scripts/sign-file
70 > > > > ${module_sig_hash//\"} ${key_path//\"} ${cert_path}
71 > > > > ${modulename}.${KV_OBJ}
72 > > > > +               fi
73 > > > > +
74 > > > >                 # check here for
75 > > > > CONFIG_MODULE_COMPRESS_<compression
76 > > > > option> (NONE, GZIP, XZ, ZSTD)
77 > > > >                 # and similarily compress the module being
78 > > > > built if
79 > > > > != NONE.
80 > > > >  
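
Review bot: the sign-file invocation at the end of the new `if linux_chkconfig_present MODULE_SIG_ALL` block has no `|| die`, so a failed signing (for example a missing key) lets the install continue with an unsigned module, which a kernel that enforces signatures will not load; append `|| die "signing ${modulename}.${KV_OBJ} failed"`. In the same block, the `pkcs11:` and leading-`/` test runs on module_sig_key before any quotes are removed (they are only stripped by `${key_path//\"}` at the call), so if linux_chkconfig_string returns the value with its quotes, as the `//\"` expansions suggest, a quoted absolute path or PKCS#11 URI starts with `"`, matches neither prefix and gets `${KERNEL_DIR}/` prepended, and the `:-certs/signing_key.pem` default does not apply to a quoted empty string; strip the quotes right after the two linux_chkconfig_string calls instead. The arguments passed to sign-file are also unquoted, and cert_path is fixed to certs/signing_key.x509 regardless of what MODULE_SIG_KEY points at.
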
> > >
> > > Hi,
> > >
> > > I've spent some time in the past (circa 2018) to get this in, but
> > > gave up due to various reasons, I was not a gentoo dev yet at the
> > > time.
> > >
> > > I can't see how posted implementation will work tbh.
> > > portage will strip signature out of the module, unless you prevent
> > > stripping completely or package uses EAPI>=7, and omits stripping
> > > modules via dostrip -x on the ko object.
> > > kernel will NOT load module with stripped signature.
> > >
> > > so either you have to sign in pkg_postinst phase, or prevent
> > > stripping.
> > > signing in postinst is not ideal, because it breaks recorded file
> > > checksums in vdb.
> > >
> > > here's old fork of eclass I made, maybe you can find some helpful code
> > > in there
> > >
> > > https://github.com/gyakovlev/linux-mod.eclass/blob/master/linux-mod.eclass
> > >
> > > old ML discussion we had:
> > > https://archives.gentoo.org/gentoo-dev/message/4b15b1c851f379a1f802e2f2895cdfa8
> > >
> > > You will also need a dependency on openssl, since sign-file uses it.
> > >
> > > lmk if you need more info, I might remember more details, but for now
> > > that's all I have. I'll try to help get it done, but my availability
> > > is spotty due to limited time.
> >
> > after reading my old code again and thinking more I think I know what's
> > going on.
> >  1. I've actually solved checksum/strip problem by signing in pkg-preinst
> >  2. my method will likely fail with compressed modules.
> >  3. your method likely works only if modules are compressed - because
> >     portage does not strip those I think.
> >
>
> This is exactly what I was thinking. I'm pretty sure I wasn't seeing the
> problematic signature stripping behavior because I have module
> compression enabled.
>
> Also good point about the OpenSSL dependency. That's something I didn't
> consider.
>
> > so looks like we need to combine both methods and do the following:
> >  - if signing requested without compression - sign in pkg_preinst.
> >  - if signing requested with compression - sign in src_install
> >
>
> Why can't we do both in pkg_preinst? I am thinking it would be best if
> we drop the current compression implementation and rework your old code
> to handle both compression and signing since the signing code is more or
> less already complete.

I'm not sure if sign-file can sign compressed modules.
if we let kernel build handle compression - we have to sign prior to
compression.
if we compress modules ourselves then yes, we could sign first indeed.

but preinst has its own issues, you've already seen floppym's remark.

>
> > Do I make sense? I still haven't tested it, just guessing as I read my
> > old bash code.
> >
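
A check for the two failure modes raised in this thread (a module whose signature did not survive to install, and a signature applied after compression instead of before), as an added example that is not part of the patch, the eclass or any poster's code. The function names are hypothetical; it relies on the kernel's appended-signature marker string `~Module signature appended~\n` and only detects that marker, it does not verify the signature.

```shell
#!/bin/sh
# Added example: report whether a built module still carries an appended
# signature. Function names are hypothetical; presence only, no verification.
MODSIG_MARKER='~Module signature appended~'   # followed by "\n" in the file

# Hex dump of the last 28 bytes on stdin (marker is 27 chars + newline).
tail_hex() { tail -c 28 | od -An -tx1 | tr -d ' \n'; }

# Choose a decompressor from the file's magic bytes; "cat" means uncompressed.
decompressor() {
    case "$(od -An -tx1 -N4 "$1" | tr -d ' \n')" in
        1f8b*)    echo 'gzip -dc' ;;
        fd377a58) echo 'xz -dc' ;;
        28b52ffd) echo 'zstd -dc' ;;
        *)        echo 'cat' ;;
    esac
}

# module_sig_state FILE
#   signed                   marker ends the (decompressed) module
#   unsigned                 no marker, e.g. removed by stripping
#   signed-after-compression marker was appended to the compressed file
#   cannot-decompress        needed tool (gzip/xz/zstd) is not installed
module_sig_state() {
    want=$(printf '%s\n' "$MODSIG_MARKER" | od -An -tx1 | tr -d ' \n')
    dec=$(decompressor "$1")
    if [ "$dec" != cat ] && [ "$(tail_hex < "$1")" = "$want" ]; then
        echo signed-after-compression
        return 0
    fi
    command -v "${dec%% *}" >/dev/null 2>&1 || { echo cannot-decompress; return 0; }
    # $dec is split on purpose into command and option.
    if [ "$($dec < "$1" 2>/dev/null | tail_hex)" = "$want" ]; then
        echo signed
    else
        echo unsigned
    fi
}

# Usage: sh modsig.sh /lib/modules/<version>/extra/*.ko*
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(module_sig_state "$f")"
done
```

Run against the image directory before merge and against the installed files afterwards, a change from `signed` to `unsigned` shows where the signature was lost.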

Replies

Subject Author
Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing Kenton Groombridge <concord@g.o>