| 1 |
On Friday, September 21, 2018 5:58:00 AM PDT Alexander Tsoy wrote: |
| 2 |
> В Чт, 20/09/2018 в 22:13 -0700, Georgy Yakovlev пишет: |
| 3 |
> > ----------------->%------------------- |
| 4 |
> > @@ -144,13 +158,16 @@ esac |
| 5 |
> > |
| 6 |
> > 0) die "EAPI=${EAPI} is not supported with |
| 7 |
> > |
| 8 |
> > MODULES_OPTIONAL_USE_IUSE_DEFAULT due to lack of IUSE defaults" ;; |
| 9 |
> > |
| 10 |
> > esac |
| 11 |
> > |
| 12 |
> > -IUSE="kernel_linux |
| 13 |
> > ${MODULES_OPTIONAL_USE:+${_modules_optional_use_iuse_default}}${MODUL |
| 14 |
> > ES_OPTIONAL_USE}" |
| 15 |
> > +IUSE="module-sign kernel_linux |
| 16 |
> > ${MODULES_OPTIONAL_USE:+${_modules_optional_use_iuse_default}}${MODUL |
| 17 |
> > ES_OPTIONAL_USE}" |
| 18 |
> > |
| 19 |
> > SLOT="0" |
| 20 |
> > RDEPEND="${MODULES_OPTIONAL_USE}${MODULES_OPTIONAL_USE:+? (} |
| 21 |
> > |
| 22 |
> > kernel_linux? ( virtual/modutils ) ${MODULES_OPTIONAL_USE:+)}" |
| 23 |
> > |
| 24 |
> > DEPEND="${RDEPEND} |
| 25 |
> > |
| 26 |
> > ${MODULES_OPTIONAL_USE}${MODULES_OPTIONAL_USE:+? (} |
| 27 |
> > |
| 28 |
> > sys-apps/sed |
| 29 |
> > |
| 30 |
> > - kernel_linux? ( virtual/linux-sources virtual/libelf ) |
| 31 |
> > + kernel_linux? ( |
| 32 |
> > + virtual/linux-sources virtual/libelf |
| 33 |
> > + module-sign? ( || ( dev-libs/openssl dev- |
| 34 |
> > libs/libressl ) ) |
| 35 |
> > + ) |
| 36 |
> |
| 37 |
> It should depend on the proper openssl slot: dev-libs/openssl:0 |
| 38 |
Thanks for suggestion. |
| 39 |
Not sure, all it does is it makes sure -lcrypto works while building module. |
| 40 |
libcrypto is not required to load the module. |
| 41 |
Adding slot build dep to a package with a module does not make a lot of sense |
| 42 |
to me, but probably does not hurt either. |
| 43 |
> |
| 44 |
> > ${MODULES_OPTIONAL_USE:+)}" |
| 45 |
> > |
| 46 |
> > # eclass utilities |
| 47 |
> > |
| 48 |
> > @@ -352,6 +369,84 @@ get-KERNEL_CC() { |
| 49 |
> > |
| 50 |
> > echo "${kernel_cc}" |
| 51 |
> > |
| 52 |
> > } |
| 53 |
> > |
| 54 |
> > +# @FUNCTION: _check_sig_force |
| 55 |
> > +# @INTERNAL |
| 56 |
> > +# @DESCRIPTION: |
| 57 |
> > +# Check if kernel requires module signing and die |
| 58 |
> > +# if modules are not going to be signed. |
| 59 |
> > +_check_sig_force() { |
| 60 |
> > + debug-print-function ${FUNCNAME} "${@}" |
| 61 |
> > + |
| 62 |
> > + if linux_chkconfig_present MODULE_SIG_FORCE; then |
| 63 |
> > + if use !module-sign; then |
| 64 |
> > + eerror "kernel .config has |
| 65 |
> > MODULE_SIG_FORCE=y option set" |
| 66 |
> > + eerror "This means that kernel requires all |
| 67 |
> > modules" |
| 68 |
> > + eerror "to be signed and verified before |
| 69 |
> > loading" |
| 70 |
> > + eerror "please enable USE=\"module-sign\" or |
| 71 |
> > reconfigure your kernel" |
| 72 |
> > + eerror "otherwise loading the module will |
| 73 |
> > fail" |
| 74 |
> > + die "signature required" |
| 75 |
> > + fi |
| 76 |
> > + fi |
| 77 |
> > +} |
| 78 |
> > + |
| 79 |
> > +# @FUNCTION: _sign_module |
| 80 |
> > +# @INTERNAL |
| 81 |
> > +# @USAGE: <filename> |
| 82 |
> > +# @DESCRIPTION: |
| 83 |
> > +# Sign a kernel module |
| 84 |
> > +_sign_module() { |
| 85 |
> > + debug-print-function ${FUNCNAME} "${@}" |
| 86 |
> > + |
| 87 |
> > + local dotconfig_sig_hash dotconfig_sig_key |
| 88 |
> > + local sign_binary_path sig_key_path sig_x509_path |
| 89 |
> > + local module |
| 90 |
> > + |
| 91 |
> > + # extract values from kernel .config |
| 92 |
> > + # extracted key path is not full, e.g. |
| 93 |
> > "certs/signing_key.pem" |
| 94 |
> > + dotconfig_sig_hash="$(linux_chkconfig_string |
| 95 |
> > MODULE_SIG_HASH)" |
| 96 |
> > + dotconfig_sig_key="$(linux_chkconfig_string MODULE_SIG_KEY)" |
| 97 |
> > + |
| 98 |
> > + # sign-file binary chokes on double quotes |
| 99 |
> > + dotconfig_sig_hash=${dotconfig_sig_hash//\"/} |
| 100 |
> > + dotconfig_sig_key=${dotconfig_sig_key//\"/} |
| 101 |
> > + |
| 102 |
> > + sign_binary_path="${KV_OUT_DIR}/scripts/sign-file" |
| 103 |
> |
| 104 |
> Yet another way to screw up modules building. It relies on some binary |
| 105 |
> in the kernel build dir that may break after openssl update (e.g. |
| 106 |
> soname change). |
| 107 |
|
| 108 |
openssl soname rarely changes and a user likely to build kernel first (thus |
| 109 |
re-building sign-file binary) and update modules later (probably with @module- |
| 110 |
rebuild). |
| 111 |
Last ABI change was in 2016 (still masked in gentoo), and in 2010 before that. |
| 112 |
It's unlikely to encounter an abi changing openssl upgrade and a random module |
| 113 |
rebuild while updating unless a user updates very infrequently. |
| 114 |
|
| 115 |
simple workaround: |
| 116 |
|
| 117 |
cd /usr/src/linux && rm scripts/sign-file && make scripts |
| 118 |
|
| 119 |
I can probably add this to die message and/or create a news item/wiki article. |
| 120 |
|
| 121 |
The whole eclass relies on kernel build dir to be available with exact same |
| 122 |
configuration to build modules, not just the signing part. |
| 123 |
|
| 124 |
As an example, using kernel gcc plugins situation is much worse, but still not |
| 125 |
a big deal, just rebuild a kernel after upgrading gcc to be able to build out- |
| 126 |
of tree modules. |
| 127 |
sign-file binary is rather simple and is not that picky and rarely breaks. At |
| 128 |
least what's what I observe while testing this patch. |
| 129 |
I build kernels weekly (and rebuilding modules) and have not seen a single |
| 130 |
problem related to signing. |
| 131 |
|
| 132 |
I'll post rebased/updated patch with latest changes happened to eclass to |
| 133 |
support EAPI7. |
| 134 |
|
| 135 |
-- |
| 136 |
Regads, |
| 137 |
Georgy Yakovlev |
| 138 |
Gentoo Linux Developer |
Archives