On Friday, September 21, 2018 5:58:00 AM PDT Alexander Tsoy wrote: |
> В Чт, 20/09/2018 в 22:13 -0700, Georgy Yakovlev пишет: |
> > ----------------->%------------------- |
4 |
> > @@ -144,13 +158,16 @@ esac |
5 |
> > |
6 |
> > 0) die "EAPI=${EAPI} is not supported with |
7 |
> > |
8 |
> > MODULES_OPTIONAL_USE_IUSE_DEFAULT due to lack of IUSE defaults" ;; |
9 |
> > |
10 |
> > esac |
11 |
> > |
12 |
> > -IUSE="kernel_linux |
13 |
> > ${MODULES_OPTIONAL_USE:+${_modules_optional_use_iuse_default}}${MODUL |
14 |
> > ES_OPTIONAL_USE}" |
15 |
> > +IUSE="module-sign kernel_linux |
16 |
> > ${MODULES_OPTIONAL_USE:+${_modules_optional_use_iuse_default}}${MODUL |
17 |
> > ES_OPTIONAL_USE}" |
18 |
> > |
19 |
> > SLOT="0" |
20 |
> > RDEPEND="${MODULES_OPTIONAL_USE}${MODULES_OPTIONAL_USE:+? (} |
21 |
> > |
22 |
> > kernel_linux? ( virtual/modutils ) ${MODULES_OPTIONAL_USE:+)}" |
23 |
> > |
24 |
> > DEPEND="${RDEPEND} |
25 |
> > |
26 |
> > ${MODULES_OPTIONAL_USE}${MODULES_OPTIONAL_USE:+? (} |
27 |
> > |
28 |
> > sys-apps/sed |
29 |
> > |
30 |
> > - kernel_linux? ( virtual/linux-sources virtual/libelf ) |
31 |
> > + kernel_linux? ( |
32 |
> > + virtual/linux-sources virtual/libelf |
33 |
> > + module-sign? ( || ( dev-libs/openssl dev- |
34 |
> > libs/libressl ) ) |
35 |
> > + ) |
> |
> It should depend on the proper openssl slot: dev-libs/openssl:0 |
Thanks for suggestion. |
Not sure; all it does is make sure -lcrypto works while building the module.
libcrypto is not required to load the module. |
Adding slot build dep to a package with a module does not make a lot of sense |
to me, but probably does not hurt either. |
> |
44 |
> > ${MODULES_OPTIONAL_USE:+)}" |
45 |
> > |
46 |
> > # eclass utilities |
47 |
> > |
48 |
> > @@ -352,6 +369,84 @@ get-KERNEL_CC() { |
49 |
> > |
50 |
> > echo "${kernel_cc}" |
51 |
> > |
52 |
> > } |
53 |
> > |
54 |
> > +# @FUNCTION: _check_sig_force |
55 |
> > +# @INTERNAL |
56 |
> > +# @DESCRIPTION: |
57 |
> > +# Check if kernel requires module signing and die |
58 |
> > +# if modules are not going to be signed. |
59 |
> > +_check_sig_force() { |
60 |
> > + debug-print-function ${FUNCNAME} "${@}" |
61 |
> > + |
62 |
> > + if linux_chkconfig_present MODULE_SIG_FORCE; then |
63 |
> > + if use !module-sign; then |
64 |
> > + eerror "kernel .config has |
65 |
> > MODULE_SIG_FORCE=y option set" |
66 |
> > + eerror "This means that kernel requires all |
67 |
> > modules" |
68 |
> > + eerror "to be signed and verified before |
69 |
> > loading" |
70 |
> > + eerror "please enable USE=\"module-sign\" or |
71 |
> > reconfigure your kernel" |
72 |
> > + eerror "otherwise loading the module will |
73 |
> > fail" |
74 |
> > + die "signature required" |
75 |
> > + fi |
76 |
> > + fi |
77 |
> > +} |
78 |
> > + |
79 |
> > +# @FUNCTION: _sign_module |
80 |
> > +# @INTERNAL |
81 |
> > +# @USAGE: <filename> |
82 |
> > +# @DESCRIPTION: |
83 |
> > +# Sign a kernel module |
84 |
> > +_sign_module() { |
85 |
> > + debug-print-function ${FUNCNAME} "${@}" |
86 |
> > + |
87 |
> > + local dotconfig_sig_hash dotconfig_sig_key |
88 |
> > + local sign_binary_path sig_key_path sig_x509_path |
89 |
> > + local module |
90 |
> > + |
91 |
> > + # extract values from kernel .config |
92 |
> > + # extracted key path is not full, e.g. |
93 |
> > "certs/signing_key.pem" |
94 |
> > + dotconfig_sig_hash="$(linux_chkconfig_string |
95 |
> > MODULE_SIG_HASH)" |
96 |
> > + dotconfig_sig_key="$(linux_chkconfig_string MODULE_SIG_KEY)" |
97 |
> > + |
98 |
> > + # sign-file binary chokes on double quotes |
99 |
> > + dotconfig_sig_hash=${dotconfig_sig_hash//\"/} |
100 |
> > + dotconfig_sig_key=${dotconfig_sig_key//\"/} |
101 |
> > + |
102 |
> > + sign_binary_path="${KV_OUT_DIR}/scripts/sign-file" |
> |
> Yet another way to screw up modules building. It relies on some binary |
> in the kernel build dir that may break after openssl update (e.g. |
> soname change). |
|
openssl's soname rarely changes, and a user is likely to build the kernel first (thus
re-building sign-file binary) and update modules later (probably with @module- |
rebuild). |
Last ABI change was in 2016 (still masked in gentoo), and in 2010 before that. |
It's unlikely to encounter an abi changing openssl upgrade and a random module |
rebuild while updating unless a user updates very infrequently. |
|
simple workaround: |
|
cd /usr/src/linux && rm scripts/sign-file && make scripts |
|
I can probably add this to die message and/or create a news item/wiki article. |
|
The whole eclass relies on kernel build dir to be available with exact same |
configuration to build modules, not just the signing part. |
|
As an example, using kernel gcc plugins situation is much worse, but still not |
a big deal, just rebuild a kernel after upgrading gcc to be able to build out- |
of-tree modules.
sign-file binary is rather simple and is not that picky and rarely breaks. At |
least that's what I observe while testing this patch.
I build kernels weekly (and rebuilding modules) and have not seen a single |
problem related to signing. |
|
I'll post rebased/updated patch with latest changes happened to eclass to |
support EAPI7. |
|
-- |
Regards,
Georgy Yakovlev |
Gentoo Linux Developer |