Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing - gentoo-dev

From:	Georgy Yakovlev <gyakovlev@g.o>
To:	gentoo-dev@l.g.o
Subject:	Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing
Date:	Sun, 26 Jun 2022 10:52:17
Message-Id:	`84e99a74d64f0d9dd326af0f2c54b9d5717b2f8d.camel@gentoo.org`
In Reply to:	[gentoo-dev] [PATCH] linux-mod.eclass: support module signing by Kenton Groombridge

1

On Tue, 2022-06-21 at 14:19 -0400, Kenton Groombridge wrote:

2

> eee74b9fca1 adds support for module compression, but this breaks

3

> loading

4

> out of tree modules when module signing is enforced because modules

5

> must

6

> be signed before they are compressed. Additionally, the recommended

7

> Portage hook[1] no longer works with this change.

8

>

9

> Add module signing support in linux-mod.eclass which more or less

10

> does

11

> exactly what the aforementioned Portage hook does. If the kernel

12

> configuration has CONFIG_MODULE_SIG_ALL=y, then read the hash and

13

> keys

14

> from the kernel configuration and call the sign_file tool to sign the

15

> module before it is compressed.

16

>

17

> Bug: https://bugs.gentoo.org/show_bug.cgi?id=447352

18

> Signed-off-by: Kenton Groombridge <concord@g.o>

19

> ---

20

>  eclass/linux-mod.eclass | 16 ++++++++++++++++

21

>  1 file changed, 16 insertions(+)

22

>

23

> diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass

24

> index b7c13cbf7e7..fd40f6d7c6c 100644

25

> --- a/eclass/linux-mod.eclass

26

> +++ b/eclass/linux-mod.eclass

27

> @@ -712,6 +712,22 @@ linux-mod_src_install() {

28

>                 cd "${objdir}" || die "${objdir} does not exist"

29

>                 insinto

30

> "${INSTALL_MOD_PATH}"/lib/modules/${KV_FULL}/${libdir}

31

>

32

> +               # check here for CONFIG_MODULE_SIG_ALL and sign the

33

> module being built if enabled.

34

> +               # modules must be signed before they are compressed.

35

> +

36

> +               if linux_chkconfig_present MODULE_SIG_ALL; then

37

> +                       local

38

> module_sig_hash="$(linux_chkconfig_string MODULE_SIG_HASH)"

39

> +                       local

40

> module_sig_key="$(linux_chkconfig_string MODULE_SIG_KEY)"

41

> +                       module_sig_key="${module_sig_key:-

42

> certs/signing_key.pem}"

43

> +                       if [[ "${module_sig_key#pkcs11:}" ==

44

> "${module_sig_key}" && "${module_sig_key#/}" == "${module_sig_key}"

45

> ]]; then

46

> +                               local

47

> key_path="${KERNEL_DIR}/${module_sig_key}"

48

> +                       else

49

> +                               local key_path="${module_sig_key}"

50

> +                       fi

51

> +                       local

52

> cert_path="${KERNEL_DIR}/certs/signing_key.x509"

53

> +                       "${KERNEL_DIR}"/scripts/sign-file

54

> ${module_sig_hash//\"} ${key_path//\"} ${cert_path}

55

> ${modulename}.${KV_OBJ}

56

> +               fi

57

> +

58

>                 # check here for CONFIG_MODULE_COMPRESS_<compression

59

> option> (NONE, GZIP, XZ, ZSTD)

60

>                 # and similarily compress the module being built if

61

> != NONE.

62

>

63

64

65

Hi,

66

67

I've spent some time in the past ( circa 2018 ) to get this in, but 

68

gave up due to various reasons, I was not a gentoo dev yet at the time.

69

70

I can't see how posted implementation will work tbh.

71

portage will strip signature out of the module, unless you prevent

72

stripping completely or package uses EAPI>=7, and omits stripping

73

modules via dostrip -x on the ko object.

74

kernel will NOT load module with stripped signature.

75

76

so either you have to sign in pkg_postinst phase, or prevent stripping.

77

signing in postinst is not ideal, because if breaks recorded file

78

checksums in vdb.

79

80

here's old fork of eclass I made, maybe you can find some helpful code

81

in there

82

83

https://github.com/gyakovlev/linux-mod.eclass/blob/master/linux-mod.eclass

84

85

old ML discussion we had:

86

https://archives.gentoo.org/gentoo-dev/message/4b15b1c851f379a1f802e2f2895cdfa8

87

88

You will also need a dependency on openssl, since sign-file uses it.

89

90

lmk if you need more info, I might remember more details, but for now

91

that's all I have. I'll try to help get it done, but my availability is

92

spotty due to limited time.

Gentoo Archives: gentoo-dev

Replies

1	On Tue, 2022-06-21 at 14:19 -0400, Kenton Groombridge wrote:
2	> eee74b9fca1 adds support for module compression, but this breaks
3	> loading
4	> out of tree modules when module signing is enforced because modules
5	> must
6	> be signed before they are compressed. Additionally, the recommended
7	> Portage hook[1] no longer works with this change.
8	>
9	> Add module signing support in linux-mod.eclass which more or less
10	> does
11	> exactly what the aforementioned Portage hook does. If the kernel
12	> configuration has CONFIG_MODULE_SIG_ALL=y, then read the hash and
13	> keys
14	> from the kernel configuration and call the sign_file tool to sign the
15	> module before it is compressed.
16	>
17	> Bug: https://bugs.gentoo.org/show_bug.cgi?id=447352
18	> Signed-off-by: Kenton Groombridge <concord@g.o>
19	> ---
20	> eclass/linux-mod.eclass \| 16 ++++++++++++++++
21	> 1 file changed, 16 insertions(+)
22	>
23	> diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass
24	> index b7c13cbf7e7..fd40f6d7c6c 100644
25	> --- a/eclass/linux-mod.eclass
26	> +++ b/eclass/linux-mod.eclass
27	> @@ -712,6 +712,22 @@ linux-mod_src_install() {
28	> cd "${objdir}" \|\| die "${objdir} does not exist"
29	> insinto
30	> "${INSTALL_MOD_PATH}"/lib/modules/${KV_FULL}/${libdir}
31	>
32	> + # check here for CONFIG_MODULE_SIG_ALL and sign the
33	> module being built if enabled.
34	> + # modules must be signed before they are compressed.
35	> +
36	> + if linux_chkconfig_present MODULE_SIG_ALL; then
37	> + local
38	> module_sig_hash="$(linux_chkconfig_string MODULE_SIG_HASH)"
39	> + local
40	> module_sig_key="$(linux_chkconfig_string MODULE_SIG_KEY)"
41	> + module_sig_key="${module_sig_key:-
42	> certs/signing_key.pem}"
43	> + if [[ "${module_sig_key#pkcs11:}" ==
44	> "${module_sig_key}" && "${module_sig_key#/}" == "${module_sig_key}"
45	> ]]; then
46	> + local
47	> key_path="${KERNEL_DIR}/${module_sig_key}"
48	> + else
49	> + local key_path="${module_sig_key}"
50	> + fi
51	> + local
52	> cert_path="${KERNEL_DIR}/certs/signing_key.x509"
53	> + "${KERNEL_DIR}"/scripts/sign-file
54	> ${module_sig_hash//\"} ${key_path//\"} ${cert_path}
55	> ${modulename}.${KV_OBJ}
56	> + fi
57	> +
58	> # check here for CONFIG_MODULE_COMPRESS_<compression
59	> option> (NONE, GZIP, XZ, ZSTD)
60	> # and similarily compress the module being built if
61	> != NONE.
62	>
63
64
65	Hi,
66
67	I've spent some time in the past ( circa 2018 ) to get this in, but
68	gave up due to various reasons, I was not a gentoo dev yet at the time.
69
70	I can't see how posted implementation will work tbh.
71	portage will strip signature out of the module, unless you prevent
72	stripping completely or package uses EAPI>=7, and omits stripping
73	modules via dostrip -x on the ko object.
74	kernel will NOT load module with stripped signature.
75
76	so either you have to sign in pkg_postinst phase, or prevent stripping.
77	signing in postinst is not ideal, because if breaks recorded file
78	checksums in vdb.
79
80	here's old fork of eclass I made, maybe you can find some helpful code
81	in there
82
83	https://github.com/gyakovlev/linux-mod.eclass/blob/master/linux-mod.eclass
84
85	old ML discussion we had:
86	https://archives.gentoo.org/gentoo-dev/message/4b15b1c851f379a1f802e2f2895cdfa8
87
88	You will also need a dependency on openssl, since sign-file uses it.
89
90	lmk if you need more info, I might remember more details, but for now
91	that's all I have. I'll try to help get it done, but my availability is
92	spotty due to limited time.