On Tue, 2022-06-21 at 14:19 -0400, Kenton Groombridge wrote:
> eee74b9fca1 adds support for module compression, but this breaks loading
> out of tree modules when module signing is enforced because modules must
> be signed before they are compressed. Additionally, the recommended
> Portage hook[1] no longer works with this change.
>
> Add module signing support in linux-mod.eclass which more or less does
> exactly what the aforementioned Portage hook does. If the kernel
> configuration has CONFIG_MODULE_SIG_ALL=y, then read the hash and keys
> from the kernel configuration and call the sign_file tool to sign the
> module before it is compressed.
>
> Bug: https://bugs.gentoo.org/show_bug.cgi?id=447352
> Signed-off-by: Kenton Groombridge <concord@g.o>
> ---
>  eclass/linux-mod.eclass | 16 ++++++++++++++++
>  1 file changed, 16 insertions(+)
>
> diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass
> index b7c13cbf7e7..fd40f6d7c6c 100644
> --- a/eclass/linux-mod.eclass
> +++ b/eclass/linux-mod.eclass
> @@ -712,6 +712,22 @@ linux-mod_src_install() {
> cd "${objdir}" || die "${objdir} does not exist"
> insinto
> "${INSTALL_MOD_PATH}"/lib/modules/${KV_FULL}/${libdir}
>
> + # check here for CONFIG_MODULE_SIG_ALL and sign the
> module being built if enabled.
> + # modules must be signed before they are compressed.
> +
> + if linux_chkconfig_present MODULE_SIG_ALL; then
> + local
> module_sig_hash="$(linux_chkconfig_string MODULE_SIG_HASH)"
> + local
> module_sig_key="$(linux_chkconfig_string MODULE_SIG_KEY)"
> + module_sig_key="${module_sig_key:-
> certs/signing_key.pem}"
> + if [[ "${module_sig_key#pkcs11:}" ==
> "${module_sig_key}" && "${module_sig_key#/}" == "${module_sig_key}"
> ]]; then
> + local
> key_path="${KERNEL_DIR}/${module_sig_key}"
> + else
> + local key_path="${module_sig_key}"
> + fi
> + local
> cert_path="${KERNEL_DIR}/certs/signing_key.x509"
> + "${KERNEL_DIR}"/scripts/sign-file
> ${module_sig_hash//\"} ${key_path//\"} ${cert_path}
> ${modulename}.${KV_OBJ}
> + fi
> +
> # check here for CONFIG_MODULE_COMPRESS_<compression
> option> (NONE, GZIP, XZ, ZSTD)
> # and similarily compress the module being built if
> != NONE.
>
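Review bot: the pkcs11:/absolute-path test on module_sig_key runs before the quotes are removed, so it cannot do what it is meant to do. The later ${module_sig_hash//\"} and ${key_path//\"} show that linux_chkconfig_string hands back the value with its double quotes; with the quote still present, "${module_sig_key#pkcs11:}" and "${module_sig_key#/}" never strip anything, every key (including a "pkcs11:..." URI or an absolute "/etc/keys/..." path) is treated as relative and prefixed with ${KERNEL_DIR}/, and an empty CONFIG_MODULE_SIG_KEY="" is the two-character string "" rather than empty, so the :-certs/signing_key.pem default never triggers either. Strip the quotes right after reading (module_sig_key="${module_sig_key//\"}", same for the hash) and only then apply the default and the prefix checks. Separately, the "${KERNEL_DIR}"/scripts/sign-file call has no || die: if signing fails (missing key file, unsupported hash, sign-file not built), the eclass carries on and installs an unsigned, compressed module that an enforcing kernel will refuse to load, which is exactly the failure this hunk sets out to fix. Append || die "Failed to sign ${modulename}.${KV_OBJ}" so the build fails loudly instead.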


Hi,

I've spent some time in the past (circa 2018) to get this in, but
gave up due to various reasons; I was not a Gentoo dev yet at the time.

I can't see how the posted implementation will work tbh.
Portage will strip the signature out of the module, unless you prevent
stripping completely or the package uses EAPI>=7 and omits stripping
modules via dostrip -x on the ko object.
The kernel will NOT load a module with a stripped signature.

So either you have to sign in the pkg_postinst phase, or prevent stripping.
Signing in postinst is not ideal, because it breaks the recorded file
checksums in vdb.

Here's an old fork of the eclass I made, maybe you can find some helpful code
in there:

https://github.com/gyakovlev/linux-mod.eclass/blob/master/linux-mod.eclass

Old ML discussion we had:
https://archives.gentoo.org/gentoo-dev/message/4b15b1c851f379a1f802e2f2895cdfa8

You will also need a dependency on openssl, since sign-file uses it.

lmk if you need more info, I might remember more details, but for now
that's all I have. I'll try to help get it done, but my availability is
spotty due to limited time.
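Added example, not part of the thread and not code from linux-mod.eclass or from the patch above: a small POSIX shell script showing the two checks a packager would want here. resolve_sig_key reads CONFIG_MODULE_SIG_ALL/HASH/KEY from a kernel .config the way the patch intends, but strips the quotes before testing for a pkcs11: URI or an absolute path; module_is_signed reports whether a .ko still ends with the "~Module signature appended~" trailer that scripts/sign-file appends, which is what disappears when Portage strips the object. The kernel directory /usr/src/linux, the .config fragments and the fake module bytes are constructed for the demo; only the trailer string is the kernel's real marker.

```sh
#!/bin/sh
# Added example: not code from linux-mod.eclass or from the patch under review.
# 1. resolve_sig_key  - read CONFIG_MODULE_SIG_ALL/HASH/KEY from a .config and
#    strip the quotes *before* deciding whether the key is a pkcs11: URI,
#    an absolute path, or a path relative to the kernel tree.
# 2. module_is_signed - report whether a .ko still ends with the trailer that
#    scripts/sign-file appends; strip(1) removes it along with the signature.
set -eu

# Print the raw value of CONFIG_<name> from a .config (quotes kept, as in the
# file); prints nothing when the symbol is absent or "is not set".
config_value() {
    name="$1"; config="$2"
    awk -v key="CONFIG_${name}=" \
        'index($0, key) == 1 { print substr($0, length(key) + 1); exit }' \
        "${config}"
}

# Print "<hash> <key path or URI> <cert path>"; return 1 if signing is off.
# kernel_dir (e.g. /usr/src/linux) is an assumed location, never probed.
resolve_sig_key() {
    kernel_dir="$1"; config="$2"
    [ "$(config_value MODULE_SIG_ALL "${config}")" = "y" ] || return 1

    # Drop the surrounding double quotes first: with them still present a
    # prefix test for "pkcs11:" or "/" can never match, and an empty ""
    # would not trigger the default below.
    sig_hash="$(config_value MODULE_SIG_HASH "${config}" | tr -d '"')"
    sig_key="$(config_value MODULE_SIG_KEY "${config}" | tr -d '"')"
    sig_key="${sig_key:-certs/signing_key.pem}"

    case "${sig_key}" in
        pkcs11:*|/*) key_path="${sig_key}" ;;                # token URI or absolute path: use as-is
        *)           key_path="${kernel_dir}/${sig_key}" ;;  # relative to the kernel source tree
    esac
    printf '%s %s %s\n' "${sig_hash}" "${key_path}" "${kernel_dir}/certs/signing_key.x509"
}

# The kernel's sign-file ends a signed module with this string plus a
# newline (28 bytes in total).
readonly SIG_MAGIC='~Module signature appended~'

# Return 0 if the file ends with the signature marker, 1 otherwise.
module_is_signed() {
    ko="$1"
    [ -s "${ko}" ] || return 1
    # $(...) drops the trailing newline, so compare the last 28 bytes
    # against the 27-character magic.
    [ "$(tail -c 28 "${ko}")" = "${SIG_MAGIC}" ]
}

# Constructed demo data: fake .config fragments and a fake "module".
demo() {
    tmp="$(mktemp -d)"
    printf 'CONFIG_MODULE_SIG_ALL=y\nCONFIG_MODULE_SIG_HASH="sha256"\nCONFIG_MODULE_SIG_KEY="pkcs11:token=kernel;object=modsign"\n' \
        > "${tmp}/config.pkcs11"
    printf 'CONFIG_MODULE_SIG_ALL=y\nCONFIG_MODULE_SIG_HASH="sha512"\nCONFIG_MODULE_SIG_KEY=""\n' \
        > "${tmp}/config.default"
    resolve_sig_key /usr/src/linux "${tmp}/config.pkcs11"
    resolve_sig_key /usr/src/linux "${tmp}/config.default"

    printf 'not a real ELF object' > "${tmp}/unsigned.ko"
    { cat "${tmp}/unsigned.ko"; printf 'fake-signature-bytes'; printf '%s\n' "${SIG_MAGIC}"; } \
        > "${tmp}/signed.ko"
    module_is_signed "${tmp}/signed.ko" && echo "signed.ko: signature trailer present"
    module_is_signed "${tmp}/unsigned.ko" || echo "unsigned.ko: no signature trailer"
    rm -rf "${tmp}"
}

demo
```

Run it as-is to see both key resolutions and the signed/unsigned verdicts; to confirm the stripping behaviour described above, point module_is_signed at a real .ko right after sign-file and again after strip(1) or after an emerge that does not exclude the module via dostrip -x.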