Gentoo Archives: gentoo-dev

From:	Carlos Silva <r3pek@×××××.org>
To:	gentoo-dev@l.g.o
Subject:	[gentoo-dev] [RFC] patch linux-mod.eclass to add support for module signing V2
Date:	Mon, 11 Mar 2013 20:06:00
Message-Id:	`CA+ZvHYGLLUoJX9yG09RJDPqG=5oV1pEfZB6sDU7KVJrPz9iumA@mail.gmail.com`

1	This is the same patch posted earlier but with the feedback from Steven J.
2	Long from the last post on the previous thread. (Thanks!)
3
4
5
6	Signed kernel modules require that the kernel is compiled with
7	CONFIG_MODULE_SIG=y so that during compilation, the public key hash is
8	stored in the kernel so that it can be verified later when insmod'ing an
9	external module. There is no problem with in-tree modules, this are sign
10	correctly and loaded, the problem is with out-of-the-tree modules installed
11	by portage; this ones are not "signing ware".
12
13	So this patch adds a new USE flag to the linux-mod.eclass named
14	"module-signing". We enabled, it will check if the user has selected all
15	the correct config options in the kernel, and optionally, where are the
16	private and public parts of the key so that the module is signed and
17	install time. If any of this fails, the installation of the module is
18	aborted.
19
20	From the end user perspective, if he wants to add support for this, all he
21	has to do is enable CONFIG_MODULE_SIG in the kernel. If no keys are found
22	during the build, it will be generated one. If one wants to create a key
23	himself, it's also possible to use this key, he just has to name it
24	signing_key.priv and siging_key.x509 and put it under /usr/src/linux.
25	After the kernel is compiled, this keys can be moved elsewhere and the path
26	to them specified in make.conf under the vars KERNEL_MODSECKEY and
27	KERNEL_MODPUBKEY.
28
29	Patch below for review, discussion and testing.
30	Thanks,
31	Carlos Silva
32
33
34
35	--- linux-mod.eclass 2012-09-15 16:31:15.000000000 +0000
36	+++ linux-mod.eclass 2013-03-11 18:58:34.075561064 -0100
37	@@ -125,9 +125,10 @@
38	inherit eutils linux-info multilib
39	EXPORT_FUNCTIONS pkg_setup pkg_preinst pkg_postinst src_install
40	src_compile pkg_postrm
41
42	-IUSE="kernel_linux"
43	+IUSE="module-signing kernel_linux"
44	SLOT="0"
45	-RDEPEND="kernel_linux? ( virtual/modutils )"
46	+RDEPEND="kernel_linux? ( virtual/modutils )
47	+ module-signing? ( app-crypt/gnupg ) "
48	DEPEND="${RDEPEND}
49	sys-apps/sed
50	kernel_linux? ( virtual/linux-sources )"
51	@@ -208,6 +209,32 @@
52	fi
53	}
54
55	+
56	+# internal function
57	+#
58	+# FUNCTION: check_module_signing
59	+# DESCRIPTION:
60	+# Checks for KERNEL_MODSECKEY, KERNEL_MODPUBKEY and verifies the files
61	exists
62	+check_module_signing() {
63	+ use module-signing \|\| return 1
64	+
65	+ # Check that the configuration is correct
66	+ KERNEL_MODSECKEY=${KERNEL_MODSECKEY:-${KV_DIR}/signing_key.priv}
67	+ KERNEL_MODPUBKEY=${KERNEL_MODPUBKEY:-${KV_DIR}/signing_key.x509}
68	+ if [[ -s ${KERNEL_MODSECKEY} ]]; then
69	+ eerror "KERNEL_MODSECKEY points to a missing or empty file:"
70	+ eerror "${KERNEL_MODSECKEY}"
71	+ die "Invalid KERNEL_MODSECKEY"
72	+ fi
73	+ if [[ -s ${KERNEL_MODPUBKEY} ]]; then
74	+ eerror "KERNEL_MODPUBKEY points to a missing or empty file:"
75	+ eerror "${KERNEL_MODPUBKEY}"
76	+ die "Invalid KERNEL_MODPUBKEY"
77	+ fi
78	+
79	+ return 0
80	+}
81	+
82	# internal function
83	#
84	# FUNCTION: update_depmod
85	@@ -581,6 +608,10 @@
86	return
87	fi
88
89	+ if use module-signing; then
90	+ CONFIG_CHECK+="${CONFIG_CHECK} MODULE_SIG"
91	+ fi
92	+
93	linux-info_pkg_setup;
94	require_configured_kernel
95	check_kernel_built;
96	@@ -710,6 +741,12 @@
97	srcdir=${srcdir:-${S}}
98	objdir=${objdir:-${srcdir}}
99
100	+ if check_module_signing; then
101	+ ebegin "Signing module ${modulename}"
102	+ ${KV_DIR}/scripts/sign-file "${KERNEL_MODSECKEY}" "${KERNEL_MODPUBKEY}"
103	"${objdir}/${modulename}.${KV_OBJ}"
104	+ eend $?
105	+ fi
106	+
107	einfo "Installing ${modulename} module"
108	cd "${objdir}" \|\| die "${objdir} does not exist"
109	insinto /lib/modules/${KV_FULL}/${libdir}

Report Message

Find on MARC Find on Google Groups