This is the same patch posted earlier but with the feedback from Steven J. |
Long from the last post on the previous thread. (Thanks!) |
|
|
|
Signed kernel modules require that the kernel is compiled with |
CONFIG_MODULE_SIG=y so that during compilation, the public key hash is |
stored in the kernel so that it can be verified later when insmod'ing an |
external module. There is no problem with in-tree modules; these are signed |
correctly and loaded. The problem is with out-of-tree modules installed |
by portage; these are not "signing aware". |
|
So this patch adds a new USE flag to the linux-mod.eclass named |
"module-signing". When enabled, it will check that the user has selected all |
the correct config options in the kernel, and optionally, where the |
private and public parts of the key are, so that the module is signed at |
install time. If any of these checks fail, the installation of the module is |
aborted. |
|
From the end user perspective, if he wants to add support for this, all he |
has to do is enable CONFIG_MODULE_SIG in the kernel. If no keys are found |
during the build, one will be generated. If one wants to create a key |
himself, it's also possible to use that key; he just has to name it |
signing_key.priv and signing_key.x509 and put them under /usr/src/linux. |
After the kernel is compiled, these keys can be moved elsewhere and the path |
to them specified in make.conf under the vars KERNEL_MODSECKEY and |
KERNEL_MODPUBKEY. |
|
Patch below for review, discussion and testing. |
Thanks, |
Carlos Silva |
|
|
|
--- linux-mod.eclass 2012-09-15 16:31:15.000000000 +0000 |
36 |
+++ linux-mod.eclass 2013-03-11 18:58:34.075561064 -0100 |
37 |
@@ -125,9 +125,10 @@ |
38 |
inherit eutils linux-info multilib |
39 |
EXPORT_FUNCTIONS pkg_setup pkg_preinst pkg_postinst src_install |
40 |
src_compile pkg_postrm |
41 |
|
42 |
-IUSE="kernel_linux" |
43 |
+IUSE="module-signing kernel_linux" |
44 |
SLOT="0" |
45 |
-RDEPEND="kernel_linux? ( virtual/modutils )" |
46 |
+RDEPEND="kernel_linux? ( virtual/modutils ) |
47 |
+ module-signing? ( app-crypt/gnupg ) " |
48 |
DEPEND="${RDEPEND} |
49 |
sys-apps/sed |
50 |
kernel_linux? ( virtual/linux-sources )" |
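Review bot: The new RDEPEND entry `module-signing? ( app-crypt/gnupg )` does not obviously match the tool the patch actually runs, `${KV_DIR}/scripts/sign-file`, which in the kernel trees that introduced CONFIG_MODULE_SIG is, as far as I recall, a perl script driving openssl rather than gpg; if that holds for the targeted kernels, the runtime dependency should presumably be `dev-libs/openssl` (plus perl) instead, so please confirm against the kernel's scripts/sign-file before merging. A one-line comment above the dependency naming which program sign-file needs would keep the two from drifting apart again. Minor: the trailing space inside `module-signing? ( app-crypt/gnupg ) "` is harmless but unusual for dependency strings.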
51 |
@@ -208,6 +209,32 @@ |
52 |
fi |
53 |
} |
54 |
|
55 |
+ |
56 |
+# internal function |
57 |
+# |
58 |
+# FUNCTION: check_module_signing |
59 |
+# DESCRIPTION: |
60 |
+# Checks for KERNEL_MODSECKEY, KERNEL_MODPUBKEY and verifies the files |
61 |
exists |
62 |
+check_module_signing() { |
63 |
+ use module-signing || return 1 |
64 |
+ |
65 |
+ # Check that the configuration is correct |
66 |
+ KERNEL_MODSECKEY=${KERNEL_MODSECKEY:-${KV_DIR}/signing_key.priv} |
67 |
+ KERNEL_MODPUBKEY=${KERNEL_MODPUBKEY:-${KV_DIR}/signing_key.x509} |
68 |
+ if [[ -s ${KERNEL_MODSECKEY} ]]; then |
69 |
+ eerror "KERNEL_MODSECKEY points to a missing or empty file:" |
70 |
+ eerror "${KERNEL_MODSECKEY}" |
71 |
+ die "Invalid KERNEL_MODSECKEY" |
72 |
+ fi |
73 |
+ if [[ -s ${KERNEL_MODPUBKEY} ]]; then |
74 |
+ eerror "KERNEL_MODPUBKEY points to a missing or empty file:" |
75 |
+ eerror "${KERNEL_MODPUBKEY}" |
76 |
+ die "Invalid KERNEL_MODPUBKEY" |
77 |
+ fi |
78 |
+ |
79 |
+ return 0 |
80 |
+} |
81 |
+ |
82 |
# internal function |
83 |
# |
84 |
# FUNCTION: update_depmod |
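Review bot: Both file checks in check_module_signing are inverted: `[[ -s ${KERNEL_MODSECKEY} ]]` is true when the file exists and is non-empty, so the function dies precisely when a valid key is present and passes silently when the key is missing, the opposite of what the eerror text says. They should read `if [[ ! -s ${KERNEL_MODSECKEY} ]]; then` and `if [[ ! -s ${KERNEL_MODPUBKEY} ]]; then`. Since sign-file has to read the private key at install time, testing readability as well (`! -r`) would turn a later opaque sign-file failure into a clear message. It is also worth a comment that the early `use module-signing || return 1` and the `die` paths deliberately differ: a non-zero return means "signing disabled" and is expected by the caller, whereas a bad key path must abort.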
85 |
@@ -581,6 +608,10 @@ |
86 |
return |
87 |
fi |
88 |
|
89 |
+ if use module-signing; then |
90 |
+ CONFIG_CHECK+="${CONFIG_CHECK} MODULE_SIG" |
91 |
+ fi |
92 |
+ |
93 |
linux-info_pkg_setup; |
94 |
require_configured_kernel |
95 |
check_kernel_built; |
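Review bot: `CONFIG_CHECK+="${CONFIG_CHECK} MODULE_SIG"` duplicates the existing list, because `+=` already appends to the current value; the result is the previous contents twice followed by MODULE_SIG, so every pre-existing option is checked, and any diagnostic printed, twice. It should be `CONFIG_CHECK+=" MODULE_SIG"`. The enclosing pkg_setup function starts outside this hunk.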
96 |
@@ -710,6 +741,12 @@ |
97 |
srcdir=${srcdir:-${S}} |
98 |
objdir=${objdir:-${srcdir}} |
99 |
|
100 |
+ if check_module_signing; then |
101 |
+ ebegin "Signing module ${modulename}" |
102 |
+ ${KV_DIR}/scripts/sign-file "${KERNEL_MODSECKEY}" "${KERNEL_MODPUBKEY}" |
103 |
"${objdir}/${modulename}.${KV_OBJ}" |
104 |
+ eend $? |
105 |
+ fi |
106 |
+ |
107 |
einfo "Installing ${modulename} module" |
108 |
cd "${objdir}" || die "${objdir} does not exist" |
109 |
insinto /lib/modules/${KV_FULL}/${libdir} |
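Review bot: A failed signature is not fatal here: `eend $?` only reports sign-file's exit status, so on failure the build continues into the einfo/insinto steps below and installs the unsigned module, and the problem surfaces only later when the kernel refuses or taints on load. Given that the flag exists to guarantee a signed module, the status line should abort, `eend $? || die "Failed to sign ${modulename}"`. The sign-file path should also be quoted, `"${KV_DIR}/scripts/sign-file"`, consistently with the other arguments on that line. The `"${objdir}/${modulename}.${KV_OBJ}"` argument appears to be a mail-client wrap of the sign-file line rather than a separate line; the enclosing install function starts outside this hunk.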