eee74b9fca1 adds support for module compression, but this breaks loading
out of tree modules when module signing is enforced because modules must
be signed before they are compressed. Additionally, the recommended
Portage hook[1] no longer works with this change.

Add module signing support in linux-mod.eclass which more or less does
exactly what the aforementioned Portage hook does. If the kernel
configuration has CONFIG_MODULE_SIG_ALL=y, then read the hash and keys
from the kernel configuration and call the sign_file tool to sign the
module before it is compressed.

Bug: https://bugs.gentoo.org/show_bug.cgi?id=447352
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
---
eclass/linux-mod.eclass | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass
index b7c13cbf7e7..fd40f6d7c6c 100644
--- a/eclass/linux-mod.eclass
+++ b/eclass/linux-mod.eclass
@@ -712,6 +712,22 @@ linux-mod_src_install() {
cd "${objdir}" || die "${objdir} does not exist"
insinto "${INSTALL_MOD_PATH}"/lib/modules/${KV_FULL}/${libdir}
+ # check here for CONFIG_MODULE_SIG_ALL and sign the module being built if enabled.
+ # modules must be signed before they are compressed.
+
+ if linux_chkconfig_present MODULE_SIG_ALL; then
+ local module_sig_hash="$(linux_chkconfig_string MODULE_SIG_HASH)"
+ local module_sig_key="$(linux_chkconfig_string MODULE_SIG_KEY)"
+ module_sig_key="${module_sig_key:-certs/signing_key.pem}"
+ if [[ "${module_sig_key#pkcs11:}" == "${module_sig_key}" && "${module_sig_key#/}" == "${module_sig_key}" ]]; then
+ local key_path="${KERNEL_DIR}/${module_sig_key}"
+ else
+ local key_path="${module_sig_key}"
+ fi
+ local cert_path="${KERNEL_DIR}/certs/signing_key.x509" + "${KERNEL_DIR}"/scripts/sign-file ${module_sig_hash//\"} ${key_path//\"} ${cert_path} ${modulename}.${KV_OBJ}
+ fi
+
# check here for CONFIG_MODULE_COMPRESS_<compression option> (NONE, GZIP, XZ, ZSTD)
# and similarily compress the module being built if != NONE.
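Review bot: The pkcs11 and absolute-path tests on module_sig_key run before the quotes are removed, so they may never match. The sign-file line strips `\"` from hash and key_path, which implies linux_chkconfig_string returns the value with its surrounding quotes; in that case `${module_sig_key#pkcs11:}` and `${module_sig_key#/}` both see a leading `"` and leave the string unchanged, every key is treated as relative to KERNEL_DIR, and the `:-certs/signing_key.pem` default is not applied to an empty `""` value. Strip the quotes once, directly after reading the two config strings, and run the default and the prefix tests on the cleaned values.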
--
2.35.1
On 22/06/21 02:19PM, Kenton Groombridge wrote:
eee74b9fca1 adds support for module compression, but this breaks loading
out of tree modules when module signing is enforced because modules must
be signed before they are compressed. Additionally, the recommended
Portage hook[1] no longer works with this change.
Forgot to include this reference:
[1] https://wiki.gentoo.org/wiki/Signed_kernel_module_support#Automatically_signing_kernel_modules_.28Portage.29
Add module signing support in linux-mod.eclass which more or less does
exactly what the aforementioned Portage hook does. If the kernel
configuration has CONFIG_MODULE_SIG_ALL=y, then read the hash and keys
from the kernel configuration and call the sign_file tool to sign the
module before it is compressed.
Bug: https://bugs.gentoo.org/show_bug.cgi?id=447352
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
---
eclass/linux-mod.eclass | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass
index b7c13cbf7e7..fd40f6d7c6c 100644
--- a/eclass/linux-mod.eclass
+++ b/eclass/linux-mod.eclass
@@ -712,6 +712,22 @@ linux-mod_src_install() {
cd "${objdir}" || die "${objdir} does not exist"
insinto "${INSTALL_MOD_PATH}"/lib/modules/${KV_FULL}/${libdir} >>
+ # check here for CONFIG_MODULE_SIG_ALL and sign the module being built if enabled.
+ # modules must be signed before they are compressed.
+
+ if linux_chkconfig_present MODULE_SIG_ALL; then
+ local module_sig_hash="$(linux_chkconfig_string MODULE_SIG_HASH)"
+ local module_sig_key="$(linux_chkconfig_string MODULE_SIG_KEY)"
+ module_sig_key="${module_sig_key:-certs/signing_key.pem}"
+ if [[ "${module_sig_key#pkcs11:}" == "${module_sig_key}" && "${module_sig_key#/}" == "${module_sig_key}" ]]; then
+ local key_path="${KERNEL_DIR}/${module_sig_key}"
+ else
+ local key_path="${module_sig_key}"
+ fi
+ local cert_path="${KERNEL_DIR}/certs/signing_key.x509" >> + "${KERNEL_DIR}"/scripts/sign-file ${module_sig_hash//\"} ${key_path//\"} ${cert_path} ${modulename}.${KV_OBJ}
+ fi
+
# check here for CONFIG_MODULE_COMPRESS_<compression option> (NONE, GZIP, XZ, ZSTD)
# and similarily compress the module being built if != NONE.
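Review bot: The sign-file call has no `|| die`, so a missing key, an unreadable certificate or any other sign-file failure leaves an unsigned module that is still installed and compressed without an error. Append `|| die "signing ${modulename}.${KV_OBJ} failed"`, as the `cd` two lines above the hunk already does, and quote the arguments (`"${key_path}"`, `"${cert_path}"`, `"${modulename}.${KV_OBJ}"`), because two of them expand KERNEL_DIR unquoted and a path containing whitespace would be split.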
--
2.35.1
On 6/21/22 14:21, Kenton Groombridge wrote:
On 22/06/21 02:19PM, Kenton Groombridge wrote:
eee74b9fca1 adds support for module compression, but this breaks loading out of tree modules when module signing is enforced because modules must be signed before they are compressed. Additionally, the recommended Portage hook[1] no longer works with this change.
Forgot to include this reference:
[1] https://wiki.gentoo.org/wiki/Signed_kernel_module_support#Automatically_signing_kernel_modules_.28Portage.29
Add module signing support in linux-mod.eclass which more or less does exactly what the aforementioned Portage hook does. If the kernel configuration has CONFIG_MODULE_SIG_ALL=y, then read the hash and keys from the kernel configuration and call the sign_file tool to sign the module before it is compressed.
Bug: https://bugs.gentoo.org/show_bug.cgi?id=447352
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
---
eclass/linux-mod.eclass | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass
index b7c13cbf7e7..fd40f6d7c6c 100644
--- a/eclass/linux-mod.eclass
+++ b/eclass/linux-mod.eclass
@@ -712,6 +712,22 @@ linux-mod_src_install() {
cd "${objdir}" || die "${objdir} does not exist"
insinto "${INSTALL_MOD_PATH}"/lib/modules/${KV_FULL}/${libdir}
+ # check here for CONFIG_MODULE_SIG_ALL and sign the module being built if enabled.
+ # modules must be signed before they are compressed.
+
+ if linux_chkconfig_present MODULE_SIG_ALL; then
+ local module_sig_hash="$(linux_chkconfig_string MODULE_SIG_HASH)"
+ local module_sig_key="$(linux_chkconfig_string MODULE_SIG_KEY)"
+ module_sig_key="${module_sig_key:-certs/signing_key.pem}"
+ if [[ "${module_sig_key#pkcs11:}" == "${module_sig_key}" && "${module_sig_key#/}" == "${module_sig_key}" ]]; then
+ local key_path="${KERNEL_DIR}/${module_sig_key}"
+ else
+ local key_path="${module_sig_key}"
+ fi
+ local cert_path="${KERNEL_DIR}/certs/signing_key.x509" + "${KERNEL_DIR}"/scripts/sign-file ${module_sig_hash//\"} ${key_path//\"} ${cert_path} ${modulename}.${KV_OBJ}
+ fi
+
# check here for CONFIG_MODULE_COMPRESS_<compression option> (NONE, GZIP, XZ, ZSTD)
# and similarily compress the module being built if != NONE.
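Review bot: The module is signed in the build directory before it is installed, and nothing in the hunk protects the file from being modified afterwards. The signature is appended to the file and covers its whole content, so any later change to the uncompressed .ko (stripping of the installed copy, for instance) leaves a module that no longer verifies. Either exclude the module from stripping in this same block or move the signing step to after the last modification, and record that ordering requirement in the comment above the `if`, next to the existing note about compression.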
--
2.35.1
First of all, thank you for your work!
I appreciate any assistance with enhancement or clean-up of these eclasses.
I tested your patch; are you signing the files in 'work' after they are installed in 'image'?
/usr/src/linux/scripts/extract-module-sig.pl -s ./work/kernel/nvidia.ko > /tmp/sig
Read 47802433 bytes from module file
Found magic number at 47802433
Found PKCS#7/CMS encapsulation
Found 681 bytes of signature [308202a506092a864886f70d010702a0]
/usr/src/linux/scripts/extract-module-sig.pl -s ./image/lib/modules/5.18.6-gentoo/video/nvidia.ko > /tmp/sig
Read 47227784 bytes from module file
Magic number not found at 47227784
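The two extract-module-sig.pl runs above tell a signed module from one that lost its signature by looking for the trailer at the end of the file. The following is an added example, not code from the thread or the eclass: it performs the same check in POSIX sh, also looks inside gzip-compressed modules, and flags a signature that was appended to the compressed container. It assumes the kernel's appended-signature layout (signature, 12-byte descriptor ending in a big-endian signature length, 28-byte magic string); the function names and sample files are constructed for the example.

```sh
#!/bin/sh
# Added example: classify a module file by its appended-signature trailer.
# Assumed layout at end of file:
#   <module> <signature> <12-byte descriptor, last 4 bytes = BE sig length> <magic>

MODSIG_MAGIC='~Module signature appended~'   # plus a trailing newline = 28 bytes

# hex_tail FILE N: the last N bytes of FILE as one lowercase hex string.
hex_tail() { tail -c "$2" "$1" | od -An -v -tx1 | tr -d ' \t\n'; }

# has_sig_magic FILE: true if FILE ends with the signature magic.
has_sig_magic() {
    want=$(printf '%s\n' "$MODSIG_MAGIC" | od -An -v -tx1 | tr -d ' \t\n')
    [ "$(hex_tail "$1" 28)" = "$want" ]
}

# raw_sig_state FILE: prints "signed:<len>", "unsigned" or "corrupt"
# for an uncompressed module file.
raw_sig_state() {
    has_sig_magic "$1" || { echo unsigned; return 0; }
    size=$(($(wc -c < "$1")))
    [ "$size" -ge 40 ] || { echo corrupt; return 0; }
    # Hex characters 17-24 of the 40-byte tail are the big-endian length.
    len=$((0x$(hex_tail "$1" 40 | cut -c17-24)))
    # Signature plus descriptor plus magic cannot exceed the file size.
    if [ "$len" -gt 0 ] && [ $((len + 40)) -le "$size" ]; then
        echo "signed:$len"
    else
        echo corrupt
    fi
}

# module_sig_state FILE: like raw_sig_state, but decompresses *.gz first and
# reports "signed-after-compression" when the trailer sits on the .gz itself.
module_sig_state() {
    case $1 in
    *.gz)
        if has_sig_magic "$1"; then echo signed-after-compression; return 0; fi
        tmp=$(mktemp) || return 1
        if gzip -dc "$1" > "$tmp" 2>/dev/null; then
            raw_sig_state "$tmp"
        else
            echo corrupt
        fi
        rm -f "$tmp" ;;
    *)  raw_sig_state "$1" ;;
    esac
}

# build_samples DIR: constructed stand-ins for the cases discussed in the thread.
build_samples() {
    # The module without a trailer, like the 'image' copy in the test output.
    printf 'constructed module payload, not a real ELF object' > "$1/stripped.ko"
    {   cat "$1/stripped.ko"
        printf 'FAKE-SIGNATURE--'                                  # 16 bytes
        printf '\000\000\002\000\000\000\000\000\000\000\000\020'  # sig_len = 16
        printf '%s\n' "$MODSIG_MAGIC"
    } > "$1/signed.ko"
    # Intended order: sign, then compress.
    gzip -c "$1/signed.ko" > "$1/signed.ko.gz"
    # Wrong order: compress, then append signature and trailer to the .gz.
    {   gzip -c "$1/stripped.ko"
        tail -c 56 "$1/signed.ko"                                  # 16 + 12 + 28
    } > "$1/late.ko.gz"
}

# Demo run on the constructed samples.
if demo_dir=$(mktemp -d); then
    build_samples "$demo_dir"
    for f in signed.ko stripped.ko signed.ko.gz late.ko.gz; do
        printf '%-14s %s\n' "$f" "$(module_sig_state "$demo_dir/$f")"
    done
    rm -rf "$demo_dir"
fi
```

Only gzip is handled; modules compressed with xz or zstd would need the matching decompressor in the `case` branch.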
On Tue, 2022-06-21 at 14:19 -0400, Kenton Groombridge wrote:
eee74b9fca1 adds support for module compression, but this breaks loading
out of tree modules when module signing is enforced because modules must
be signed before they are compressed. Additionally, the recommended
Portage hook[1] no longer works with this change.
Add module signing support in linux-mod.eclass which more or less does
exactly what the aforementioned Portage hook does. If the kernel
configuration has CONFIG_MODULE_SIG_ALL=y, then read the hash and keys
from the kernel configuration and call the sign_file tool to sign the
module before it is compressed.
Bug: https://bugs.gentoo.org/show_bug.cgi?id=447352
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
---
eclass/linux-mod.eclass | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass
index b7c13cbf7e7..fd40f6d7c6c 100644
--- a/eclass/linux-mod.eclass
+++ b/eclass/linux-mod.eclass
@@ -712,6 +712,22 @@ linux-mod_src_install() { cd "${objdir}" || die "${objdir} does not exist"
insinto "${INSTALL_MOD_PATH}"/lib/modules/${KV_FULL}/${libdir}
+ # check here for CONFIG_MODULE_SIG_ALL and sign the
module being built if enabled.
+ # modules must be signed before they are compressed.
+
+ if linux_chkconfig_present MODULE_SIG_ALL; then
+ local module_sig_hash="$(linux_chkconfig_string MODULE_SIG_HASH)" + local module_sig_key="$(linux_chkconfig_string MODULE_SIG_KEY)" + module_sig_key="${module_sig_key:-
certs/signing_key.pem}"
+ if [[ "${module_sig_key#pkcs11:}" ==
"${module_sig_key}" && "${module_sig_key#/}" == "${module_sig_key}"
]]; then + local key_path="${KERNEL_DIR}/${module_sig_key}" + else + local key_path="${module_sig_key}"
+ fi + local cert_path="${KERNEL_DIR}/certs/signing_key.x509" + "${KERNEL_DIR}"/scripts/sign-file
${module_sig_hash//\"} ${key_path//\"} ${cert_path}
${modulename}.${KV_OBJ}
+ fi
+
# check here for CONFIG_MODULE_COMPRESS_<compression
option> (NONE, GZIP, XZ, ZSTD)
# and similarily compress the module being built if
!= NONE.
Hi,
I've spent some time in the past (circa 2018) to get this in, but
gave up due to various reasons, I was not a gentoo dev yet at the time.
I can't see how posted implementation will work tbh.
portage will strip signature out of the module, unless you prevent
stripping completely or package uses EAPI>=7, and omits stripping
modules via dostrip -x on the ko object.
kernel will NOT load module with stripped signature.
so either you have to sign in pkg_postinst phase, or prevent stripping.
signing in postinst is not ideal, because it breaks recorded file
checksums in vdb.
here's old fork of eclass I made, maybe you can find some helpful code
in there
https://github.com/gyakovlev/linux-mod.eclass/blob/master/linux-mod.eclass
old ML discussion we had: https://archives.gentoo.org/gentoo-dev/message/4b15b1c851f379a1f802e2f2895cdfa8
You will also need a dependency on openssl, since sign-file uses it.
lmk if you need more info, I might remember more details, but for now
that's all I have. I'll try to help get it done, but my availability is
spotty due to limited time.
On Sun, 2022-06-26 at 03:52 -0700, Georgy Yakovlev wrote:
On Tue, 2022-06-21 at 14:19 -0400, Kenton Groombridge wrote:
eee74b9fca1 adds support for module compression, but this breaks loading
out of tree modules when module signing is enforced because modules must
be signed before they are compressed. Additionally, the recommended
Portage hook[1] no longer works with this change.
Add module signing support in linux-mod.eclass which more or less does
exactly what the aforementioned Portage hook does. If the kernel
configuration has CONFIG_MODULE_SIG_ALL=y, then read the hash and keys
from the kernel configuration and call the sign_file tool to sign the
module before it is compressed.
Bug: https://bugs.gentoo.org/show_bug.cgi?id=447352
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
---
eclass/linux-mod.eclass | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass
index b7c13cbf7e7..fd40f6d7c6c 100644
--- a/eclass/linux-mod.eclass
+++ b/eclass/linux-mod.eclass
@@ -712,6 +712,22 @@ linux-mod_src_install() { cd "${objdir}" || die "${objdir} does not exist"
insinto "${INSTALL_MOD_PATH}"/lib/modules/${KV_FULL}/${libdir}
+ # check here for CONFIG_MODULE_SIG_ALL and sign the
module being built if enabled.
+ # modules must be signed before they are compressed.
+
+ if linux_chkconfig_present MODULE_SIG_ALL; then
+ local module_sig_hash="$(linux_chkconfig_string MODULE_SIG_HASH)" + local module_sig_key="$(linux_chkconfig_string MODULE_SIG_KEY)" + module_sig_key="${module_sig_key:-
certs/signing_key.pem}"
+ if [[ "${module_sig_key#pkcs11:}" ==
"${module_sig_key}" && "${module_sig_key#/}" == "${module_sig_key}"
]]; then + local key_path="${KERNEL_DIR}/${module_sig_key}" + else + local key_path="${module_sig_key}"
+ fi + local cert_path="${KERNEL_DIR}/certs/signing_key.x509" + "${KERNEL_DIR}"/scripts/sign-file
${module_sig_hash//\"} ${key_path//\"} ${cert_path} ${modulename}.${KV_OBJ}
+ fi
+
# check here for CONFIG_MODULE_COMPRESS_<compression
option> (NONE, GZIP, XZ, ZSTD)
# and similarily compress the module being built if
!= NONE.
Hi,
I've spent some time in the past (circa 2018) to get this in, but
gave up due to various reasons, I was not a gentoo dev yet at the time.
I can't see how posted implementation will work tbh.
portage will strip signature out of the module, unless you prevent
stripping completely or package uses EAPI>=7, and omits stripping
modules via dostrip -x on the ko object.
kernel will NOT load module with stripped signature.
so either you have to sign in pkg_postinst phase, or prevent stripping.
signing in postinst is not ideal, because it breaks recorded file
checksums in vdb.
here's old fork of eclass I made, maybe you can find some helpful code
in there
https://github.com/gyakovlev/linux-mod.eclass/blob/master/linux-mod.eclass
old ML discussion we had: https://archives.gentoo.org/gentoo-dev/message/4b15b1c851f379a1f802e2f2895cdfa8
You will also need a dependency on openssl, since sign-file uses it.
lmk if you need more info, I might remember more details, but for now
that's all I have. I'll try to help get it done, but my availability is
spotty due to limited time.
after reading my old code again and thinking more I think I know what's
going on.
1. I've actually solved checksum/strip problem by signing in pkg-preinst
2. my method will likely fail with compressed modules.
3. your method likely works only if modules are compressed - because
portage does not strip those I think.
so looks like we need to combine both methods and do the following:
- if signing requested without compression - sign in pkg_preinst.
- if signing requested with compression - sign in src_install
Do I make sense? I still haven't tested it, just guessing as I read my
old bash code.
so looks like we need to combine both methods and do the following:
- if signing requested without compression - sign in pkg_preinst.
- if signing requested with compression - sign in src_install
Why can't we do both in pkg_preinst? I am thinking it would be best if
we drop the current compression implementation and rework your old code
to handle both compression and signing since the signing code is more or
less already complete.
On 22/06/26 04:15AM, Georgy Yakovlev wrote:
On Sun, 2022-06-26 at 03:52 -0700, Georgy Yakovlev wrote:
On Tue, 2022-06-21 at 14:19 -0400, Kenton Groombridge wrote:
eee74b9fca1 adds support for module compression, but this breaks loading
out of tree modules when module signing is enforced because modules must
be signed before they are compressed. Additionally, the recommended
Portage hook[1] no longer works with this change.
Add module signing support in linux-mod.eclass which more or less does
exactly what the aforementioned Portage hook does. If the kernel
configuration has CONFIG_MODULE_SIG_ALL=y, then read the hash and keys
from the kernel configuration and call the sign_file tool to sign the
module before it is compressed.
Bug: https://bugs.gentoo.org/show_bug.cgi?id=447352
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
---
eclass/linux-mod.eclass | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass
index b7c13cbf7e7..fd40f6d7c6c 100644
--- a/eclass/linux-mod.eclass
+++ b/eclass/linux-mod.eclass
@@ -712,6 +712,22 @@ linux-mod_src_install() { cd "${objdir}" || die "${objdir} does not
exist"
insinto "${INSTALL_MOD_PATH}"/lib/modules/${KV_FULL}/${libdir}
+ # check here for CONFIG_MODULE_SIG_ALL and sign
the
module being built if enabled.
+ # modules must be signed before they are compressed.
+
+ if linux_chkconfig_present MODULE_SIG_ALL; then
+ local module_sig_hash="$(linux_chkconfig_string MODULE_SIG_HASH)" + local module_sig_key="$(linux_chkconfig_string MODULE_SIG_KEY)" + module_sig_key="${module_sig_key:-
certs/signing_key.pem}" + if [[ "${module_sig_key#pkcs11:}" ==
"${module_sig_key}" && "${module_sig_key#/}" ==
"${module_sig_key}"
]]; then + local key_path="${KERNEL_DIR}/${module_sig_key}" + else + local key_path="${module_sig_key}" + fi + local cert_path="${KERNEL_DIR}/certs/signing_key.x509" + "${KERNEL_DIR}"/scripts/sign-file
${module_sig_hash//\"} ${key_path//\"} ${cert_path} ${modulename}.${KV_OBJ}
+ fi
+
# check here for CONFIG_MODULE_COMPRESS_<compression
option> (NONE, GZIP, XZ, ZSTD)
# and similarily compress the module being
built if
!= NONE.
Hi,
I've spent some time in the past (circa 2018) to get this in, but
gave up due to various reasons, I was not a gentoo dev yet at the time.
I can't see how posted implementation will work tbh.
portage will strip signature out of the module, unless you prevent
stripping completely or package uses EAPI>=7, and omits stripping
modules via dostrip -x on the ko object.
kernel will NOT load module with stripped signature.
so either you have to sign in pkg_postinst phase, or prevent stripping.
signing in postinst is not ideal, because it breaks recorded file
checksums in vdb.
here's old fork of eclass I made, maybe you can find some helpful code
in there
https://github.com/gyakovlev/linux-mod.eclass/blob/master/linux-mod.eclass
old ML discussion we had: https://archives.gentoo.org/gentoo-dev/message/4b15b1c851f379a1f802e2f2895cdfa8
You will also need a dependency on openssl, since sign-file uses it.
lmk if you need more info, I might remember more details, but for now
that's all I have. I'll try to help get it done, but my availability is
spotty due to limited time.
after reading my old code again and thinking more I think I know what's
going on.
1. I've actually solved checksum/strip problem by signing in pkg-preinst
2. my method will likely fail with compressed modules.
3. your method likely works only if modules are compressed - because
portage does not strip those I think.
This is exactly what I was thinking. I'm pretty sure I wasn't seeing the
problematic signature stripping behavior because I have module
compression enabled.
Also good point about the OpenSSL dependency. That's something I didn't
consider.
so looks like we need to combine both methods and do the following:
- if signing requested without compression - sign in pkg_preinst.
- if signing requested with compression - sign in src_install
Why can't we do both in pkg_preinst? I am thinking it would be best if
we drop the current compression implementation and rework your old code
to handle both compression and signing since the signing code is more or
less already complete.
Do I make sense? I still haven't tested it, just guessing as I read my
old bash code.
On Mon, Jun 27, 2022 at 2:35 PM Kenton Groombridge <concord@gentoo.org> wrote:
so looks like we need to combine both methods and do the following:
- if signing requested without compression - sign in pkg_preinst.
- if signing requested with compression - sign in src_install
Why can't we do both in pkg_preinst? I am thinking it would be best if
we drop the current compression implementation and rework your old code
to handle both compression and signing since the signing code is more or less already complete.
Signing modules in pkg_preinst seems like a bad idea to me. That means
you need to copy your private keys around to every host where the
package might be installed.
If you sign in src_compile or src_install, you only need private keys
on the system building your binpkg.
On Mon, 2022-06-27 at 14:56 -0400, Mike Gilbert wrote:
On Mon, Jun 27, 2022 at 2:35 PM Kenton Groombridge <concord@gentoo.org> wrote:
so looks like we need to combine both methods and do the following:
- if signing requested without compression - sign in pkg_preinst.
- if signing requested with compression - sign in src_install
Why can't we do both in pkg_preinst? I am thinking it would be best if
we drop the current compression implementation and rework your old code
to handle both compression and signing since the signing code is more or
less already complete.
Signing modules in pkg_preinst seems like a bad idea to me. That means
you need to copy your private keys around to every host where the
package might be installed.
If you sign in src_compile or src_install, you only need private keys
on the system building your binpkg.
unfortunately portage will unconditionally strip .ko objects, rendering
modules unloadable by stripping signature, unless we do dostrip -x
(requires EAPI7+, which should not be a problem nowadays, but was a
problem back in 2018), which can be quite unfortunate on debug enabled
kernels.
Why can't we do both in pkg_preinst? I am thinking it would be best if
we drop the current compression implementation and rework your old code
to handle both compression and signing since the signing code is more or
less already complete.
i'm not sure if sign-file can sign compressed modules.
if we let kernel build handle compression - we have to sign prior to
compression.
if we compress modules ourselves then yes, we could sign first indeed.
but preinst has its own issues, you've already seen floppym's remark.
On Mon, Jun 27, 2022 at 3:42 PM Georgy Yakovlev <gyakovlev@gentoo.org> wrote:
On Mon, 2022-06-27 at 14:56 -0400, Mike Gilbert wrote:
On Mon, Jun 27, 2022 at 2:35 PM Kenton Groombridge <concord@gentoo.org> wrote:
so looks like we need to combine both methods and do the following:
- if signing requested without compression - sign in pkg_preinst.
- if signing requested with compression - sign in src_install
Why can't we do both in pkg_preinst? I am thinking it would be best if
we drop the current compression implementation and rework your old code
to handle both compression and signing since the signing code is more or
less already complete.
Signing modules in pkg_preinst seems like a bad idea to me. That means
you need to copy your private keys around to every host where the
package might be installed.
If you sign in src_compile or src_install, you only need private keys
on the system building your binpkg.
unfortunately portage will unconditionally strip .ko objects, rendering
modules unloadable by stripping signature, unless we do dostrip -x
(requires EAPI7+, which should not be a problem nowadays, but was a
problem back in 2018), which can be quite unfortunate on debug enabled
kernels.
Sounds like something to fix/change in Portage. It could probably be
updated to not strip the signature. However, I would guess the
signature needs to be updated after the binary is modified in any case.
Or as a workaround you could disable automatic stripping via dostrip -x
and run the proper commands to strip the modules in src_install as well.
Why can't we do both in pkg_preinst? I am thinking it would be best if
we drop the current compression implementation and rework your old code
to handle both compression and signing since the signing code is more or
less already complete.
i'm not sure if sign-file can sign compressed modules.
sign-file will not error when signing a compressed module, but the
kernel will not be able to load it.
if we let kernel build handle compression - we have to sign prior to
compression.
if we compress modules ourselves then yes, we could sign first indeed.
but preinst has its own issues, you've already seen floppym's remark.
On Mon, 2022-06-27 at 15:49 -0400, Mike Gilbert wrote:
On Mon, Jun 27, 2022 at 3:42 PM Georgy Yakovlev <gyakovlev@gentoo.org> wrote:
On Mon, 2022-06-27 at 14:56 -0400, Mike Gilbert wrote:
On Mon, Jun 27, 2022 at 2:35 PM Kenton Groombridge <concord@gentoo.org> wrote:
so looks like we need to combine both methods and do the following:
- if signing requested without compression - sign in pkg_preinst.
- if signing requested with compression - sign in src_install
Why can't we do both in pkg_preinst? I am thinking it would be best if
we drop the current compression implementation and rework your old code
to handle both compression and signing since the signing code is more or
less already complete.
Signing modules in pkg_preinst seems like a bad idea to me. That means
you need to copy your private keys around to every host where the
package might be installed.
If you sign in src_compile or src_install, you only need private keys
on the system building your binpkg.
unfortunately portage will unconditionally strip .ko objects, rendering
modules unloadable by stripping signature, unless we do dostrip -x
(requires EAPI7+, which should not be a problem nowadays, but was a
problem back in 2018), which can be quite unfortunate on debug enabled
kernels.
Sounds like something to fix/change in Portage. It could probably be
updated to not strip the signature. However, I would guess the
signature needs to be updated after the binary is modified in any case.
Or as a workaround you could disable automatic stripping via dostrip -x
and run the proper commands to strip the modules in src_install as well.
I think even strip itself does not have proper options not to break
module. Several years back it was the case, basically one has to strip
first, sign second, otherwise module will be unloadable.
"Signed modules are BRITTLE as the signature is outside of the defined
ELF container. Thus they MAY NOT be stripped once the signature is
computed and attached. Note the entire module is the signed payload,
including any and all debug information present at the time of
signing."
https://www.kernel.org/doc/html/v4.15/admin-guide/module-signing.html#signed-modules-and-stripping
On Mon, Jun 27, 2022 at 5:11 PM Georgy Yakovlev <gyakovlev@gentoo.org> wrote:
On Mon, 2022-06-27 at 15:49 -0400, Mike Gilbert wrote:
On Mon, Jun 27, 2022 at 3:42 PM Georgy Yakovlev <gyakovlev@gentoo.org> wrote:
On Mon, 2022-06-27 at 14:56 -0400, Mike Gilbert wrote:
On Mon, Jun 27, 2022 at 2:35 PM Kenton Groombridge <concord@gentoo.org> wrote:
so looks like we need to combine both methods and do the following:
- if signing requested without compression - sign in pkg_preinst.
- if signing requested with compression - sign in src_install
Why can't we do both in pkg_preinst? I am thinking it would be best if
we drop the current compression implementation and rework your old code
to handle both compression and signing since the signing code is more or
less already complete.
Signing modules in pkg_preinst seems like a bad idea to me. That means
you need to copy your private keys around to every host where the
package might be installed.
If you sign in src_compile or src_install, you only need private keys
on the system building your binpkg.
unfortunately portage will unconditionally strip .ko objects, rendering
modules unloadable by stripping signature, unless we do dostrip -x
(requires EAPI7+, which should not be a problem nowadays, but was a
problem back in 2018), which can be quite unfortunate on debug enabled
kernels.
Sounds like something to fix/change in Portage. It could probably be
updated to not strip the signature. However, I would guess the
signature needs to be updated after the binary is modified in any case.
Or as a workaround you could disable automatic stripping via dostrip -x
and run the proper commands to strip the modules in src_install as well.
I think even strip itself does not have proper options not to break
module. Several years back it was the case, basically one has to strip
first, sign second, otherwise module will be unloadable.
"Signed modules are BRITTLE as the signature is outside of the defined
ELF container. Thus they MAY NOT be stripped once the signature is
computed and attached. Note the entire module is the signed payload,
including any and all debug information present at the time of
signing."
https://www.kernel.org/doc/html/v4.15/admin-guide/module-signing.html#signed-modules-and-stripping
In that case, I think the only viable way to make this work is to
disable automatic stripping and handle stripping via custom code in
the ebuild/eclass.
In that case, I think the only viable way to make this work is to
disable automatic stripping and handle stripping via custom code in
the ebuild/eclass.
might work indeed if we do something like (pseudo-bash)
# pseudo-bash: the strip, sign and compress helpers below are placeholder names
if [[ ${module_sign} == yes ]]; then
    dostrip -x /lib/modules # to stop portage stripping .ko objects
    manual-strip-respecting-features-nostrip -r /lib/modules
    sign-all-modules -r /lib/modules
fi
[[ ${compress_modules} == yes ]] && compress-modules -r /lib/modules
this will require eapi-bumping couple of packages https://qa-reports.gentoo.org/output/eapi-per-eclass/linux-mod.eclass/6.txt and restricting linux-mod.eclass to eapi7 or later.
started playing with my old code and got blocked right away:
looks like dostrip just creates a list of files/directories to strip
and processed at the very end of install phase.
so skipping strip and doing manual one might be problematic.
internally portage uses estrip https://github.com/gentoo/portage/blob/master/bin/estrip
which contains quite a lot of logic and code and I don't think
partially re-implementing this in eclass code is appropriate.