On 22/06/23 08:51AM, Mike Pagano wrote: > On 6/21/22 14:21, Kenton Groombridge wrote: > > On 22/06/21 02:19PM, Kenton Groombridge wrote: > > > eee74b9fca1 adds support for module compression, but this breaks loading > > > out of tree modules when module signing is enforced because modules must > > > be signed before they are compressed. Additionally, the recommended > > > Portage hook[1] no longer works with this change. > > > > > > > Forgot to include this reference: > > > > [1] > > https://wiki.gentoo.org/wiki/Signed_kernel_module_support#Automatically_signing_kernel_modules_.28Portage.29 > > > > > Add module signing support in linux-mod.eclass which more or less does > > > exactly what the aforementioned Portage hook does. If the kernel > > > configuration has CONFIG_MODULE_SIG_ALL=y, then read the hash and keys > > > from the kernel configuration and call the sign_file tool to sign the > > > module before it is compressed. > > > > > > Bug: https://bugs.gentoo.org/show_bug.cgi?id=447352 > > > Signed-off-by: Kenton Groombridge <conc...@gentoo.org> > > > --- > > > eclass/linux-mod.eclass | 16 ++++++++++++++++ > > > 1 file changed, 16 insertions(+) > > > > > > diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass > > > index b7c13cbf7e7..fd40f6d7c6c 100644 > > > --- a/eclass/linux-mod.eclass > > > +++ b/eclass/linux-mod.eclass > > > @@ -712,6 +712,22 @@ linux-mod_src_install() { > > > cd "${objdir}" || die "${objdir} does not exist" > > > insinto > > > "${INSTALL_MOD_PATH}"/lib/modules/${KV_FULL}/${libdir} > > > + # check here for CONFIG_MODULE_SIG_ALL and sign the module > > > being built if enabled. > > > + # modules must be signed before they are compressed. > > > + > > > + if linux_chkconfig_present MODULE_SIG_ALL; then > > > + local module_sig_hash="$(linux_chkconfig_string > > > MODULE_SIG_HASH)" > > > + local module_sig_key="$(linux_chkconfig_string > > > MODULE_SIG_KEY)" > > > + > > > module_sig_key="${module_sig_key:-certs/signing_key.pem}" > > > + if [[ "${module_sig_key#pkcs11:}" == > > > "${module_sig_key}" && "${module_sig_key#/}" == "${module_sig_key}" ]]; > > > then > > > + local key_path="${KERNEL_DIR}/${module_sig_key}" > > > + else > > > + local key_path="${module_sig_key}" > > > + fi > > > + local cert_path="${KERNEL_DIR}/certs/signing_key.x509" > > > + "${KERNEL_DIR}"/scripts/sign-file > > > ${module_sig_hash//\"} ${key_path//\"} ${cert_path} > > > ${modulename}.${KV_OBJ} > > > + fi > > > + > > > # check here for CONFIG_MODULE_COMPRESS_<compression > > > option> (NONE, GZIP, XZ, ZSTD) > > > # and similarily compress the module being built if != > > > NONE. > > > -- > > > 2.35.1 > > > > > > > > > First of all, thank-you for your work ! > I appreciate any assistance with enhancement or clean-up of these eclasses. > > I tested your patch, are you signing the files in 'work' after they are > installed in 'image' ? > > > /usr/src/linux/scripts/extract-module-sig.pl -s ./work/kernel/nvidia.ko > > /tmp/sig > Read 47802433 bytes from module file > Found magic number at 47802433 > Found PKCS#7/CMS encapsulation > Found 681 bytes of signature [308202a506092a864886f70d010702a0] > > /usr/src/linux/scripts/extract-module-sig.pl -s > ./image/lib/modules/5.18.6-gentoo/video/nvidia.ko > /tmp/sig > Read 47227784 bytes from module file > Magic number not found at 47227784 >
Thanks for testing! That's odd. In my environment they are signed in 'work' before installing to 'image' as they should be. # unzstd /lib/modules/5.15.48-gentoo/misc/p_lkrg.ko.zst /lib/modules/5.15.48-gentoo/misc/p_lkrg.ko.zst: 436681 bytes # /usr/src/linux/scripts/extract-module-sig.pl -s /lib/modules/5.15.48-gentoo/misc/p_lkrg.ko >sig Read 436681 bytes from module file Found magic number at 436681 Found PKCS#7/CMS encapsulation Found 681 bytes of signature [308202a506092a864886f70d010702a0] The installation of modules in linux-mod_src_install happens after signing and compression, so unless I am missing something that shouldn't be happening.
signature.asc
Description: PGP signature
