On 22/06/26 04:15AM, Georgy Yakovlev wrote:
> On Sun, 2022-06-26 at 03:52 -0700, Georgy Yakovlev wrote:
> > On Tue, 2022-06-21 at 14:19 -0400, Kenton Groombridge wrote:
> > > eee74b9fca1 adds support for module compression, but this breaks
> > > loading out of tree modules when module signing is enforced because
> > > modules must be signed before they are compressed. Additionally, the
> > > recommended Portage hook[1] no longer works with this change.
> > > 
> > > Add module signing support in linux-mod.eclass which more or less does
> > > exactly what the aforementioned Portage hook does. If the kernel
> > > configuration has CONFIG_MODULE_SIG_ALL=y, then read the hash and keys
> > > from the kernel configuration and call the sign_file tool to sign the
> > > module before it is compressed.
> > > 
> > > Bug: https://bugs.gentoo.org/show_bug.cgi?id=447352
> > > Signed-off-by: Kenton Groombridge <conc...@gentoo.org>
> > > ---
> > >  eclass/linux-mod.eclass | 16 ++++++++++++++++
> > >  1 file changed, 16 insertions(+)
> > > 
> > > diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass
> > > index b7c13cbf7e7..fd40f6d7c6c 100644
> > > --- a/eclass/linux-mod.eclass
> > > +++ b/eclass/linux-mod.eclass
> > > @@ -712,6 +712,22 @@ linux-mod_src_install() {
> > >                 cd "${objdir}" || die "${objdir} does not exist"
> > >                 insinto
> > > "${INSTALL_MOD_PATH}"/lib/modules/${KV_FULL}/${libdir}
> > >  
> > > +               # check here for CONFIG_MODULE_SIG_ALL and sign the
> > > module being built if enabled.
> > > +               # modules must be signed before they are
> > > compressed.
> > > +
> > > +               if linux_chkconfig_present MODULE_SIG_ALL; then
> > > +                       local
> > > module_sig_hash="$(linux_chkconfig_string MODULE_SIG_HASH)"
> > > +                       local
> > > module_sig_key="$(linux_chkconfig_string MODULE_SIG_KEY)"
> > > +                       module_sig_key="${module_sig_key:-
> > > certs/signing_key.pem}"
> > > +                       if [[ "${module_sig_key#pkcs11:}" ==
> > > "${module_sig_key}" && "${module_sig_key#/}" == "${module_sig_key}"
> > > ]]; then
> > > +                               local
> > > key_path="${KERNEL_DIR}/${module_sig_key}"
> > > +                       else
> > > +                               local key_path="${module_sig_key}"
> > > +                       fi
> > > +                       local
> > > cert_path="${KERNEL_DIR}/certs/signing_key.x509"
> > > +                       "${KERNEL_DIR}"/scripts/sign-file
> > > ${module_sig_hash//\"} ${key_path//\"} ${cert_path}
> > > ${modulename}.${KV_OBJ}
> > > +               fi
> > > +
> > >                 # check here for
> > > CONFIG_MODULE_COMPRESS_<compression
> > > option> (NONE, GZIP, XZ, ZSTD) 
> > >                 # and similarily compress the module being built if
> > > != NONE.
> > >  
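Review bot: the sign-file call at the end of the added block has no `|| die`, so a failed signing step goes unnoticed and the module is installed (and then compressed) unsigned, which on a kernel that enforces signatures only surfaces later as a load failure. Suggest ending the call with `|| die "signing ${modulename}.${KV_OBJ} failed"`, and quoting its arguments (`"${key_path//\"}"`, `"${cert_path}"`, `"${modulename}.${KV_OBJ}"`) so that a MODULE_SIG_KEY path containing whitespace is not word-split.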
> > 
> > 
> > Hi,
> > 
> > I've spent some time in the past (circa 2018) to get this in, but
> > gave up due to various reasons, I was not a Gentoo dev yet at the
> > time.
> > 
> > I can't see how posted implementation will work tbh.
> > Portage will strip signature out of the module, unless you prevent
> > stripping completely or package uses EAPI>=7, and omits stripping
> > modules via dostrip -x on the ko object.
> > Kernel will NOT load module with stripped signature.
> > 
> > So either you have to sign in pkg_postinst phase, or prevent
> > stripping.
> > Signing in postinst is not ideal, because it breaks recorded file
> > checksums in vdb.
> > 
> > Here's an old fork of eclass I made, maybe you can find some helpful
> > code in there
> > 
> > https://github.com/gyakovlev/linux-mod.eclass/blob/master/linux-mod.eclass
> > 
> > old ML discussion we had:
> > https://archives.gentoo.org/gentoo-dev/message/4b15b1c851f379a1f802e2f2895cdfa8
> > 
> > You will also need a dependency on openssl, since sign-file uses it.
> > 
> > lmk if you need more info, I might remember more details, but for now
> > that's all I have. I'll try to help get it done, but my availability
> > is spotty due to limited time.
> 
> After reading my old code again and thinking more I think I know what's
> going on.
>  1. I've actually solved checksum/strip problem by signing in pkg-preinst
>  2. my method will likely fail with compressed modules.
>  3. your method likely works only if modules are compressed - because
> portage does not strip those I think.
> 

This is exactly what I was thinking. I'm pretty sure I wasn't seeing the
problematic signature stripping behavior because I have module
compression enabled.

Also good point about the OpenSSL dependency. That's something I didn't
consider.

> so looks like we need to combine both methods and do the following:
>  - if signing requested without compression - sign in pkg_preinst.
>  - if signing requested with compression - sign in src_install
> 

Why can't we do both in pkg_preinst? I am thinking it would be best if
we drop the current compression implementation and rework your old code
to handle both compression and signing since the signing code is more or
less already complete.

> Do I make sense? I still haven't tested it, just guessing as I read my
> old bash code.
> 

Attachment: signature.asc
Description: PGP signature
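
The two failure modes discussed in this thread (a signature removed by stripping, and a module signed in the wrong order relative to compression) can be checked on the installed files. The following is an added example, not code from the eclass or from either poster: a POSIX sh audit that looks for the `~Module signature appended~` trailer which ends a signed module, decompressing first where needed. The function names and the sample files are hypothetical and constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): audit kernel modules for the
# appended-signature trailer, looking through gzip/xz/zstd compression.

# Marker that follows the signature data at the very end of a signed module.
MODSIG_MARKER='~Module signature appended~'

# module_is_signed FILE: 0 = trailer present, 1 = absent, 2 = not checkable.
module_is_signed() (
    case $1 in
        *.ko.gz)  reader='gzip -dc' ;;
        *.ko.xz)  reader='xz -dc' ;;
        *.ko.zst) reader='zstd -dcq' ;;
        *.ko)     reader='cat' ;;
        *)        exit 2 ;;
    esac
    [ -r "$1" ] || exit 2
    # Compare the last 28 bytes (marker + newline) as hex so NUL bytes in
    # an unsigned module's tail cannot disturb the string comparison.
    hex() { od -An -v -t x1 | tr -d ' \t\n'; }
    got=$(${reader} -- "$1" 2>/dev/null | tail -c 28 | hex)
    want=$(printf '%s\n' "${MODSIG_MARKER}" | hex)
    [ "${got}" = "${want}" ]
)

# list_unsigned_modules DIR: print every module under DIR without a trailer.
list_unsigned_modules() {
    find "$1" -type f \( -name '*.ko' -o -name '*.ko.gz' \
            -o -name '*.ko.xz' -o -name '*.ko.zst' \) | sort |
    while IFS= read -r mod; do
        module_is_signed "${mod}" || printf '%s\n' "${mod}"
    done
}

# Constructed sample data: placeholder bytes, not real ELF modules.
build_constructed_samples() {
    printf 'FAKE-ELF\0\0payload' > "$1/stripped.ko"
    { cat "$1/stripped.ko"; printf 'SIGDATA%s\n' "${MODSIG_MARKER}"; } \
        > "$1/signed.ko"
    gzip -c "$1/signed.ko" > "$1/signed_then_compressed.ko.gz"
    # Wrong order: trailer appended to the already compressed file.
    { gzip -c "$1/stripped.ko"; printf 'SIGDATA%s\n' "${MODSIG_MARKER}"; } \
        > "$1/compressed_then_signed.ko.gz"
}

# Usage: sh check-modsig.sh /lib/modules/<version>
if [ -n "${1:-}" ]; then list_unsigned_modules "$1"; fi
```

A present trailer shows only that a signature was appended to the module; whether the kernel accepts it still depends on the signing key being one it trusts.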
