[gentoo-dev] [PATCH 0/2] kernel-build.eclass: fix signing and compressing of kernel modules

Thu, 15 Jun 2023 02:50:11 -0700 

Hi all,
This first patch reworks the stripping of kernel modules, mirroring the changes from linux-mod.eclass to linux-mod-r1.eclass, and fixing Bug 814344 and Bug 881651. 


Before this change enabling the CONFIG_MODULE_SIG=y and 
CONFIG_MODULE_SIG_ALL=y kernel options would cause the kernel build 
system to sign the kernel modules (as it should) but then portage would 
strip this signature again during install. Additionally, any keys 
generated during the build process were not installed, making it 
impossible to sign additional external kernel modules.



Similarly enabling the CONFIG_MODULE_COMPRESS_*=y options would cause 
the kernel build system to compress the modules (as it should). But then 
portage can no longer strip the modules. Resulting in modules that, 
while compressed, still contain the debug symbols.



The solution is to introduce 'IUSE="+strip"' (like in 
linux-mod-r1.eclass) and have the kernel build system itself take care 
of stripping. This way modules are stripped, if the flag is enabled, 
*before* they are signed and/or compressed.



Additionally the eclass now also installs any signing keys that may have 
been generated during the build process.



The second patch does not fix any bugs but does add convenience. This 
patch makes gentoo-kernel-x.y.z.ebuild respect the variables already 
introduced by linux-mod-r1.eclass. And adds a warning if we are letting 
the kernel build system generate the keys (CONFIG_MODULE_SIG=y but 
CONFIG_MODULE_SIG_KEY set to default). Because these generated keys will 
end up in any binary packages which might be undesirable. From a 
security point of view it is better to use an external key (i.e. define 
MODULES_SIGN_KEY="").



The end result of both patches is that users who do not wish to 
configure the kernel, but still would like signed kernel modules can 
simply set 'USE="dist-kernel modules-sign"' and optionally 
'MODULES_SIGN_HASH=""' and 'MODULES_SIGN_KEY=""', portage will take care 
of the rest.


Special thanks to Ionen Wolkens for his feedback on the initial draft.

Let me know what you think,

Best regards,
Andrew

See Also: https://github.com/gentoo/gentoo/pull/31358
















    











					Reply via email to