Hello community, here is the log from the commit of package suse-module-tools for openSUSE:Factory checked in at 2016-06-12 18:50:16 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/suse-module-tools (Old) and /work/SRC/openSUSE:Factory/.suse-module-tools.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "suse-module-tools" Changes: -------- --- /work/SRC/openSUSE:Factory/suse-module-tools/suse-module-tools.changes 2016-05-19 12:02:31.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.suse-module-tools.new/suse-module-tools.changes 2016-06-12 18:50:17.000000000 +0200 @@ -1,0 +2,17 @@ +Fri May 27 13:14:36 UTC 2016 - mma...@suse.cz + +- Run dos2unix on the modhash script. + +------------------------------------------------------------------- +Thu May 26 07:36:58 UTC 2016 - j...@suse.com + +- Add modhash tool to calculate hash of signed module. + It strips X.509 or PKCS#7 signature before hash kernel module. + (fate#319460) + +------------------------------------------------------------------- +Wed May 25 13:23:35 UTC 2016 - mma...@suse.cz + +- Remove -x bit from 50-kernel-uname_r.conf (bsc#981291). + +------------------------------------------------------------------- New: ---- modhash ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ suse-module-tools.spec ++++++ --- /var/tmp/diff_new_pack.6GAOZz/_old 2016-06-12 18:50:18.000000000 +0200 +++ /var/tmp/diff_new_pack.6GAOZz/_new 2016-06-12 18:50:18.000000000 +0200 @@ -46,6 +46,7 @@ Source11: macros.initrd Source12: regenerate-initrd-posttrans Source13: 50-kernel-uname_r.conf +Source14: modhash BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -94,10 +95,12 @@ install -d -m 755 "$b/usr/bin" install -pm 755 %_sourcedir/modsign-verify "$b/usr/bin/" install -pm 755 %_sourcedir/kmp-install "$b/usr/bin/" +# modhash for calculating hash of signed kernel module +install -pm 755 %_sourcedir/modhash "$b/usr/bin/" # systemd service to load /boot/sysctl.conf-`uname -r` install -d -m 755 "$b/usr/lib/systemd/system/systemd-sysctl.service.d" -install -pm 755 %_sourcedir/50-kernel-uname_r.conf "$b/usr/lib/systemd/system/systemd-sysctl.service.d" +install -pm 644 %_sourcedir/50-kernel-uname_r.conf "$b/usr/lib/systemd/system/systemd-sysctl.service.d" %post test_allow_on_install() @@ -163,6 +166,7 @@ %config /etc/depmod.d/00-system.conf %config /etc/rpm/macros.initrd %_docdir/module-init-tools +/usr/bin/modhash /usr/bin/kmp-install /usr/bin/modsign-verify /usr/lib/module-init-tools ++++++ modhash ++++++ #!/usr/bin/perl # # Calculate the digest of the kernel module # It will strip kernel modules signature before calculation. # # Based on modsign-verify, written by Michal Marek # Authors: # Gary Lin <g...@suse.com> # Joey Lee <j...@suse.com> # my $USAGE = "Usage: modhash [-v] [-q] [-d <digest algorithm>] <module>\n"; use strict; use warnings; use IPC::Open2; use Getopt::Long; use File::Temp qw(tempfile); my $verbose = 1; my $dgst = "sha256"; GetOptions( "d=s" => \$dgst, "q|quiet" => sub { $verbose-- if $verbose; }, "v|verbose" => sub { $verbose++; }, "h|help" => sub { print $USAGE; exit(0); } ) or die($USAGE); sub _verbose { my $level = shift; return if $verbose < $level; print STDERR @_; } sub info { _verbose(1, @_); } sub verbose { _verbose(2, @_); } sub debug { _verbose(3, @_); } if (@ARGV > 1) { print STDERR "Excess arguments\n"; die($USAGE); } elsif (@ARGV < 1) { print STDERR "No module supplied\n"; die($USAGE); } my $module_name = shift(@ARGV); if ($dgst ne "sha" and $dgst ne "sha1" and $dgst ne "sha256" and $dgst ne "sha384" and $dgst ne "sha512") { die("unsupported algorithm: $dgst"); } # # Function to read the contents of a file into a variable. # sub read_file($) { my ($file) = @_; my $contents; my $len; open(FD, "<$file") || die $file; binmode FD; my @st = stat(FD); die $file if (!@st); $len = read(FD, $contents, $st[7]) || die $file; close(FD) || die $file; die "$file: Wanted length ", $st[7], ", got ", $len, "\n" if ($len != $st[7]); return $contents; } sub openssl_pipe($$) { my ($input, $cmd) = @_; my ($pid, $res); $pid = open2(*read_from, *write_to, $cmd) || die $cmd; binmode write_to; if (defined($input) && $input ne "") { print write_to $input || die "$cmd: $!"; } close(write_to) || die "$cmd: $!"; binmode read_from; read(read_from, $res, 4096) || die "$cmd: $!"; close(read_from) || die "$cmd: $!"; waitpid($pid, 0) || die; die "$cmd died: $?" if ($? >> 8); return $res; } my $module = read_file($module_name); my $module_len = length($module); my $magic_number = "~Module signature appended~\n"; my $magic_len = length($magic_number); my $info_len = 12; if ($module_len < $magic_len) { die "Module size too short\n"; } sub eat { my $length = shift; if ($module_len < $length) { die "Module size too short\n"; } my $res = substr($module, -$length); $module = substr($module, 0, $module_len - $length); $module_len -= $length; return $res; } if (substr($module, -$magic_len) eq $magic_number) { $module = substr($module, 0, $module_len - $magic_len); $module_len -= $magic_len; my $info = eat($info_len); my ($algo, $hash, $id_type, $name_len, $key_len, $sig_len) = unpack("CCCCCxxxN", $info); my $signature = eat($sig_len); if ($id_type == 1) { if (unpack("n", $signature) == $sig_len - 2) { verbose ("signed module (X.509)\n"); } else { die "Invalid signature format\n"; } if ($algo != 1) { die "Unsupported signature algorithm\n"; } $signature = substr($signature, 2); my $key_id = eat($key_len); my $name = eat($name_len); } elsif ($id_type == 2) { verbose ("signed module (PKCS#7)\n"); } } else { verbose ("unsigned module\n"); } verbose("Hash algorithm: $dgst\n"); my $digest = openssl_pipe($module, "openssl dgst -$dgst"); $digest =~ s/\(stdin\)= //; print "$module_name: $digest"