Re: [Linuxwacom-devel] [PATCH input-wacom] Add support for kernel module signing and enforcement

2018-11-30 Thread Ping Cheng
Looks like a good workaround!

Acked-by: Ping Cheng 

I assume you had someone test the patch for you. Can you get a Tested-by
from them?

Thank you for your effort.
Ping

On Fri, Nov 30, 2018 at 10:38 AM Jason Gerecke  wrote:

> It is becoming more common for systems to only allow signed kernel modules
> to be loaded (e.g. because the kernel is in "lockdown mode" due to secure
> boot policies). Users who follow the standard configure / make / install
> process find that the driver does not work after rebooting and often don't
> know what is wrong.
>
> This commit teaches the configure script and Makefiles a few new tricks:
>
>   * Detection of when module signing is required by the system
>   * Detection of existing key and cert used for module signing (Ubuntu
> only)
>   * Ability to manually specify key, cert, and hash algorithm to be
> used for module signing
>   * Abort configure if signing is required but not possible
>   * New makefile target to add the signature prior to installing
>
> Module signing is opportunistic by default. If a key and cert can be
> found (or are provided to the configure script), the modules will be
> signed -- even if not otherwise required. If a key and cert aren't
> available then we will try to build an unsigned driver instead. If
> the system is set up to require signed modules, we will cowardly
> error out of the configure script unless the user explicitly requests
> the driver to be left unsigned.
>
> A phony "signature" Makefile target is provided which is called by
> `make install` and which is available for developers who want/need
> to sign the module without actually installing it. Users can use
> `make && sudo make install` while developers can use `make && sudo
> make signature`. If module signing is disabled the "signature"
> target does nothing.
> ---
>  2.6.32/Makefile.in | 12 +-
>  2.6.38/Makefile.in | 12 +-
>  3.17/Makefile.in   | 12 +-
>  3.7/Makefile.in| 12 +-
>  4.5/Makefile.in| 12 +-
>  configure.ac   | 96 ++
>  6 files changed, 151 insertions(+), 5 deletions(-)
>
> diff --git a/2.6.32/Makefile.in b/2.6.32/Makefile.in
> index 38876be..6290771 100644
> --- a/2.6.32/Makefile.in
> +++ b/2.6.32/Makefile.in
> @@ -20,6 +20,9 @@ PWD  := $(shell pwd)
>  WCM_KERNEL_DIR := @WCM_KERNEL_DIR@
>  MODUTS := @MODUTS@
>  WCM_KERNEL_VER := @WCM_KERNEL_VER@
> +MODSIGN_HASHALGO := @MODSIGN_HASHALGO@
> +MODSIGN_PRIVFILE := @MODSIGN_PRIVFILE@
> +MODSIGN_CERTFILE := @MODSIGN_CERTFILE@
>
>  all:
> @echo 'Building input-wacom drivers for $(WCM_KERNEL_VER)
> kernel.'
> @@ -28,7 +31,13 @@ all:
>  clean:
> $(MAKE) -C $(WCM_KERNEL_DIR) M=$(PWD) clean
>
> -install modules_install:
> +signature: all
> +   if test -n "$(MODSIGN_HASHALGO)" -a -n "$(MODSIGN_PRIVFILE)" -a -n
> "$(MODSIGN_CERTFILE)"; then \
> +   $(WCM_KERNEL_DIR)/scripts/sign-file "$(MODSIGN_HASHALGO)"
> "$(MODSIGN_PRIVFILE)" "$(MODSIGN_CERTFILE)" wacom.ko; \
> +   $(WCM_KERNEL_DIR)/scripts/sign-file "$(MODSIGN_HASHALGO)"
> "$(MODSIGN_PRIVFILE)" "$(MODSIGN_CERTFILE)" wacom_w8001.ko; \
> +   fi
> +
> +install modules_install: signature
> $(MAKE) -C $(WCM_KERNEL_DIR) M=$(PWD) modules_install
> mkdir -p /etc/depmod.d
> echo "override wacom * extra" > /etc/depmod.d/input-wacom.conf
> @@ -59,5 +68,6 @@ distdir:
>
>  EMPTY_AUTOMAKE_TARGETS = install-data install-exec uninstall install-info
>  EMPTY_AUTOMAKE_TARGETS += installdirs check dvi pdf ps info html tags
> ctags mostlyclean maintainer-clean
> +EMPTY_AUTOMAKE_TARGETS += signature
>  .PHONY: $(EMPTY_AUTOMAKE_TARGETS)
> $(EMPTY_AUTOMAKE_TARGETS):
> diff --git a/2.6.38/Makefile.in b/2.6.38/Makefile.in
> index da131dc..4779420 100644
> --- a/2.6.38/Makefile.in
> +++ b/2.6.38/Makefile.in
> @@ -20,6 +20,9 @@ PWD  := $(shell pwd)
>  WCM_KERNEL_DIR := @WCM_KERNEL_DIR@
>  MODUTS := @MODUTS@
>  WCM_KERNEL_VER := @WCM_KERNEL_VER@
> +MODSIGN_HASHALGO := @MODSIGN_HASHALGO@
> +MODSIGN_PRIVFILE := @MODSIGN_PRIVFILE@
> +MODSIGN_CERTFILE := @MODSIGN_CERTFILE@
>
>  all:
> @echo 'Building input-wacom drivers for $(WCM_KERNEL_VER)
> kernel.'
> @@ -28,7 +31,13 @@ all:
>  clean:
> $(MAKE) -C $(WCM_KERNEL_DIR) M=$(PWD) clean
>
> -install modules_install:
> +signature: all
> +   if test -n "$(MODSIGN_HASHALGO)" -a -n "$(MODSIGN_PRIVFILE)" -a -n
> "$(MODSIGN_CERTFILE)"; then \
> +   $(WCM_KERNEL_DIR)/scripts/sign-file "$(MODSIGN_HASHALGO)"
> "$(MODSIGN_PRIVFILE)" "$(MODSIGN_CERTFILE)" wacom.ko; \
> +   $(WCM_KERNEL_DIR)/scripts/sign-file "$(MODSIGN_HASHALGO)"
> "$(MODSIGN_PRIVFILE)" "$(MODSIGN_CERTFILE)" wacom_w8001.ko; \
> +   fi
> +
> +install modules_install: signature
> $(MAKE) -C $(WCM_KERNEL_DIR) M=$(PWD) modules_install
> mkdir -p /etc/depmod.d
> echo "override wacom * extra" > /etc/depmod.d/input-wacom.conf
> @@ -59,5 +68,6 @@ distdir:
>
>  EMPTY_AUTOMAKE_TARGETS 
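The three checks the commit message above describes (is signing enforced on this kernel, is there a key and cert to sign with, did the built module actually receive a signature) as a set of POSIX sh functions. This is an added example, not part of the patch or of the input-wacom project. It assumes the standard sysfs/securityfs files `sig_enforce` and `lockdown` (the latter only exists on kernels carrying the lockdown LSM), Ubuntu's `MOK.priv`/`MOK.der` key locations as the "Ubuntu only" detection the patch refers to, and the `~Module signature appended~` trailer that the kernel's `scripts/sign-file` writes; each function takes a root directory so it can be exercised against a constructed tree rather than the live system.

```shell
#!/bin/sh
# Added example, not part of the input-wacom patch: post-build checks for
# kernel module signing, as POSIX sh functions callable from a Makefile
# recipe or by hand.
#
# Assumptions (labelled): sig_enforce and lockdown are the standard
# sysfs/securityfs files (lockdown only exists on kernels with the lockdown
# LSM); MOK.priv/MOK.der are the key/cert paths Ubuntu's DKMS setup uses,
# matching the "Ubuntu only" detection in the patch; SIG_MARKER is the
# trailer the kernel's scripts/sign-file appends. Every function takes a
# root directory so it can run against a constructed tree (pass "" for the
# live system).

SIG_MARKER='~Module signature appended~'

# modsign_enforced ROOT: return 0 if this kernel refuses unsigned modules.
modsign_enforced() {
    root="${1:-}"
    enforce="$root/sys/module/module/parameters/sig_enforce"
    lockdown="$root/sys/kernel/security/lockdown"
    # CONFIG_MODULE_SIG_FORCE or module.sig_enforce=1 on the command line
    if [ -r "$enforce" ] && [ "$(cat "$enforce")" = "Y" ]; then
        return 0
    fi
    # lockdown reads like "none [integrity] confidentiality"; the bracketed
    # word is the active mode, and both non-none modes require signed modules
    if [ -r "$lockdown" ]; then
        case "$(cat "$lockdown")" in
            *'[integrity]'*|*'[confidentiality]'*) return 0 ;;
        esac
    fi
    return 1
}

# find_mok_key ROOT: print "PRIVKEY CERT" and return 0 if Ubuntu's MOK
# signing pair is present and readable, otherwise return 1.
find_mok_key() {
    root="${1:-}"
    priv="$root/var/lib/shim-signed/mok/MOK.priv"
    cert="$root/var/lib/shim-signed/mok/MOK.der"
    if [ -r "$priv" ] && [ -r "$cert" ]; then
        printf '%s %s\n' "$priv" "$cert"
        return 0
    fi
    return 1
}

# module_is_signed FILE: return 0 if FILE ends with the sign-file trailer.
# The trailer is the 27-character marker plus a newline, so compare the
# last 28 bytes (command substitution drops the trailing newline).
module_is_signed() {
    f="$1"
    [ -r "$f" ] || return 1
    [ "$(tail -c 28 "$f")" = "$SIG_MARKER" ]
}

# check_modules ROOT MODULE...: the policy the commit message describes.
# Signed modules pass; an unsigned module is an error (status 2) on an
# enforcing kernel and a warning elsewhere, since it still loads there but
# taints the kernel.
check_modules() {
    root="$1"; shift
    if modsign_enforced "$root"; then enforced=1; else enforced=0; fi
    status=0
    for m in "$@"; do
        if module_is_signed "$m"; then
            echo "ok: $m carries a module signature"
        elif [ "$enforced" -eq 1 ]; then
            echo "error: $m is unsigned and this kernel enforces module signatures" >&2
            status=2
        else
            echo "warning: $m is unsigned; it will load but taint the kernel" >&2
        fi
    done
    return "$status"
}

# Usage against the live system, e.g. after `make signature`:
#   sh modsign-check.sh wacom.ko wacom_w8001.ko
if [ "$#" -gt 0 ]; then
    check_modules "" "$@"
fi
```

Running `check_modules` right after `make signature` (or from a post-install hook) turns the silent "driver stops working after reboot" failure the commit message describes into a build-time error on enforcing kernels, and `find_mok_key` mirrors the opportunistic lookup configure is expected to do before falling back to an unsigned build.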

[Linuxwacom-devel] [PATCH input-wacom] Add support for kernel module signing and enforcement

2018-11-30 Thread Jason Gerecke
It is becoming more common for systems to only allow signed kernel modules
to be loaded (e.g. because the kernel is in "lockdown mode" due to secure
boot policies). Users who follow the standard configure / make / install
process find that the driver does not work after rebooting and often don't
know what is wrong.

This commit teaches the configure script and Makefiles a few new tricks:

  * Detection of when module signing is required by the system
  * Detection of existing key and cert used for module signing (Ubuntu
only)
  * Ability to manually specify key, cert, and hash algorithm to be
used for module signing
  * Abort configure if signing is required but not possible
  * New makefile target to add the signature prior to installing

Module signing is opportunistic by default. If a key and cert can be
found (or are provided to the configure script), the modules will be
signed -- even if not otherwise required. If a key and cert aren't
available then we will try to build an unsigned driver instead. If
the system is set up to require signed modules, we will cowardly
error out of the configure script unless the user explicitly requests
the driver to be left unsigned.

A phony "signature" Makefile target is provided which is called by
`make install` and which is available for developers who want/need
to sign the module without actually installing it. Users can use
`make && sudo make install` while developers can use `make && sudo
make signature`. If module signing is disabled the "signature"
target does nothing.
---
 2.6.32/Makefile.in | 12 +-
 2.6.38/Makefile.in | 12 +-
 3.17/Makefile.in   | 12 +-
 3.7/Makefile.in| 12 +-
 4.5/Makefile.in| 12 +-
 configure.ac   | 96 ++
 6 files changed, 151 insertions(+), 5 deletions(-)

diff --git a/2.6.32/Makefile.in b/2.6.32/Makefile.in
index 38876be..6290771 100644
--- a/2.6.32/Makefile.in
+++ b/2.6.32/Makefile.in
@@ -20,6 +20,9 @@ PWD  := $(shell pwd)
 WCM_KERNEL_DIR := @WCM_KERNEL_DIR@
 MODUTS := @MODUTS@
 WCM_KERNEL_VER := @WCM_KERNEL_VER@
+MODSIGN_HASHALGO := @MODSIGN_HASHALGO@
+MODSIGN_PRIVFILE := @MODSIGN_PRIVFILE@
+MODSIGN_CERTFILE := @MODSIGN_CERTFILE@
 
 all:
@echo 'Building input-wacom drivers for $(WCM_KERNEL_VER) kernel.'
@@ -28,7 +31,13 @@ all:
 clean:
$(MAKE) -C $(WCM_KERNEL_DIR) M=$(PWD) clean
 
-install modules_install:
+signature: all
+   if test -n "$(MODSIGN_HASHALGO)" -a -n "$(MODSIGN_PRIVFILE)" -a -n 
"$(MODSIGN_CERTFILE)"; then \
+   $(WCM_KERNEL_DIR)/scripts/sign-file "$(MODSIGN_HASHALGO)" 
"$(MODSIGN_PRIVFILE)" "$(MODSIGN_CERTFILE)" wacom.ko; \
+   $(WCM_KERNEL_DIR)/scripts/sign-file "$(MODSIGN_HASHALGO)" 
"$(MODSIGN_PRIVFILE)" "$(MODSIGN_CERTFILE)" wacom_w8001.ko; \
+   fi
+
+install modules_install: signature
$(MAKE) -C $(WCM_KERNEL_DIR) M=$(PWD) modules_install
mkdir -p /etc/depmod.d
echo "override wacom * extra" > /etc/depmod.d/input-wacom.conf
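Review bot: a failed signing of wacom.ko is masked in the `signature` recipe. Inside `if ...; then a; b; fi` the status of the branch is that of the last command, so if the first `sign-file` call fails and the second succeeds, make proceeds to `modules_install` with an unsigned wacom.ko, which is exactly the silent failure the commit message sets out to prevent. Chain the two calls with `&&` (or append `|| exit 1` to each) so the install aborts on the first failure. Minor: `test -n ... -a -n ...` uses the obsolescent `-a`; `test -n "$(MODSIGN_HASHALGO)" && test -n "$(MODSIGN_PRIVFILE)" && ...` is the portable form. Also note that `signature: all` means `sudo make install` now re-enters the kernel build as root, so root-owned objects can land in the source tree if anything is out of date.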
@@ -59,5 +68,6 @@ distdir:
 
 EMPTY_AUTOMAKE_TARGETS = install-data install-exec uninstall install-info
 EMPTY_AUTOMAKE_TARGETS += installdirs check dvi pdf ps info html tags ctags 
mostlyclean maintainer-clean
+EMPTY_AUTOMAKE_TARGETS += signature
 .PHONY: $(EMPTY_AUTOMAKE_TARGETS)
$(EMPTY_AUTOMAKE_TARGETS):
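Review bot: listing `signature` in EMPTY_AUTOMAKE_TARGETS achieves the .PHONY marking but also attaches it to the `$(EMPTY_AUTOMAKE_TARGETS):` rule; that is only harmless if that rule carries no recipe (its body is not in this hunk), otherwise GNU make warns about overriding the recipe for `signature`. A plain `.PHONY: signature` next to the target states the intent without coupling it to the list of do-nothing automake targets.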
diff --git a/2.6.38/Makefile.in b/2.6.38/Makefile.in
index da131dc..4779420 100644
--- a/2.6.38/Makefile.in
+++ b/2.6.38/Makefile.in
@@ -20,6 +20,9 @@ PWD  := $(shell pwd)
 WCM_KERNEL_DIR := @WCM_KERNEL_DIR@
 MODUTS := @MODUTS@
 WCM_KERNEL_VER := @WCM_KERNEL_VER@
+MODSIGN_HASHALGO := @MODSIGN_HASHALGO@
+MODSIGN_PRIVFILE := @MODSIGN_PRIVFILE@
+MODSIGN_CERTFILE := @MODSIGN_CERTFILE@
 
 all:
@echo 'Building input-wacom drivers for $(WCM_KERNEL_VER) kernel.'
@@ -28,7 +31,13 @@ all:
 clean:
$(MAKE) -C $(WCM_KERNEL_DIR) M=$(PWD) clean
 
-install modules_install:
+signature: all
+   if test -n "$(MODSIGN_HASHALGO)" -a -n "$(MODSIGN_PRIVFILE)" -a -n 
"$(MODSIGN_CERTFILE)"; then \
+   $(WCM_KERNEL_DIR)/scripts/sign-file "$(MODSIGN_HASHALGO)" 
"$(MODSIGN_PRIVFILE)" "$(MODSIGN_CERTFILE)" wacom.ko; \
+   $(WCM_KERNEL_DIR)/scripts/sign-file "$(MODSIGN_HASHALGO)" 
"$(MODSIGN_PRIVFILE)" "$(MODSIGN_CERTFILE)" wacom_w8001.ko; \
+   fi
+
+install modules_install: signature
$(MAKE) -C $(WCM_KERNEL_DIR) M=$(PWD) modules_install
mkdir -p /etc/depmod.d
echo "override wacom * extra" > /etc/depmod.d/input-wacom.conf
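Review bot: this `signature` recipe is a verbatim copy of the one in 2.6.32/Makefile.in, and the diffstat shows the same 12-line change landing in five Makefile.in files. Any fix to the signing step (exit-status handling, a third module, a different `sign-file` location) will have to be made five times; consider factoring the recipe into a shared fragment included by each Makefile.in, or having configure substitute the full sign command, so the per-version files only differ where the kernel interface actually differs.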
@@ -59,5 +68,6 @@ distdir:
 
 EMPTY_AUTOMAKE_TARGETS = install-data install-exec uninstall install-info
 EMPTY_AUTOMAKE_TARGETS += installdirs check dvi pdf ps info html tags ctags 
mostlyclean maintainer-clean
+EMPTY_AUTOMAKE_TARGETS += signature
 .PHONY: $(EMPTY_AUTOMAKE_TARGETS)
$(EMPTY_AUTOMAKE_TARGETS):
diff --git a/3.17/Makefile.in b/3.17/Makefile.in
index b3683b7..7077d8c 100644
--- a/3.17/Makefile.in
+++ b/3.17/Makefile.in
@@ -29,6 +29,9 @@ DRACUT := $(shell command