Re: [gentoo-dev] Re: [PATCH] linux-mod.eclass: support module signing
On Thu, 19.04.2018 at 22:42 -0700, Georgy Yakovlev wrote:
> On Sat, 2018-04-14 at 14:25 -0700, Georgy Yakovlev wrote:
>
> Second version, with safety checks and simplified logic.
> Fixed most issues of the first patch.
>
> Now only use single optional make.conf variable with the path to the
> key.
> Rest of parameters are magically extracted from .config or derived from
> the key itself. So generally it just works.
>
> got rid of STRIP_MASK, all signing happens in pkg_preinst, that way the
> checksum of installed file is calculated with signature appended.
> now works for packages that do not use linux-mod_src_install (zfs & co)
>
>
> Thanks to NP-Hardass for initial review and suggestions.
>
> > Hi,
> >
> > There is an old bug[1] to support
> > linux kernel module signing at install.
> >
> > And here is my first attempt to modify an eclass.
> > Need proper input on it and a kick in the right direction.
> >
> > Add 3 variables, settable by users if they keep keys somewhere safe.
> > Otherwise it just works with the auto-generated keys
> > if CONFIG_MODULE_SIG=y and vars are unset.
> >
> > eclass will die if kernel requires a signed module,
> > but signing is not requested.
> >
> >
> > Known problems:
> >
> > Packages that do not use linux-mod_src_install() will not sign
> > the modules,
> > But those packages will still inherit module-sign useflag.
> > It's misleading and I'm not sure how to fix that.
> > Examples : sys-kernel/spl, sys-fs/zfs-kmod
> >
> > May need additional handling of KBUILD_SIGN_PIN variable[2],
> > which can be set to hold the passphrase to the key. But it may end up
> > in vdb environment files, not sure how to handle that or if it worth
> > it
> >
> > not eapi-7 ready because of STRIP_MASK usage.
> > will need to cover this case as well, probably later.
> > > > older (<4.3.3) kernels use perl to sign modules, not sure if it's > > worth > > supporting old kernels, there is no gentoo-sources in the tree old > > enough, except masked 4.1 > > there are old vanilla-sources that will be affected by this. > > > > > > [1] https://bugs.gentoo.org/447352 > > [2] https://www.kernel.org/doc/html/v4.16/admin-guide/module-signing.html > > diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass > index bf580cf4cfa9..8197654081cc 100644 > --- a/eclass/linux-mod.eclass > +++ b/eclass/linux-mod.eclass > @@ -132,6 +132,16 @@ > # @DESCRIPTION: > # It's a read-only variable. It contains the extension of the kernel modules. > > +# @ECLASS-VARIABLE: KERNEL_MODULE_SIG_KEY Also @USER_VARIABLE since it's supposed to be set in make.conf. > +# @DEFAULT_UNSET > +# @DESCRIPTION: > +# A string, containing absolute path to the private key file. > +# Defaults to value of CONFIG_MODULE_SIG_KEY extracted from .config > +# Can be set by user in make.conf > +# Example: > +# KERNEL_MODULE_SIG_KEY="/secure/location/keys/kernel.pem" > +# Assumes that "/secure/location/keys/kernel.x509" is a matching pubkey. > + > inherit eutils linux-info multilib > EXPORT_FUNCTIONS pkg_setup pkg_preinst pkg_postinst src_install src_compile > pkg_postrm 
> > @@ -144,12 +154,13 @@ esac > 0) die "EAPI=${EAPI} is not supported with > MODULES_OPTIONAL_USE_IUSE_DEFAULT due to lack of IUSE defaults" ;; > esac > > -IUSE="kernel_linux > ${MODULES_OPTIONAL_USE:+${_modules_optional_use_iuse_default}}${MODULES_OPTIONAL_USE}" > +IUSE="module-sign kernel_linux > ${MODULES_OPTIONAL_USE:+${_modules_optional_use_iuse_default}}${MODULES_OPTIONAL_USE}" > SLOT="0" > RDEPEND="${MODULES_OPTIONAL_USE}${MODULES_OPTIONAL_USE:+? (} kernel_linux? ( > virtual/modutils ) ${MODULES_OPTIONAL_USE:+)}" > DEPEND="${RDEPEND} > ${MODULES_OPTIONAL_USE}${MODULES_OPTIONAL_USE:+? (} > sys-apps/sed > + module-sign? ( || ( dev-libs/openssl dev-libs/libressl ) ) > kernel_linux? ( virtual/linux-sources ) > ${MODULES_OPTIONAL_USE:+)}" > > @@ -352,6 +363,93 @@ get-KERNEL_CC() { > echo "${kernel_cc}" > } > > +# @FUNCTION: check_sig_force Namespace pollution. Please prefix it. > +# @INTERNAL > +# @DESCRIPTION: > +# Check if kernel requires module signing and die > +# if module is not going to be signed. > +check_sig_force() { > + debug-print-function ${FUNCNAME} $* "${@}" > + > + if linux_chkconfig_present MODULE_SIG_FORCE; then > + if use !module-sign; then > + ewarn "kernel .config has MODULE_SIG_FORCE=y option set" > + ewarn "This means that kernel requires all modules" > + ewarn "to be signed and verified before loading" > + ewarn "please enable USE=\"module-sign\" or reconfigure > your kernel" > + ewarn "otherwise loading the module will fail" Why ewarn if you die? eerror would be more appropriate. > + die "signature required" > + fi > + fi > +} > + > +# @FUNCTION: sign_module Likewise. > +#
[gentoo-dev] Re: [PATCH] linux-mod.eclass: support module signing
On Sat, 2018-04-14 at 14:25 -0700, Georgy Yakovlev wrote:

Second version, with safety checks and simplified logic.
Fixed most issues of the first patch.

Now only use single optional make.conf variable with the path to the key.
Rest of parameters are magically extracted from .config or derived from
the key itself. So generally it just works.

got rid of STRIP_MASK, all signing happens in pkg_preinst, that way the
checksum of installed file is calculated with signature appended.
now works for packages that do not use linux-mod_src_install (zfs & co)

Thanks to NP-Hardass for initial review and suggestions.

> Hi,
>
> There is an old bug[1] to support
> linux kernel module signing at install.
>
> And here is my first attempt to modify an eclass.
> Need proper input on it and a kick in the right direction.
>
> Add 3 variables, settable by users if they keep keys somewhere safe.
> Otherwise it just works with the auto-generated keys
> if CONFIG_MODULE_SIG=y and vars are unset.
>
> eclass will die if kernel requires a signed module,
> but signing is not requested.
>
>
> Known problems:
>
> Packages that do not use linux-mod_src_install() will not sign
> the modules,
> But those packages will still inherit module-sign useflag.
> It's misleading and I'm not sure how to fix that.
> Examples : sys-kernel/spl, sys-fs/zfs-kmod
>
> May need additional handling of KBUILD_SIGN_PIN variable[2],
> which can be set to hold the passphrase to the key. But it may end up
> in vdb environment files, not sure how to handle that or if it worth
> it
>
> not eapi-7 ready because of STRIP_MASK usage.
> will need to cover this case as well, probably later.
>
> older (<4.3.3) kernels use perl to sign modules, not sure if it's
> worth
> supporting old kernels, there is no gentoo-sources in the tree old
> enough, except masked 4.1
> there are old vanilla-sources that will be affected by this.
> > > [1] https://bugs.gentoo.org/447352 > [2] https://www.kernel.org/doc/html/v4.16/admin-guide/module-signing.html diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass index bf580cf4cfa9..8197654081cc 100644 --- a/eclass/linux-mod.eclass +++ b/eclass/linux-mod.eclass @@ -132,6 +132,16 @@ # @DESCRIPTION: # It's a read-only variable. It contains the extension of the kernel modules. +# @ECLASS-VARIABLE: KERNEL_MODULE_SIG_KEY +# @DEFAULT_UNSET +# @DESCRIPTION: +# A string, containing absolute path to the private key file. +# Defaults to value of CONFIG_MODULE_SIG_KEY extracted from .config +# Can be set by user in make.conf +# Example: +# KERNEL_MODULE_SIG_KEY="/secure/location/keys/kernel.pem" +# Assumes that "/secure/location/keys/kernel.x509" is a matching pubkey. + inherit eutils linux-info multilib EXPORT_FUNCTIONS pkg_setup pkg_preinst pkg_postinst src_install src_compile pkg_postrm @@ -144,12 +154,13 @@ esac 0) die "EAPI=${EAPI} is not supported with MODULES_OPTIONAL_USE_IUSE_DEFAULT due to lack of IUSE defaults" ;; esac -IUSE="kernel_linux ${MODULES_OPTIONAL_USE:+${_modules_optional_use_iuse_default}}${MODULES_OPTIONAL_USE}" +IUSE="module-sign kernel_linux ${MODULES_OPTIONAL_USE:+${_modules_optional_use_iuse_default}}${MODULES_OPTIONAL_USE}" SLOT="0" RDEPEND="${MODULES_OPTIONAL_USE}${MODULES_OPTIONAL_USE:+? (} kernel_linux? ( virtual/modutils ) ${MODULES_OPTIONAL_USE:+)}" DEPEND="${RDEPEND} ${MODULES_OPTIONAL_USE}${MODULES_OPTIONAL_USE:+? (} sys-apps/sed + module-sign? ( || ( dev-libs/openssl dev-libs/libressl ) ) kernel_linux? ( virtual/linux-sources ) ${MODULES_OPTIONAL_USE:+)}" 
@@ -352,6 +363,93 @@ get-KERNEL_CC() { echo "${kernel_cc}" } +# @FUNCTION: check_sig_force +# @INTERNAL +# @DESCRIPTION: +# Check if kernel requires module signing and die +# if module is not going to be signed. +check_sig_force() { + debug-print-function ${FUNCNAME} $* + + if linux_chkconfig_present MODULE_SIG_FORCE; then + if use !module-sign; then + ewarn "kernel .config has MODULE_SIG_FORCE=y option set" + ewarn "This means that kernel requires all modules" + ewarn "to be signed and verified before loading" + ewarn "please enable USE=\"module-sign\" or reconfigure your kernel" + ewarn "otherwise loading the module will fail" + die "signature required" + fi + fi +} + +# @FUNCTION: sign_module +# @INTERNAL +# @DESCRIPTION: +# Sign a kernel module +# @USAGE: +sign_module() { + debug-print-function ${FUNCNAME} $* + + local dotconfig_sig_hash dotconfig_sig_key + local sign_binary_path sig_key_path sig_x509_path + local module + + # extract values from kernel .config + # extracted key path is not full, e.g. "certs/signing_key.pem" + dotconfig_sig_hash="$(linux_chkconfig_string MODULE_SIG_HASH)" + dotconfig_sig_key="$(linux_chkconfig_string
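Review bot: the `# @USAGE:` line in the sign_module doc block is empty; since the function takes a module path, document it (`# @USAGE: <module>`) or drop the tag so the eclass documentation does not carry an empty usage entry. The KERNEL_MODULE_SIG_KEY block describes a make.conf setting, so it needs `@USER_VARIABLE` as well, and it should state that the private key is read by the package manager during pkg_preinst (where the description says signing happens), so the file must be readable there and should not be readable by other users. check_sig_force and sign_module are unprefixed in an eclass that many ebuilds inherit; give them a `linux-mod_` prefix, or at least a leading underscore for @INTERNAL functions, to avoid clashing with ebuild-defined names. `debug-print-function ${FUNCNAME} $*` should pass `"$@"` so arguments containing whitespace survive. In check_sig_force the five ewarn calls are immediately followed by `die "signature required"`; eerror matches a fatal outcome.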
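The approach described in the message above (one optional key path from make.conf, hash and key taken from the kernel .config, the matching .x509 derived from the key file name, and a hard failure when MODULE_SIG_FORCE=y but signing is off), as an added shell example that is not the eclass code from the patch. The kmod_* function names, the constructed .config fragment with empty placeholder key files, and the refusal of a world-readable private key are assumptions of this example, not behaviour the eclass has.

```shell
#!/bin/sh
# Added example, not code from the linux-mod.eclass patch: resolve the
# module-signing inputs the way the patch description lays them out.
# The kmod_* names, the constructed .config fragment and the
# world-readable-key check are assumptions of this example.

# Build a constructed, minimal kernel source tree: a .config fragment and
# empty placeholder key/cert files (a real tree gets these from the build).
make_sample_kernel() {
    dir="$1"
    mkdir -p "$dir/certs"
    cat > "$dir/.config" <<'EOF'
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_SHA256=y
CONFIG_MODULE_SIG_HASH="sha256"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
EOF
    : > "$dir/certs/signing_key.pem"
    : > "$dir/certs/signing_key.x509"
    chmod 600 "$dir/certs/signing_key.pem"
}

# Print the value of CONFIG_<name> from .config without surrounding quotes;
# prints nothing when the option is absent or "is not set".
kconfig_get() {
    sed -n "s/^CONFIG_$2=//p" "$1/.config" | sed 's/^"\(.*\)"$/\1/'
}

# True when the kernel refuses to load unsigned modules.
kmod_sig_required() {
    [ "$(kconfig_get "$1" MODULE_SIG_FORCE)" = "y" ]
}

# Resolve hash algorithm, private key and matching certificate.
# $1 kernel source dir, $2 optional user-supplied key path (empty = use
# CONFIG_MODULE_SIG_KEY; a relative path is taken from the source tree).
# Prints "<hash> <key> <cert>" on success, an error on stderr otherwise.
kmod_sig_resolve() {
    ksrc="$1"; key="$2"
    algo=$(kconfig_get "$ksrc" MODULE_SIG_HASH)
    if [ -z "$key" ]; then
        key=$(kconfig_get "$ksrc" MODULE_SIG_KEY)
        case "$key" in
            "") echo "no signing key configured" >&2; return 1 ;;
            /*) ;;                   # already absolute
            *)  key="$ksrc/$key" ;;  # relative to the kernel source tree
        esac
    fi
    cert="${key%.pem}.x509"          # same derivation the patch documents
    [ -n "$algo" ] || { echo "CONFIG_MODULE_SIG_HASH not set" >&2; return 1; }
    [ -r "$key" ]  || { echo "private key not readable: $key" >&2; return 1; }
    [ -r "$cert" ] || { echo "matching certificate missing: $cert" >&2; return 1; }
    # A signing key readable by every local user defeats the point of
    # MODULE_SIG_FORCE, so refuse to sign with one.
    if [ -n "$(find "$key" -perm -004)" ]; then
        echo "private key is world-readable, refusing: $key" >&2; return 1
    fi
    echo "$algo $key $cert"
}

# The decision check_sig_force makes: $3 is "yes" when USE=module-sign is
# enabled. Returns 2 where the eclass would die.
kmod_sig_decide() {
    if [ "$3" != "yes" ]; then
        if kmod_sig_required "$1"; then
            echo "kernel has MODULE_SIG_FORCE=y but module signing is disabled" >&2
            return 2
        fi
        echo "unsigned"
        return 0
    fi
    kmod_sig_resolve "$1" "$2"
}

# Demo run on the constructed tree.
demo_dir=$(mktemp -d)
make_sample_kernel "$demo_dir"
kmod_sig_decide "$demo_dir" "" yes
kmod_sig_decide "$demo_dir" "" no || echo "exit status $?"
rm -rf "$demo_dir"
```

Passing a non-empty second argument to kmod_sig_resolve plays the role of KERNEL_MODULE_SIG_KEY from make.conf; the .x509 path is derived from it exactly as the patch's doc comment says, so a key kept outside the source tree needs its certificate next to it.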
[gentoo-portage-dev] [PATCH 1/2] EbuildBuildDir: add async_unlock method (bug 614108)
This calls the existing AsynchronousLock async_unlock method for the build directory lock, and also handles removal of the category directory (with async lock/unlock). Bug: https://bugs.gentoo.org/614108 --- pym/_emerge/EbuildBuildDir.py | 43 +++ 1 file changed, 43 insertions(+) diff --git a/pym/_emerge/EbuildBuildDir.py b/pym/_emerge/EbuildBuildDir.py index 58905c2f6..da7128689 100644 --- a/pym/_emerge/EbuildBuildDir.py +++ b/pym/_emerge/EbuildBuildDir.py @@ -88,6 +88,9 @@ class EbuildBuildDir(SlotObject): if self._lock_obj is None: return + # Keep this legacy implementation until all consumers have migrated + # to async_unlock, since run_until_complete(self.async_unlock()) + # would add unwanted event loop recursion here. self._lock_obj.unlock() self._lock_obj = None self.locked = False 
@@ -102,6 +105,46 @@ class EbuildBuildDir(SlotObject): finally: catdir_lock.unlock() + def async_unlock(self): + """ + Release the lock asynchronously. Release notification is available + via the add_done_callback method of the returned Future instance. + + @returns: Future, result is None + """ + result = self.scheduler.create_future() + + def builddir_unlocked(future): + if future.exception() is not None: + result.set_exception(future.exception()) + else: + self._lock_obj = None + self.locked = False + self.settings.pop('PORTAGE_BUILDDIR_LOCKED', None) + catdir_lock = AsynchronousLock( + path=self._catdir, scheduler=self.scheduler) + catdir_lock.start() + catdir_lock.addExitListener(catdir_locked) + + def catdir_locked(catdir_lock): + if catdir_lock.wait() != os.EX_OK: + result.set_result(None) + else: + try: + os.rmdir(self._catdir) + except OSError: + pass + catdir_lock.async_unlock().add_done_callback(catdir_unlocked) + + def catdir_unlocked(future): + if future.exception() is None: + result.set_result(None) + else: + result.set_exception(future.exception()) + + self._lock_obj.async_unlock().add_done_callback(builddir_unlocked) + return result + class AlreadyLocked(portage.exception.PortageException): pass -- 2.13.6
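Review bot: async_unlock lacks the not-locked guard that the synchronous unlock keeps (`if self._lock_obj is None: return`); calling it on an EbuildBuildDir that is not locked reaches `self._lock_obj.async_unlock()` at the end of the method and raises AttributeError instead of resolving. Add the same check at the top and return an already-completed future (`result.set_result(None)` followed by `return result`). In catdir_locked, a failed category-directory lock (`catdir_lock.wait() != os.EX_OK`) resolves the future to None without any message, so a leftover category directory is kept silently; a debug-level writemsg on that path would make it visible when it misbehaves.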
[gentoo-portage-dev] [PATCH 2/2] EbuildBuild: use async_unlock (bug 614108)
This adds an _async_unlock_builddir method which accepts a returncode parameter for cases where it should set the returncode and notify exit listeners. Bug: https://bugs.gentoo.org/614108 --- pym/_emerge/EbuildBuild.py | 52 -- 1 file changed, 32 insertions(+), 20 deletions(-) diff --git a/pym/_emerge/EbuildBuild.py b/pym/_emerge/EbuildBuild.py index 48f470483..833996c37 100644 --- a/pym/_emerge/EbuildBuild.py +++ b/pym/_emerge/EbuildBuild.py @@ -3,6 +3,7 @@ from __future__ import unicode_literals +import functools import io import _emerge.emergelog @@ -23,6 +24,8 @@ from portage import _encodings, _unicode_decode, _unicode_encode, os from portage.package.ebuild.digestcheck import digestcheck from portage.package.ebuild.doebuild import _check_temp_dir from portage.package.ebuild._spawn_nofetch import SpawnNofetchWithoutBuilddir +from portage.util._async.AsyncTaskFuture import AsyncTaskFuture + class EbuildBuild(CompositeTask): @@ -185,8 +188,7 @@ class EbuildBuild(CompositeTask): def _pre_clean_exit(self, pre_clean_phase): if self._default_exit(pre_clean_phase) != os.EX_OK: - self._unlock_builddir() - self.wait() + self._async_unlock_builddir(returncode=self.returncode) return # for log handling @@ -209,10 +211,7 @@ class EbuildBuild(CompositeTask): msg_lines.append(msg) fetcher._eerror(msg_lines) portage.elog.elog_process(self.pkg.cpv, self.settings) - self.returncode = 1 - self._current_task = None - self._unlock_builddir() - self.wait() + self._async_unlock_builddir(returncode=1) return if already_fetched: @@ -283,8 +282,7 @@ class EbuildBuild(CompositeTask): if 'fetch' not in self.pkg.restrict and \ 'nofetch' not in self.pkg.defined_phases: - self._unlock_builddir() - self.wait() + self._async_unlock_builddir(returncode=self.returncode) return self.returncode = None 
@@ -294,18 +292,32 @@ class EbuildBuild(CompositeTask): def _nofetch_exit(self, nofetch_phase): self._final_exit(nofetch_phase) - self._unlock_builddir() - self.returncode = 1 - self.wait() + self._async_unlock_builddir(returncode=1) - def _unlock_builddir(self): + def _async_unlock_builddir(self, returncode=None): + """ + Release the lock asynchronously, and if a returncode parameter + is given then set self.returncode and notify exit listeners. + """ + if returncode is not None: + # The returncode will be set after unlock is complete. + self.returncode = None portage.elog.elog_process(self.pkg.cpv, self.settings) - self._build_dir.unlock() + self._start_task( + AsyncTaskFuture(future=self._build_dir.async_unlock()), + functools.partial(self._unlock_builddir_exit, returncode=returncode)) + + def _unlock_builddir_exit(self, unlock_task, returncode=None): + self._assert_current(unlock_task) + # Normally, async_unlock should not raise an exception here. + unlock_task.future.result() + if returncode is not None: + self.returncode = returncode + self.wait() def _build_exit(self, build): if self._default_exit(build) != os.EX_OK: - self._unlock_builddir() - self.wait() + self._async_unlock_builddir(returncode=self.returncode) return buildpkg = self._buildpkg @@ -370,8 +382,7 @@ class EbuildBuild(CompositeTask): """ if self._default_exit(packager) != os.EX_OK: - self._unlock_builddir() - self.wait() + self._async_unlock_builddir(returncode=self.returncode) return if self.opts.buildpkgonly: @@ -425,8 +436,9 @@ class EbuildBuild(CompositeTask): def _clean_exit(self, clean_phase): if self._final_exit(clean_phase) != os.EX_OK or \ self.opts.buildpkgonly: - self._unlock_builddir() - self.wait() + self._async_unlock_builddir(returncode=self.returncode) + else: + self.wait()
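Review bot: in _unlock_builddir_exit, `unlock_task.future.result()` re-raises any exception the unlock produced, and it does so before `self.returncode = returncode` and `self.wait()`; an unlock failure therefore escapes the exit callback and leaves the task with returncode None and its exit listeners never notified. Catch the exception, set a non-zero returncode and still call `self.wait()`, so a failed unlock surfaces as a failed build rather than a stalled task. The docstring of _async_unlock_builddir should also say that callers must not call `self.wait()` themselves afterwards, since every call site in this patch drops its previous `self.wait()` for exactly that reason.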
[gentoo-portage-dev] [PATCH 0/2] EbuildBuildDir: add async_unlock method (bug 614108)
Bug: https://bugs.gentoo.org/614108

Zac Medico (2):
  EbuildBuildDir: add async_unlock method (bug 614108)
  EbuildBuild: use async_unlock (bug 614108)

 pym/_emerge/EbuildBuild.py    | 52 ++-
 pym/_emerge/EbuildBuildDir.py | 43 +++
 2 files changed, 75 insertions(+), 20 deletions(-)

--
2.13.6
[gentoo-dev] Package up for grabs
Hi list,

I'd like to give up maintenance of dev-libs/libratbag due to the software
now depending on libsystemd[1] which I do not have the tiniest interest to
infect my systems with.
Unfortunately upstream refuses to make libsystemd optional because they
don't wanna use dbus directly but rather prefer a useless additional layer
for that (libsystemd).

If nobody picks it up I'm either gonna put it on maintainer-needed in about
30 days or (if QA prefers that) lastrite it entirely.

Kind regards
Lars

[1] https://github.com/libratbag/libratbag/issues/239

--
Lars Wendler
Gentoo package maintainer
GPG: 21CC CF02 4586 0A07 ED93 9F68 498F E765 960E 9B39
Re: [gentoo-dev] Regarding the State of PaX in the tree
* Anthony G. Basile wrote on 16.04.18 at 14:12:
> On 4/16/18 4:05 AM, Marc Schiffbauer wrote:
> > * Anthony G. Basile wrote on 16.04.18 at 02:04:
> >> Hi everyone,
> >
> > Hi Anthony,
> >
> > I vote for keeping PaX Support as I am still using it and might be doing
> > so in the future.
> >
> > Thanks ;)
> > -Marc
> >
>
> How are you able to test? Do you have your hands on the latest grsec
> patches or are you using an old kernel. Old at this point means one
> year old.

Right now, I only have grsecurity-sources (4.9.74) but I may have access to
latest grsecurity patches later this year.

Regards
-Marc

--
0xCA3E7BF67F979BE5 - F7FB 78F7 7CC3 79F6 DF07 6E9E CA3E 7BF6 7F97 9BE5
[gentoo-dev] Old copyright assignments
Dear fellow (active and retired) developers,

We (rich0, alicef, and myself) are currently working on a new Gentoo
copyright policy, whose current draft version can be seen at [1]. One of
its goals is to cover situations where Gentoo isn't the main copyright
holder in a file. Connected to this is the question how accurate the first
line of every ebuild is, which claims copyright for the Gentoo Foundation.

Reportedly, in the past at least some Gentoo developers signed copyright
assignment forms [2] to Gentoo Technologies, Inc., and possibly later to
the Gentoo Foundation. Bug 140286 [3] suggests that this no longer took
place since around 2005.

Now my question to you is if (and when) you have signed such a copyright
assignment form? Please reply to me personally; I'll post a summary to the
gentoo-project list later.

Old mailing list postings also show that several devs have refused to sign
the form; please also reply to me if this applies to you.

Thank you in advance,
Ulrich

[1] https://dev.gentoo.org/~ulm/glep-copyrightpolicy.html
[2] https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo/xml/htdocs/proj/en/devrel/copyright/assignment.pdf?revision=1.1
[3] https://bugs.gentoo.org/140286
[gentoo-portage-dev] [PATCH] EbuildPhase._ebuild_exit: use async_unlock (bug 614108)
Use async_unlock to avoid event loop recursion, and AsyncTaskFuture to fit the resulting future into the CompositeTask framework that EbuildPhase uses. Bug: https://bugs.gentoo.org/614108 --- pym/_emerge/EbuildPhase.py | 22 +- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/pym/_emerge/EbuildPhase.py b/pym/_emerge/EbuildPhase.py index 3174cac1a..890b17870 100644 --- a/pym/_emerge/EbuildPhase.py +++ b/pym/_emerge/EbuildPhase.py @@ -1,6 +1,7 @@ # Copyright 1999-2018 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 +import functools import gzip import io import sys @@ -15,6 +16,7 @@ from _emerge.PackagePhase import PackagePhase from portage.package.ebuild.prepare_build_dirs import (_prepare_workdir, _prepare_fake_distdir, _prepare_fake_filesdir) from portage.util import writemsg +from portage.util._async.AsyncTaskFuture import AsyncTaskFuture try: from portage.xml.metadata import MetaDataXML @@ -197,13 +199,23 @@ class EbuildPhase(CompositeTask): self._start_task(ebuild_process, self._ebuild_exit) def _ebuild_exit(self, ebuild_process): - - if self._ebuild_lock is not None: - self._ebuild_lock.unlock() - self._ebuild_lock = None + self._assert_current(ebuild_process) + if self._ebuild_lock is None: + self._ebuild_exit_unlocked(ebuild_process) + else: + self._start_task( + AsyncTaskFuture(future=self._ebuild_lock.async_unlock()), + functools.partial(self._ebuild_exit_unlocked, ebuild_process)) + + def _ebuild_exit_unlocked(self, ebuild_process, unlock_task=None): + if unlock_task is not None: + self._assert_current(unlock_task) + # Normally, async_unlock should not raise an exception here. + unlock_task.future.result() fail = False - if self._default_exit(ebuild_process) != os.EX_OK: + if ebuild_process.returncode != os.EX_OK: + self.returncode = ebuild_process.returncode if self.phase == "test" and \ "test-fail-continue" in self.settings.features: # mark test phase as complete (bug #452030) -- 2.13.6
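Review bot: the removed lines cleared `self._ebuild_lock = None` after unlocking, but on the new path neither _ebuild_exit nor _ebuild_exit_unlocked resets it, so the phase keeps a reference to a lock object that has already been released; set it to None in _ebuild_exit_unlocked once `unlock_task.future.result()` has returned. That `.result()` call also re-raises an unlock failure before `self.returncode` is assigned, leaving the phase without a result; handle the exception and record a failure returncode so the task does not stall. Since `_default_exit(ebuild_process)` is no longer called here, the explicit `self._assert_current(ebuild_process)` the hunk adds at the top of _ebuild_exit must stay, because it is now the only check that the finished process is the current task.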