[gentoo-dev] Last rites: sys-process/vixie-cron

2018-09-20 Thread Mikle Kolyada
# Mikle Kolyada  (20 Sep 2018)
# Dead upstream and unmaintained for a long time,
# has multiple bugs open, use sys-process/cronie
# instead (the fork). Removal in 30 days.
sys-process/vixie-cron



signature.asc
Description: OpenPGP digital signature


[gentoo-dev] Re: Last rites: sys-process/vixie-cron

2018-09-20 Thread Brian Evans
On 9/20/2018 5:17 AM, Mikle Kolyada wrote:
> # Mikle Kolyada  (20 Sep 2018)
> # Dead upstream and unmaintained for a long time,
> # has multiple bugs open, use sys-process/cronie
> # instead (the fork). Removal in 30 days.
> sys-process/vixie-cron
> 

sys-process/cronie needs to be keyworded ~amd64-fbsd so that CI passes.

Thanks.





Re: [gentoo-dev] Last rites: sys-process/vixie-cron

2018-09-20 Thread Thomas Deutschmann
On 2018-09-20 11:17, Mikle Kolyada wrote:
> # Mikle Kolyada  (20 Sep 2018)
> # Dead upstream and unmaintained for a long time,
> # has multiple bugs open, use sys-process/cronie
> # instead (the fork). Removal in 30 days.
> sys-process/vixie-cron

I reverted that mask for now, see
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0fd44962557b7870ac34c9b64f9bcfefc508f1e0
for details.


-- 
Regards,
Thomas Deutschmann / Gentoo Linux Developer
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5





[gentoo-dev] [PATCH] eclass/linux-mod.eclass: add module signing support

2018-09-20 Thread Georgy Yakovlev
This commit adds some eclass variables and private functions
and a new global useflag.

Example config, part of make.conf
USE="... module-sign ..."
KERNEL_MODULE_SIG_KEY="/secure/location/kernel.pem"

And possible kernel options:

CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"

NOTE to libressl users: libressl does not support anything
except CONFIG_MODULE_SIG_SHA1=y CONFIG_MODULE_SIG_HASH="sha1"

Even if the user does not follow the key creation procedure and
just enables module encryption while configuring the kernel, the eclass "just works".

All the signing happens in pkg_preinst.
This means that binpkg users are expected to
have keys and sign modules on the target system, not on the builder.

I've been using this since March and have not encountered
a single problem with various out-of-tree kernel modules.
Tested so far:
virtualbox-modules
nvidia-drivers
zfs & co
wireguard
and many more

If an ebuild uses Kbuild and/or runs linux-mod_pkg_preinst(), signing should work.

All the signing happens as root; this means the user can have the
keys stored with secure permissions and mounted as required.

If the user configured the kernel to require signed modules, the eclass
will detect it and refuse to emerge if the useflag is not enabled.

I'll appreciate your testing and feedback.

NOTE to amdgpu users: if you use CONFIG_HSA_AMD, you'll want to have
CONFIG_HSA_AMD=y

Having it as a module fails to sign for some reason; it's something in
kernel/kbuild and not related to this eclass change.

Closes: https://bugs.gentoo.org/447352
Signed-off-by: Georgy Yakovlev 
---
 eclass/linux-mod.eclass | 109 ++--
 profiles/use.desc   |   1 +
 2 files changed, 106 insertions(+), 4 deletions(-)

diff --git a/eclass/linux-mod.eclass b/eclass/linux-mod.eclass
index e5b5ec782f0..540b55286f8 100644
--- a/eclass/linux-mod.eclass
+++ b/eclass/linux-mod.eclass
@@ -132,6 +132,20 @@
 # @DESCRIPTION:
 # It's a read-only variable. It contains the extension of the kernel modules.
 
+# @ECLASS-VARIABLE: KERNEL_MODULE_SIG_KEY
+# @USER_VARIABLE
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# A string, containing absolute path to the private key file.
+# eclass will use value of CONFIG_MODULE_SIG_KEY extracted from .config
+# if KERNEL_MODULE_SIG_KEY is not set by user.
+#
+# Example:
+# @CODE
+# KERNEL_MODULE_SIG_KEY="/secure/location/kernel.pem"
+# @CODE
+# Assumes that "/secure/location/kernel.x509" public key file exists.
+
 inherit eutils linux-info multilib
 EXPORT_FUNCTIONS pkg_setup pkg_preinst pkg_postinst src_install src_compile 
pkg_postrm
 
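Review bot: the KERNEL_MODULE_SIG_KEY doc block leaves the certificate lookup implicit: the last line says a "/secure/location/kernel.x509" file is assumed, but not that the name is derived by swapping the key's .pem suffix for .x509, nor that a value taken from CONFIG_MODULE_SIG_KEY (e.g. certs/signing_key.pem, as the later comment in _sign_module notes) is relative to the kernel source tree rather than absolute. Spell both rules out, e.g. `# The public certificate is looked up as the key path with .pem replaced by .x509;` and `# a path taken from CONFIG_MODULE_SIG_KEY is resolved relative to the kernel source directory.` Since the cover letter says the key is read as root during pkg_preinst, a sentence that the file may stay readable by root only would also help users pick sane permissions.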
@@ -144,13 +158,16 @@ esac
0) die "EAPI=${EAPI} is not supported with 
MODULES_OPTIONAL_USE_IUSE_DEFAULT due to lack of IUSE defaults" ;;
 esac
 
-IUSE="kernel_linux 
${MODULES_OPTIONAL_USE:+${_modules_optional_use_iuse_default}}${MODULES_OPTIONAL_USE}"
+IUSE="module-sign kernel_linux 
${MODULES_OPTIONAL_USE:+${_modules_optional_use_iuse_default}}${MODULES_OPTIONAL_USE}"
 SLOT="0"
 RDEPEND="${MODULES_OPTIONAL_USE}${MODULES_OPTIONAL_USE:+? (} kernel_linux? ( 
virtual/modutils ) ${MODULES_OPTIONAL_USE:+)}"
 DEPEND="${RDEPEND}
 ${MODULES_OPTIONAL_USE}${MODULES_OPTIONAL_USE:+? (}
sys-apps/sed
-   kernel_linux? ( virtual/linux-sources virtual/libelf )
+   kernel_linux? (
+   virtual/linux-sources virtual/libelf
+   module-sign? ( || ( dev-libs/openssl dev-libs/libressl ) )
+   )
${MODULES_OPTIONAL_USE:+)}"
 
 # eclass utilities
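Review bot: the new `module-sign? ( || ( dev-libs/openssl dev-libs/libressl ) )` entry lands only in DEPEND, but per the cover letter the signing runs in pkg_preinst on the target system, including for binary packages, where DEPEND is not guaranteed to be installed; the same applies to virtual/linux-sources, whose scripts/sign-file does the signing. Put the OpenSSL dependency (and whatever provides sign-file) in RDEPEND as well, or at least document that binpkg hosts must have them. The cover letter's note that libressl only supports sha1 for this belongs next to the dependency too, since the `||` alternative silently accepts a build that cannot sign with the sha512 hash shown in the example config.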
@@ -352,6 +369,84 @@ get-KERNEL_CC() {
echo "${kernel_cc}"
 }
 
+# @FUNCTION: _check_sig_force
+# @INTERNAL
+# @DESCRIPTION:
+# Check if kernel requires module signing and die
+# if modules are not going to be signed.
+_check_sig_force() {
+   debug-print-function ${FUNCNAME} "${@}"
+
+   if linux_chkconfig_present MODULE_SIG_FORCE; then
+   if use !module-sign; then
+   eerror "kernel .config has MODULE_SIG_FORCE=y option 
set"
+   eerror "This means that kernel requires all modules"
+   eerror "to be signed and verified before loading"
+   eerror "please enable USE=\"module-sign\" or 
reconfigure your kernel"
+   eerror "otherwise loading the module will fail"
+   die "signature required"
+   fi
+   fi
+}
+
+# @FUNCTION: _sign_module
+# @INTERNAL
+# @USAGE: 
+# @DESCRIPTION:
+# Sign a kernel module
+_sign_module() {
+   debug-print-function ${FUNCNAME} "${@}"
+
+   local dotconfig_sig_hash dotconfig_sig_key
+   local sign_binary_path sig_key_path sig_x509_path
+   local module
+
+   # extract values from kernel .config
+   # extracted key path is not full, e.g. "certs/signing_key.pem"
+   dotconfig_sig_hash="$(linux_chkconfig_string MODULE_SIG_HASH)"
+   dotconfig_sig_key="$(linux_chkconfig_string MODULE_SIG_KEY)"
+
+   # sign-file binary chokes
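Review bot: `# @USAGE:` on _sign_module is empty; document the argument it takes (presumably the path of one module file, given the `local module` declaration), as the eclass doc tooling renders this line. In the key resolution that follows, fall back from KERNEL_MODULE_SIG_KEY to the .config value only when the latter is non-empty, and die with an explicit message when neither resolves to a readable key and .x509 pair, rather than letting sign-file fail on an empty or relative path. _check_sig_force itself looks right: it dies only for MODULE_SIG_FORCE=y, which is the one case where an unsigned module is refused at load time.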
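Added here as an illustration, not code from the patch or from the eclass: a POSIX shell sketch of the key lookup the cover letter describes (KERNEL_MODULE_SIG_KEY first, else CONFIG_MODULE_SIG_KEY from .config with relative paths anchored at the kernel tree, certificate derived by swapping .pem for .x509), plus a check a defender can run to see whether an installed .ko already carries the kernel's signature trailer. All function names and the sample .config are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the patch or the eclass. It mirrors the key
# lookup the cover letter describes (KERNEL_MODULE_SIG_KEY first, otherwise
# CONFIG_MODULE_SIG_KEY from .config, with relative paths anchored at the
# kernel source tree) and adds a check that a built .ko already carries the
# trailer scripts/sign-file appends. All helper names are this example's own.
set -eu

# Print the value of CONFIG_<name> from a .config file, quotes stripped.
config_string() {  # $1 = option name, $2 = path to .config
    sed -n "s/^CONFIG_$1=\"\{0,1\}\([^\"]*\)\"\{0,1\}$/\1/p" "$2"
}

# Print "<key.pem> <cert.x509>" on one line, or fail with a reason on stderr.
resolve_sig_key() {  # $1 = kernel source dir, $2 = KERNEL_MODULE_SIG_KEY or ""
    key=${2:-}
    if [ -z "$key" ]; then
        key=$(config_string MODULE_SIG_KEY "$1/.config")
        [ -n "$key" ] || { echo "no signing key configured" >&2; return 1; }
    fi
    # .config values such as certs/signing_key.pem are relative to the tree
    case $key in /*) ;; *) key="$1/$key" ;; esac
    cert="${key%.pem}.x509"
    [ -r "$key" ] && [ -r "$cert" ] || { echo "unreadable $key or $cert" >&2; return 1; }
    echo "$key $cert"
}

# Succeed if the file ends with the kernel's "~Module signature appended~\n".
module_is_signed() {  # $1 = path to a .ko
    [ "$(tail -c 28 "$1")" = "~Module signature appended~" ]
}

# Constructed demo tree: empty placeholder files stand in for real keys.
d=$(mktemp -d)
mkdir -p "$d/src/certs"
printf 'CONFIG_MODULE_SIG_HASH="sha512"\nCONFIG_MODULE_SIG_KEY="certs/signing_key.pem"\n' > "$d/src/.config"
: > "$d/src/certs/signing_key.pem"
: > "$d/src/certs/signing_key.x509"
echo "hash: $(config_string MODULE_SIG_HASH "$d/src/.config")"
echo "key/cert: $(resolve_sig_key "$d/src" "")"
printf 'fake module bytes~Module signature appended~\n' > "$d/signed.ko"
module_is_signed "$d/signed.ko" && echo "signed.ko has a signature trailer"
rm -rf "$d"
```

sign-file itself is never invoked, so the script runs without a kernel tree or real keys; on a real system, `module_is_signed` over /lib/modules/$(uname -r) shows which modules a MODULE_SIG_FORCE kernel would refuse.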