[PATCH 0/3] Use rusty-style signed modules

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi All,

Following is a brief series to change the F18 kernel over to using the
"Rusty" style signed modules.  This takes David's 'modsign-rusty' branch
and applies it in place of the currently used 'modsign' patch set.
There is one notable change I've done, which is to replace David's:

    MODSIGN: Sign modules during the build process

patch with a different one.  The new patch adds a new 'modules_sign'
make target and allows us to still utilize RPM's debuginfo generation
with signed modules.  I've attached just that patch below for closer
review.

To spare people's inboxes, patch 3/3 won't contain the full
modsign-rusty-jwb and secure-boot patchsets.  Those can be found here:

http://jwboyer.fedorapeople.org/pub/modsign-rusty-jwb.patch
http://jwboyer.fedorapeople.org/pub/secure-boot-20120830.patch

Most of the overall change in these patches is dealing with moving some
of the modules-extra handling around to make it easier.  The rest should
be fairly self-explanatory.

I've tested this on both x86_64 and i686/PAE KVM guests using the kernel
command line options to verify things.  The modules are indeed still
signed after install, and the debuginfo seems to still work properly via
gdb in that gdb can find the correct .debug files for modules, etc.

Comments/questions welcome.

josh

---

>From d992574c734c346760a370b32a28580d47729f7c Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@xxxxxxxxxx>
Date: Fri, 14 Sep 2012 11:58:01 -0400
Subject: [PATCH 21/27] MODSIGN: Add modules_sign make target

If CONFIG_MODULE_SIG is set, and 'make modules_sign' is called then this
patch will cause the modules to get a signature installed.  The make target
is intended to be run after 'make modules_install', and will modify the
modules in-place in the installed location.

The signature will be appended to the module, along with the payload size,
the signature size and a magic string.  This requires private and public
keys to be available.  By default these are expected to be found in PGP
keyring files called modsign.sec (the secret key) and modsign.pub (the
public key) in the build root.

If signing occurs, lines like the following will be seen:

	SIGN [M] <install path>/fs/foo/foo.ko

will appear in the build log.  If the signature step will be skipped and the
following will be seen:

	NO SIGN [M] <install path>/fs/foo/foo.ko

NOTE!  After the signature step, the signed module must not be passed through
strip.  If you wish to strip or otherwise modify the kernel modules, use the
built-in stripping capabilities with 'make modules_install' or perform said
modifications before calling this make target.  This restriction may affect
packaging tools (such as rpmbuild) and initramfs composition tools.

Note that I do not agree with this method of attaching signatures to modules.
Based on work by David Howells <dhowells@xxxxxxxxxx>

Signed-off-by: Josh Boyer <jwboyer@xxxxxxxxxx>
---
 Makefile                 |  6 +++
 scripts/Makefile.modsign | 98 ++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 104 insertions(+)
 create mode 100644 scripts/Makefile.modsign

diff --git a/Makefile b/Makefile
index a347b81..a708eae 100644
--- a/Makefile
+++ b/Makefile
@@ -965,6 +965,12 @@ _modinst_post: _modinst_
 	$(Q)$(MAKE) -f $(srctree)/scripts/Makefile.fwinst obj=firmware __fw_modinst
 	$(call cmd,depmod)
 
+ifeq ($(CONFIG_MODULE_SIG), y)
+PHONY += modules_sign
+modules_sign:
+	$(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modsign
+endif
+
 else # CONFIG_MODULES
 
 # Modules not configured
diff --git a/scripts/Makefile.modsign b/scripts/Makefile.modsign
new file mode 100644
index 0000000..3ee7d3a
--- /dev/null
+++ b/scripts/Makefile.modsign
@@ -0,0 +1,98 @@
+# ==========================================================================
+# Signing modules
+# ==========================================================================
+
+PHONY := __modsign
+__modsign:
+
+include scripts/Kbuild.include
+
+__modules := $(sort $(shell grep -h '\.ko' /dev/null $(wildcard $(MODVERDIR)/*.mod)))
+modules := $(patsubst %.o,%.ko,$(wildcard $(__modules:.ko=.o)))
+
+PHONY += $(modules)
+__modsign: $(modules)
+	@:
+
+MODSECKEY = ./modsign.sec
+MODPUBKEY = ./modsign.pub
+KEYFLAGS = --no-default-keyring --secret-keyring $(MODSECKEY) --keyring $(MODPUBKEY) --no-default-keyring --homedir . --no-options --no-auto-check-trustdb --no-permission-warning
+
+ifdef CONFIG_MODULE_SIG_SHA1
+KEYFLAGS += --digest-algo=SHA1
+else
+ifdef CONFIG_MODULE_SIG_SHA224
+KEYFLAGS += --digest-algo=SHA224
+else
+ifdef CONFIG_MODULE_SIG_SHA256
+KEYFLAGS += --digest-algo=SHA256
+else
+ifdef CONFIG_MODULE_SIG_SHA384
+KEYFLAGS += --digest-algo=SHA384
+else
+ifdef CONFIG_MODULE_SIG_SHA512
+KEYFLAGS += --digest-algo=SHA512
+else
+endif
+endif
+endif
+endif
+endif
+
+ifdef MODKEYNAME
+KEYFLAGS += --default-key $(MODKEYNAME)
+endif
+
+ifeq ($(wildcard $(MODSECKEY))+$(wildcard $(MODPUBKEY)),$(MODSECKEY)+$(MODPUBKEY))
+ifeq ($(KBUILD_SRC),)
+       # no O= is being used
+       SCRIPTS_DIR := scripts
+else
+       SCRIPTS_DIR := $(KBUILD_SRC)/scripts
+endif
+SIGN_MODULES := 1
+else
+SIGN_MODULES := 0
+endif
+
+# only sign if it's an in-tree module
+ifneq ($(KBUILD_EXTMOD),)
+SIGN_MODULES := 0
+endif
+
+ifeq ($(SIGN_MODULES),1)
+KEYRING_DEP := modsign.sec modsign.pub
+quiet_cmd_sign_ko = SIGN [M] $(2)/$(notdir $@)
+      cmd_sign_ko = \
+		rm -f $(2)/$(notdir $@).sig && \
+		gpg --batch --no-greeting $(KEYFLAGS) -b $(2)/$(notdir $@) && \
+		( \
+			cat $(2)/$(notdir $@) $(2)/$(notdir $@).sig && \
+			stat --printf %-5s $(2)/$(notdir $@).sig && \
+			echo -n "This Is A Crypto Signed Module" \
+		) >$(2)/$(notdir $@).signed && \
+		mv $(2)/$(notdir $@).signed $(2)/$(notdir $@) && \
+		rm -f $(2)/$(notdir $@).sig
+else
+KEYRING_DEP :=
+quiet_cmd_sign_ko = NO SIGN [M] $@
+      cmd_sign_ko = \
+		true
+endif
+
+#quiet_cmd_modules_sign = SIGN $@
+#      cmd_modules_sign = mkdir -p $(2); cp $@ $(2) ; $(mod_strip_cmd) $(2)/$(notdir $@)
+
+# Modules built outside the kernel source tree go into extra by default
+INSTALL_MOD_DIR ?= extra
+ext-mod-dir = $(INSTALL_MOD_DIR)$(subst $(patsubst %/,%,$(KBUILD_EXTMOD)),,$(@D))
+
+modinst_dir = $(if $(KBUILD_EXTMOD),$(ext-mod-dir),kernel/$(@D))
+
+$(modules):
+	$(call cmd,sign_ko,$(MODLIB)/$(modinst_dir))
+
+# Declare the contents of the .PHONY variable as phony.  We keep that
+# # information in a variable se we can use it in if_changed and friends.
+
+.PHONY: $(PHONY)
-- 
1.7.11.4
_______________________________________________
kernel mailing list
kernel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/kernel
[Index of Archives]     [Fedora General Discussion]     [Older Fedora Users Archive]     [Fedora Advisory Board]     [Fedora Security]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Mentors]     [Fedora Package Announce]     [Fedora Package Review]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Coolkey]     [Yum Users]     [Tux]     [Yosemite News]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [USB]     [Asterisk PBX]

  Powered by Linux