On 02.01.2016 11:48, Thorsten Leemhuis wrote:
> On 10.12.2015 20:59, Josh Boyer wrote(¹):
>> […]
> > Find attached two patches to go down that route.
Here they are inline -- they were attached, but mailman removed them afaics :-/ Sorry
>From 75a2022f3b326e04897165d0eb8b7a15d07ecd1e Mon Sep 17 00:00:00 2001
From: Thorsten Leemhuis <fedora@xxxxxxxxxxxxx>
Date: Fri, 1 Jan 2016 17:28:51 +0100
Subject: [PATCH 1/2] add signkernel macro to make signing kernel and signing modules independent from each other
---
 kernel.spec | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/kernel.spec b/kernel.spec
index e0af033..a56f071 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -11,9 +11,11 @@ Summary: The Linux kernel
 # Sign modules on x86. Make sure the config files match this setting if more
 # architectures are added.
 %ifarch %{ix86} x86_64
+%global signkernel 1
 %global signmodules 1
 %global zipmodules 1
 %else
+%global signkernel 0
 %global signmodules 0
 %global zipmodules 0
 %endif
@@ -393,7 +395,7 @@ BuildRequires: rpm-build, elfutils
 BuildRequires: openssl openssl-devel
 %endif
-%if %{signmodules}
+%if %{signkernel}
 BuildRequires: pesign >= 0.10-4
 %endif
@@ -1321,7 +1323,7 @@ BuildKernel() {
 make -s mrproper
 cp configs/$Config .config
- %if %{signmodules}
+ %if %{signkernel}%{signmodules}
 cp %{SOURCE11} certs/.
 %endif
@@ -1358,7 +1360,7 @@ BuildKernel() {
 cp arch/$Arch/boot/zImage.stub $RPM_BUILD_ROOT/%{image_install_path}/zImage.stub-$KernelVer || :
 cp arch/$Arch/boot/zImage.stub $RPM_BUILD_ROOT/lib/modules/$KernelVer/zImage.stub-$KernelVer || :
 fi
- %if %{signmodules}
+ %if %{signkernel}
 # Sign the image if we're using EFI
 %pesign -s -i $KernelImage -o vmlinuz.signed
 if [ ! -s vmlinuz.signed ]; then
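Review bot: The comment that heads this block, `# Sign modules on x86. Make sure the config files match this setting if more architectures are added.`, now sits above two independent switches but still only describes module signing, so a reader has to work out from the later hunks that `signkernel` gates the pesign step on the EFI image. Suggest `# Sign the kernel image (signkernel, via pesign) and the modules (signmodules) on x86. Keep the config files in sync with these macros if more architectures are added.` The comment lines are context here, so the wording change would be a separate one-line edit in the same block.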
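Review bot: `%if %{signkernel}%{signmodules}` relies on the two macro values being glued into a single token (`00`, `01`, `10` or `11`) that rpm then evaluates as a number, which is true only because `00` is the sole zero value; it reads like a dropped operator and would silently change meaning if either macro were ever defined as anything but a single digit. `%if %{signkernel} || %{signmodules}` states the intent directly and costs nothing. The same spelling is reused for the BuildRequires block in patch 2, so both sites should change together. `BuildKernel()` begins and ends outside this hunk.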
@@ -2062,6 +2064,10 @@ fi # # %changelog
+* Fri Jan 01 2016 Thorsten Leemhuis <fedora@xxxxxxxxxxxxx>
+- add signkernel macro to make signing kernel and signing modules independent from each other
+
 * Sun Dec 27 2015 Peter Robinson <pbrobinson@xxxxxxxxxxxxxxxxx>
 - Minor ARMv7/aarch64/ppc/s390 config cleanups
 - Enable rk3368 aarch64 platforms
--
1.8.3.1
>From 17e367ab5d2f5bb54be6c072adade4384fb4431d Mon Sep 17 00:00:00 2001
From: Thorsten Leemhuis <fedora@xxxxxxxxxxxxx>
Date: Fri, 1 Jan 2016 17:45:08 +0100
Subject: [PATCH 2/2] sign modules on all archs
---
 config-generic | 17 ++++++++++++++---
 config-x86-generic | 13 +------------
 kernel.spec | 9 ++++-----
 3 files changed, 19 insertions(+), 20 deletions(-)
diff --git a/config-generic b/config-generic
index 6c999c5..d36dede 100644
--- a/config-generic
+++ b/config-generic
@@ -5761,11 +5761,22 @@ CONFIG_POWERCAP=y
 # CONFIG_CPUFREQ_DT is not set
-# CONFIG_MODULE_SIG is not set
+CONFIG_MODULE_SIG=y
+CONFIG_MODULE_SIG_ALL=y
+# CONFIG_MODULE_SIG_SHA1 is not set
+CONFIG_MODULE_SIG_SHA256=y
+# CONFIG_MODULE_SIG_FORCE is not set
+CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
+CONFIG_SYSTEM_TRUSTED_KEYS=""
+CONFIG_PKCS7_MESSAGE_PARSER=y
+# CONFIG_PKCS7_TEST_KEY is not set
+CONFIG_SIGNED_PE_FILE_VERIFICATION=y
+CONFIG_SYSTEM_TRUSTED_KEYRING=y
+CONFIG_SYSTEM_BLACKLIST_KEYRING=y
+# CONFIG_MODULE_SIG_UEFI is not set
+# CONFIG_EFI_SIGNATURE_LIST_PARSER is not set
 # FIXME: Revisit this to see if we can use it instead of the spec file stuff
 # CONFIG_MODULE_COMPRESS is not set
-# CONFIG_SYSTEM_TRUSTED_KEYRING is not set
-# CONFIG_SYSTEM_BLACKLIST_KEYRING is not set
 # CONFIG_RTC_DRV_EFI is not set
 # CONFIG_NET_XGENE is not set
diff --git a/config-x86-generic b/config-x86-generic
index 83254f3..50dc2fc 100644
--- a/config-x86-generic
+++ b/config-x86-generic
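Review bot: `# CONFIG_MODULE_SIG_FORCE is not set` is carried over into the generic config, while the only enforcement switch visible in this series, `CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y`, stays in config-x86-generic; on the architectures this hunk newly covers an unsigned or mis-signed module therefore still loads and only taints the kernel, unless enforcement is switched on somewhere the patch does not show. That may well be the intent (signatures as a taint/audit signal outside Secure Boot), but it is a security decision a future reader will not infer from the option list, so it deserves a note next to it such as `# MODULE_SIG_FORCE stays off: load-time enforcement is x86/Secure-Boot only, see config-x86-generic`. `CONFIG_SYSTEM_TRUSTED_KEYS=""` plus `CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"` leaves the per-build key (the spec copies `%{SOURCE11}` into `certs/`) as the only module-signing trust root, which is consistent with a throw-away build key and is worth stating in the same comment. The trailing blank lines that separate these groups were lost in transit and are not visible here.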
@@ -568,18 +568,7 @@ CONFIG_MOUSE_PS2_VMMOUSE=y
 CONFIG_XZ_DEC_X86=y
 CONFIG_MPILIB=y
-CONFIG_PKCS7_MESSAGE_PARSER=y
-# CONFIG_PKCS7_TEST_KEY is not set
-CONFIG_SIGNED_PE_FILE_VERIFICATION=y
-CONFIG_SYSTEM_TRUSTED_KEYRING=y
-CONFIG_SYSTEM_BLACKLIST_KEYRING=y
-CONFIG_MODULE_SIG=y
-CONFIG_MODULE_SIG_ALL=y
-# CONFIG_MODULE_SIG_SHA1 is not set
-CONFIG_MODULE_SIG_SHA256=y
-# CONFIG_MODULE_SIG_FORCE is not set
-CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
-CONFIG_SYSTEM_TRUSTED_KEYS=""
+
 CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y
 CONFIG_EFI_SIGNATURE_LIST_PARSER=y
diff --git a/kernel.spec b/kernel.spec
index a56f071..e9a7358 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -16,7 +16,7 @@ Summary: The Linux kernel
 %global zipmodules 1
 %else
 %global signkernel 0
-%global signmodules 0
+%global signmodules 1
 %global zipmodules 0
 %endif
@@ -390,14 +390,12 @@ BuildRequires: rpm-build, elfutils
 %define debuginfo_args --strict-build-id -r
 %endif
-%ifarch %{ix86} x86_64
-# MODULE_SIG is enabled in config-x86-generic and needs these:
+%if %{signkernel}%{signmodules}
 BuildRequires: openssl openssl-devel
-%endif
-
 %if %{signkernel}
 BuildRequires: pesign >= 0.10-4
 %endif
+%endif
 %if %{with_cross}
 BuildRequires: binutils-%{_build_arch}-linux-gnu, gcc-%{_build_arch}-linux-gnu
@@ -2067,6 +2065,7 @@ fi
 * Fri Jan 01 2016 Thorsten Leemhuis <fedora@xxxxxxxxxxxxx>
 - add signkernel macro to make signing kernel and signing modules independent from each other
+- sign modules on all archs
 * Sun Dec 27 2015 Peter Robinson <pbrobinson@xxxxxxxxxxxxxxxxx>
 - Minor ARMv7/aarch64/ppc/s390 config cleanups
--
1.8.3.1
_______________________________________________ kernel mailing list kernel@xxxxxxxxxxxxxxxxxxxxxxx http://lists.fedoraproject.org/admin/lists/kernel@xxxxxxxxxxxxxxxxxxxxxxx
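Review bot: Flipping `%global signmodules 1` in the `%else` branch makes module signing unconditional, but the comment that introduces this `%ifarch` block (just above the hunk, `# Sign modules on x86. Make sure the config files match this setting if more architectures are added.`) now says the opposite of what the macros do, and the matching CONFIG_MODULE_SIG lines have moved from config-x86-generic to config-generic. Suggest `# Sign modules on all architectures; sign the kernel image (pesign) on x86 only. Keep the config files in sync with these macros.` With signmodules always 1 the `%else` assignment is arguably dead and the macro could be hoisted above the `%ifarch`, which would make the "all archs" intent visible at a glance.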
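Review bot: The removed `# MODULE_SIG is enabled in config-x86-generic and needs these:` is not replaced, so the new `%if %{signkernel}%{signmodules}` block no longer says why openssl/openssl-devel and pesign are build requirements; a one-line `# MODULE_SIG (config-generic) needs openssl for the per-build signing key; signkernel needs pesign for the EFI image` would keep that knowledge. The outer condition uses the same digit-concatenation idiom as patch 1 and would be clearer as `%if %{signkernel} || %{signmodules}`; since the inner `%if %{signkernel}` already gates pesign on its own, nesting it inside the combined test adds an `%endif` without adding a constraint. The openssl dependency being tied to signkernel as well as signmodules is presumably deliberate (pesign path also needs it) but is not stated anywhere visible.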