881651 – sys-kernel/gentoo-kernel doesn't sign modules during installation (if MODULE_SIG_* is set)

Bug 881651 - sys-kernel/gentoo-kernel doesn't sign modules during installation (if MODULE_SIG_* is set)

Summary: sys-kernel/gentoo-kernel doesn't sign modules during installation (if MODULE_...

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Distribution Kernel Project

URL:
Whiteboard:
Keywords:	PullRequest

Depends on:
Blocks:

Reported:	2022-11-17 12:55 UTC by Mirko Guenther
Modified:	2023-06-20 18:57 UTC (History)
CC List:	4 users (show)

See Also:	447352 881641 814344 https://github.com/gentoo/gentoo/pull/31358
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Mirko Guenther 2022-11-17 12:55:27 UTC

sys-kernel/gentoo-kernel doesn't sign modules during installation even, if "MODULE_SIG_*" is set. If "CONFIG_MODULE_SIG" is set, this prevents the kernel to load the modules.

I guess the same will be happen with set 'CONFIG_MODULE_COMPRESS_*'. The modules will not compressed during installation.

Reproducible: Always

Comment 1 Sam James archtester

2022-11-18 04:16:19 UTC

(fwiw my modules are indeed compressed.)

Comment 2 Larry the Git Cow gentoo-dev

2023-06-20 18:57:52 UTC

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=09a8adc582e55ffc4521376c17ee8ad745a1fda0

commit 09a8adc582e55ffc4521376c17ee8ad745a1fda0
Author: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
AuthorDate: 2023-06-15 09:50:10 +0000
Commit: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
CommitDate: 2023-06-20 18:57:33 +0000

kernel-build.eclass: add IUSE="strip", install generated keys

- Let the kernel build system handle stripping of the modules.
This is necessary for successfully signing and compressing modules.
Inspired by linux-mod-r1.eclass.

- If the build system has generated keys or certificates, install them.
This is required to successfully sign external kernel modules.

Closes: https://bugs.gentoo.org/814344
Closes: https://bugs.gentoo.org/881651
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>

eclass/kernel-build.eclass | 26 +++++++++++++++++++++++---
1 file changed, 23 insertions(+), 3 deletions(-)

Additionally, it has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bcd3103426971497f634ddf12d535b3010e9138b

commit bcd3103426971497f634ddf12d535b3010e9138b
Author: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
AuthorDate: 2023-06-15 19:10:02 +0000
Commit: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
CommitDate: 2023-06-20 18:57:34 +0000

kernel-build.eclass: add IUSE="modules-sign"

- Enable module signing configure options if requested by the user.

- Define the user variables MODULES_SIGN_HASH and MODULES_SIGN_KEY.
For controlling the used hashing algorithm and allowing the use of
external keys. These variables are the same as in linux-mod-r1.eclass

- Warn the user if we are letting the kernel build system generate the signing
key. This key will end up binary packages. Plus external modules will have to
be resigned if gentoo-kernel is re-emerged (i.e. a new key was generated).

Bug: https://bugs.gentoo.org/814344
Bug: https://bugs.gentoo.org/881651
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>

eclass/kernel-build.eclass | 90 +++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 89 insertions(+), 1 deletion(-)