Bug 935733 - sys-apps/portage: FEATURES=pid-sandbox interferes with dev-libs/openssl passphrase prompt (USE=secureboot, USE=modules-sign)
Summary: sys-apps/portage: FEATURES=pid-sandbox interferes with dev-libs/openssl passp...
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Eclasses
Hardware: AMD64 Linux
Importance: Normal normal
Assignee: Nowa Ammerlaan
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-07-08 06:25 UTC by seizure1990
Modified: 2025-02-28 21:52 UTC
CC: 12 users

See Also:
Package list:
Runtime testing required: ---


Attachments
rEFInd build log (refind_build.log,38.41 KB, text/x-log)
2024-07-08 06:25 UTC, seizure1990
Description seizure1990 2024-07-08 06:25:28 UTC
Created attachment 897315 [details]
rEFInd build log

When emerging rEFInd with the "secureboot" flag, the build does not properly handle the user prompt to enter their PEM passphrase. This occurs with both versions in the repository. There are two issues of note here:

1. If the "--quiet-build" option is used in the emerge command, then the user passphrase prompt is never shown, although it does seem to wait for input. This is obviously confusing, and the user prompt should be forced to show, even if the "--quiet-build" option is used.
2. When the user is prompted for their passphrase, the input field is broken/mishandled. It shows the user's input in plain text, rather than the expected behavior of what should be a sensitive input field; and pressing the "Enter" key also fails to complete the input. It just adds new lines, and there is no way to complete this step.

As a result of the second issue, it is impossible to proceed past the PEM passphrase input step, and the build process hangs. The only way to return the terminal to a usable state is to manually terminate the process, e.g. with ctrl+c.

Portage 3.0.63 (python 3.12.3-final-0, default/linux/amd64/23.0/desktop/plasma, gcc-13, glibc-2.39-r6, 6.9.7-gentoo-dist x86_64)
=================================================================
                         System Settings
=================================================================
System uname: Linux-6.9.7-gentoo-dist-x86_64-AMD_Ryzen_7_7840HS_w-_Radeon_780M_Graphics-with-glibc2.39
KiB Mem:    32143848 total,  25765480 free
KiB Swap:          0 total,         0 free
Timestamp of repository gentoo: Sat, 06 Jul 2024 08:00:00 +0000
Head commit of repository gentoo: a70c423efda550137d70ffe367697931b3952b96
sh bash 5.2_p26-r6
ld GNU ld (Gentoo 2.42 p3) 2.42.0
app-misc/pax-utils:        1.3.7::gentoo
app-shells/bash:           5.2_p26-r6::gentoo
dev-build/autoconf:        2.13-r8::gentoo, 2.71-r7::gentoo
dev-build/automake:        1.16.5-r2::gentoo
dev-build/cmake:           3.28.5::gentoo
dev-build/libtool:         2.4.7-r4::gentoo
dev-build/make:            4.4.1-r1::gentoo
dev-build/meson:           1.4.1::gentoo
dev-lang/perl:             5.38.2-r3::gentoo
dev-lang/python:           3.11.9-r1::gentoo, 3.12.3-r1::gentoo
dev-lang/rust-bin:         1.77.1::gentoo
sys-apps/baselayout:       2.15::gentoo
sys-apps/openrc:           0.54.2::gentoo
sys-apps/sandbox:          2.38::gentoo
sys-devel/binutils:        2.42-r1::gentoo
sys-devel/binutils-config: 5.5::gentoo
sys-devel/clang:           17.0.6::gentoo
sys-devel/gcc:             13.2.1_p20240210::gentoo
sys-devel/gcc-config:      2.11::gentoo
sys-devel/lld:             17.0.6::gentoo
sys-devel/llvm:            17.0.6::gentoo
sys-kernel/linux-headers:  6.6-r1::gentoo (virtual/os-headers)
sys-libs/glibc:            2.39-r6::gentoo
Repositories:

gentoo
    location: /var/db/repos/gentoo
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000
    volatile: False
    sync-rsync-verify-jobs: 1
    sync-rsync-verify-max-age: 3
    sync-rsync-verify-metamanifest: yes
    sync-rsync-extra-opts: 

Binary Repositories:

gentoobinhost
    priority: 1
    sync-uri: https://distfiles.gentoo.org/releases/amd64/binpackages/23.0/x86-64

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/var/cache/distfiles"
ENV_UNSET="CARGO_HOME DBUS_SESSION_BUS_ADDRESS DISPLAY GDK_PIXBUF_MODULE_FILE GOBIN GOPATH PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR XDG_STATE_HOME"
FCFLAGS="-march=native -O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs binpkg-multi-instance buildpkg-live config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync merge-wait multilib-strict network-sandbox news parallel-fetch pid-sandbox pkgdir-index-trusted preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-march=native -O2 -pipe"
GENTOO_MIRRORS="https://gentoo.osuosl.org/     http://gentoo.osuosl.org/     https://mirrors.rit.edu/gentoo/     http://mirrors.rit.edu/gentoo/     ftp://mirrors.rit.edu/gentoo/     rsync://mirrors.rit.edu/gentoo/"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,-z,pack-relative-relocs"
LEX="flex"
PKGDIR="/var/cache/binpkgs"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
RUSTFLAGS="-C target-cpu=native -C opt-level=3"
SHELL="/bin/zsh"
USE="X a52 aac acl acpi activities alsa amd64 bluetooth branding bzip2 cairo cdda cdr cet crypt cups dbus declarative dist-kernel dri dts dvd dvdr elogind encode exif flac gdbm gif gpm gui iconv icu ipv6 jpeg kde kf6compat kwallet lcms libnotify libtirpc mad mng modules-sign mp3 mp4 mpeg multilib ncurses networkmanager nls ogg opengl openmp pam pango pcre pdf pipewire plasma png policykit ppds pulseaudio qml qt5 readline screencast sdl seccomp secureboot semantic-desktop sound spell ssl startup-notification svg test-rust tiff truetype udev udisks unicode upower usb vorbis vulkan wayland widgets wxwidgets x264 xattr xcb xft xml xv xvid zlib │" ABI_X86="64" ADA_TARGET="gcc_12" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_anon authn_dbm authn_file authz_dbm authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir env expires ext_filter file_cache filter headers include info log_config logio mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx mmxext sse sse2 aes avx avx2 avx512_bf16 avx512_bitalg avx512_vbmi2 avx512_vnni avx512_vpopcntdq avx512bw avx512cd avx512dq avx512f avx512ifma avx512vbmi avx512vl f16c fma3 pclmul popcnt rdrand sha sse3 sse4_1 sse4_2 sse4a ssse3 vpclmulqdq" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 ntrip navcom oceanserver oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 tsip tripmate tnt ublox" GRUB_PLATFORMS="efi-64" INPUT_DEVICES="libinput" KERNEL="linux" LCD_DEVICES="bayrad cfontz glk hd44780 lb216 lcdm001 mtxorb text" LUA_SINGLE_TARGET="lua5-1" LUA_TARGETS="lua5-1" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php8-2" POSTGRES_TARGETS="postgres15" PYTHON_SINGLE_TARGET="python3_12" 
PYTHON_TARGETS="python3_12" RUBY_TARGETS="ruby31 ruby32" VIDEO_CARDS="amdgpu fbdev intel nouveau radeon radeonsi vesa dummy" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipp2p iface geoip fuzzy condition tarpit sysrq proto logmark ipmark dhcpmac delude chaos account"
Unset:  ADDR2LINE, AR, ARFLAGS, AS, ASFLAGS, CC, CCLD, CONFIG_SHELL, CPP, CPPFLAGS, CTARGET, CXX, CXXFILT, ELFEDIT, EMERGE_DEFAULT_OPTS, EXTRA_ECONF, F77FLAGS, FC, GCOV, GPROF, INSTALL_MASK, LC_ALL, LD, LFLAGS, LIBTOOL, LINGUAS, MAKE, MAKEFLAGS, MAKEOPTS, NM, OBJCOPY, OBJDUMP, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PYTHONPATH, RANLIB, READELF, SIZE, STRINGS, STRIP, YACC, YFLAGS
Comment 1 Mike Gilbert gentoo-dev 2024-07-10 18:45:05 UTC
I suspect secureboot.eclass is not really meant to be used with password-protected keys.
Comment 2 Nowa Ammerlaan gentoo-dev 2024-07-10 20:17:14 UTC
The problem is openssl/sbsign not playing nicely with the sandbox. Not really something we can fix in the eclass, though there are two workarounds:
- Pass the passkey in the SECUREBOOT_SIGN_KEY variable via pkcs11 Uri (not very secure)
- Disable the pid-sandbox (if I remember correctly that is the one that causes the problem). I.e. set FEATURES="-pid-sandbox" in make.conf (more secure)

Please let me know if that does indeed resolve your problem, then I'll document the workaround somewhere on the wiki. 

As a side note, AFAIK you'll run into the exact same problem when trying to sign the kernels modules (USE=modules-sign) with a key protected by a passphrase.

My personal opinion is that keys with passphrases are very impractical for use in this kind of automation anyway. A better alternative could be to use, for example, a key without passphrase protected via the TPM instead, which you could then access via pkcs11 Uri in SECUREBOOT_SIGN_KEY. I have never tried this myself though because I don't have a working TPM. Another relatively secure way would be to have the key on some removable token.
Comment 3 Nowa Ammerlaan gentoo-dev 2024-07-10 20:22:43 UTC
With regards to --quiet. That is Bug 288202 (i.e. PROPERTIES=interactive is a blunt instrument that forces the entire emerge session to be --jobs=1 so we do not use it here)
Comment 4 seizure1990 2024-07-11 01:06:53 UTC
I applied FEATURES="-pid-sandbox" to my make.conf as you suggested, and that indeed resulted in the password-prompt field working properly. The build was successful.

Regarding there being better solutions to achieving this kind of security which don't involve manually entering a password, I would very much be happy to go that route, but this is admittedly an arena I am very new in, and have simply been following guides to try and achieve a working secure boot environment. I'll look into what you suggested and see if I can get some support on that, since I'm a bit lost in understanding how to follow through with your suggestions there.

Thanks!
Comment 5 Nowa Ammerlaan gentoo-dev 2024-07-11 07:44:28 UTC
CC'ing portage and openssl maintainers. Does anyone know of a better solution/workaround for this problem?
Comment 6 Mike Gilbert gentoo-dev 2024-07-11 15:44:30 UTC
I know pid-sandbox messes with the controlling terminal, which might cause an issue here.

Does the behavior improve if you set PROPERTIES="interactive" in the ebuild? I ask because there is some code that redirects stdin to /dev/null when this is not set.

https://gitweb.gentoo.org/proj/portage.git/tree/lib/_emerge/AbstractEbuildProcess.py?h=portage-3.0.65#n140
Comment 7 Mike Gilbert gentoo-dev 2024-07-11 20:47:20 UTC
Running sbsign under strace reveals that it reads the password by opening/reading /dev/tty. In other words, it reads from the controlling terminal.

In Portage's pid-ns-init helper, we call setsid(2) to establish a new session. As a side effect, this detaches it from the controlling terminal.

The process later calls ioctl(stdout, TIOCSCTTY, 0) to reestablish a controlling terminal. stdout is a separate pty device that Portage sets up in _emerge.SpawnProcess.

Reading through tty_ioctl(2), it isn't possible for 2 sessions to share the same controlling terminal.

Perhaps we could build some logic into Portage to forward input from the original terminal device to the SpawnProcess pty?
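To make the mechanism described in comment 7 concrete, here is an added Python demonstration (not code from Portage or from anyone on this bug): a child calls setsid(2) as pid-ns-init does, so open("/dev/tty") fails with ENXIO because the new session has no controlling terminal; after ioctl(TIOCSCTTY) on a freshly created pty, /dev/tty resolves to that pty, so anything a tool like sbsign writes to /dev/tty lands on the pty master rather than on the user's original terminal, which belongs to a different session. The function names and the marker byte are this example's own.

```python
import fcntl
import os
import select
import termios


def _probe_dev_tty():
    """Child side: open /dev/tty and write one marker byte. Returns "ok"
    or "fail:<errno>" (ENXIO when the session has no controlling tty)."""
    try:
        fd = os.open("/dev/tty", os.O_RDWR)
    except OSError as e:
        return f"fail:{e.errno}"
    os.write(fd, b"X")
    os.close(fd)
    return "ok"


def run_in_new_session(acquire_pty):
    """Fork a child, call setsid() in it (what pid-ns-init does) and, if
    acquire_pty is set, make a brand-new pty slave its controlling terminal
    via ioctl(TIOCSCTTY) (what the sandboxed build then does).
    Returns (status, marker_seen_on_pty): the child's _probe_dev_tty() result
    and whether the byte it wrote to /dev/tty surfaced on the pty master."""
    master, slave = os.openpty()
    rd, wr = os.pipe()
    pid = os.fork()
    if pid == 0:
        os.close(rd)
        os.close(master)
        os.setsid()  # new session: detached from the controlling terminal
        if acquire_pty:
            fcntl.ioctl(slave, termios.TIOCSCTTY, 0)  # adopt the pty instead
        os.write(wr, _probe_dev_tty().encode())
        os._exit(0)
    os.close(wr)
    status = os.read(rd, 64).decode()
    os.close(rd)
    os.waitpid(pid, 0)
    # The parent still holds the slave open, so the child's output to the
    # pty is buffered on the master and can be collected here.
    ready, _, _ = select.select([master], [], [], 2.0)
    marker_seen = bool(ready) and os.read(master, 1) == b"X"
    os.close(master)
    os.close(slave)
    return status, marker_seen


if __name__ == "__main__":
    print("setsid only       :", run_in_new_session(False))
    print("setsid + TIOCSCTTY:", run_in_new_session(True))
```

The first call reports a failed open and no marker; the second reports "ok" with the marker arriving on the pty master, which is the side the build's parent process holds, not the terminal the user is typing into.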
Comment 8 Zac Medico gentoo-dev 2024-07-11 23:31:05 UTC
(In reply to Mike Gilbert from comment #7)
> Perhaps we could build some logic into Portage to forward input from the
> original terminal device to the SpawnProcess pty?

Yeah, that sounds reasonable, but we can only do that for one job at a time, so we also need to implement bug 288202.
Comment 9 linuxnormaluser 2024-10-31 17:17:42 UTC
sys-boot/grub with the secureboot flag is also affected. grub is unable to sign its packages because openssl is called inside secureboot.eclass when the user uses SECUREBOOT_SIGN_KEY as an encrypted private key. The input field is broken as the author of the topic wrote.
Comment 10 linuxnormaluser 2024-11-01 13:30:03 UTC
One more note. When installing sys-kernel/gentoo-kernel, installkernel is called. sys-kernel/installkernel with the dracut and uki flags and uefi_secureboot options inside dracut.conf builds a signed UKI. There is the same scenario with entering the password, but this problem does not occur there.

Why is there no problem in this case? After all, sys-kernel/gentoo-kernel is probably also run with the pid-ns-init mod, right?

I don't know the technical details, but maybe it will help in some way and it can be implemented as in the case of sys-kernel/gentoo-kernel?
Comment 11 Nowa Ammerlaan gentoo-dev 2024-11-01 15:06:42 UTC
(In reply to linuxnormaluser from comment #10)
> One more note. When installing sys-kernel/gentoo-kernel, installkernel is
> called. sys-kernel/installkernel with the dracut and uki flags and
> uefi_secureboot options inside dracut.conf builds a signed UKI. There is
> the same scenario with entering the password, but this problem does not
> occur there.
> 
> Why is there no problem in this case? After all, sys-kernel/gentoo-kernel is
> probably also run with the pid-ns-init mod, right?

Because installkernel is called in the pkg_postinst phase (whereas secureboot signing and module signing occur in the src_install phase). The pkg_* phases run with more privileges compared to the src_* phases.

Unfortunately it is not an option to move the signing to a pkg_* phase because we want the signed files to be part of the binpkgs.