Bug 447352 - linux-mod.eclass: add support for module signing
Summary: linux-mod.eclass: add support for module signing
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Eclasses
Hardware: AMD64 Linux
Importance: Normal enhancement with 3 votes
Assignee: Gentoo Kernel Bug Wranglers and Kernel Maintainers
URL:
Whiteboard: http://www.gossamer-threads.com/lists...
Keywords: NeedPatch
Duplicates: 447356 592170 599708 640216
Depends on:
Blocks:
 
Reported: 2012-12-15 13:21 UTC by Stefan Trenker
Modified: 2018-12-05 05:54 UTC
CC List: 15 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Stefan Trenker 2012-12-15 13:21:06 UTC
app-laptop/tp_smapi-0.41 modules fail to load on 3.7 kernel with CONFIG_MODULE_CONFIG_MODULE_SIG_FORCE=y set.

gucky ~ # modprobe tp_smapi 
FATAL: Error inserting tp_smapi (/lib/modules/3.7.0-gentoo/extra/tp_smapi.ko): Required key not available
Comment 1 Stefan Trenker 2012-12-15 13:23:44 UTC
Apologies for the messed up Description.

I meant:


CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
Comment 2 Pacho Ramos gentoo-dev 2012-12-31 19:02:53 UTC
@kernel team, I guess all external modules will need to check for that kernel option being disabled, or is there a way to sign them?
Comment 3 Pacho Ramos gentoo-dev 2013-03-02 19:24:19 UTC
(In reply to comment #2)
> @kernel team, I guess all external modules will need to check for that
> kernel option being disabled, or is there a way to sign them?

kernel team, ping!
Comment 4 Markos Chandras (RETIRED) gentoo-dev 2013-03-12 17:54:05 UTC
(In reply to comment #3)
> (In reply to comment #2)
> > @kernel team, I guess all external modules will need to check for that
> > kernel option being disabled, or is there a way to sign them?
> 
> kernel team, ping!

This does not block 458736. It is a separate problem.
Comment 5 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2013-06-08 12:06:12 UTC
(In reply to Pacho Ramos from comment #2)
> @kernel team, I guess all external modules will need to check for that
> kernel option being disabled, or is there a way to sign them?

http://www.linuxjournal.com/article/7130

We can't sign them, I think, unless Gentoo is to be the authority that blesses them. If we would go for such practice, how would we determine when we can appropriately sign something and make the kernel check against us? I'm not sure which authority is actually in charge in this case, but I do expect that any signing would have to come from upstream.

Under the assumption that no signature is available and upstream might not be willing to do this, it would indeed have to check that the relevant kernel options are unset to allow the unsigned module to be installed and used.
Comment 6 Andrew Savchenko gentoo-dev 2013-07-09 00:12:00 UTC
What about asking the user or adding some ACCEPT_MODULES_TO_BE_LICENSED keyword?

I usually have a few to zero external modules, so I sign them manually after each installation. Of course this is annoying, but there is no better way ATM.
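An added example, not code from this bug or from any Gentoo eclass, of the check a maintainer would want before rebooting into a CONFIG_MODULE_SIG=y / CONFIG_MODULE_SIG_FORCE=y kernel: parse the trailer that the kernel's scripts/sign-file appends to a .ko and report which installed out-of-tree modules carry no signature at all. The layout follows the kernel's struct module_signature plus its magic string and handles both the 3.7-era format (signer name and key id present) and the later PKCS#7 form; the sample bytes are constructed, and the kernel's actual verification against its built-in keyring is not reproduced here.

```python
import struct

# Trailer that scripts/sign-file appends after the signature blob.
MODULE_SIG_STRING = b"~Module signature appended~\n"
# struct module_signature (include/linux/module_signature.h):
#   u8 algo, hash, id_type, signer_len, key_id_len, __pad[3]; __be32 sig_len
SIG_INFO = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2  # id_type written by sign-file since Linux 4.3


def parse_module_signature(data: bytes):
    """Return (module_bytes, info_dict) for a signed .ko image, or None when
    no trailer is present (the case a CONFIG_MODULE_SIG_FORCE kernel rejects
    with 'Required key not available'). Raises ValueError on a bad trailer."""
    if not data.endswith(MODULE_SIG_STRING):
        return None
    body = data[: -len(MODULE_SIG_STRING)]
    if len(body) < SIG_INFO.size:
        raise ValueError("module too short for module_signature struct")
    algo, hash_id, id_type, signer_len, key_id_len, sig_len = SIG_INFO.unpack(
        body[-SIG_INFO.size:])
    body = body[: -SIG_INFO.size]
    blob_len = signer_len + key_id_len + sig_len
    if blob_len > len(body):
        raise ValueError("signature lengths exceed module size")
    module, blob = body[: len(body) - blob_len], body[len(body) - blob_len:]
    info = {
        "id_type": id_type, "pkcs7": id_type == PKEY_ID_PKCS7,
        "algo": algo, "hash": hash_id,
        "signer": blob[:signer_len],                        # 3.7-era format only
        "key_id": blob[signer_len:signer_len + key_id_len],  # 3.7-era format only
        "signature": blob[signer_len + key_id_len:],
    }
    return module, info


def module_file_is_signed(path: str) -> bool:
    """Check an installed .ko, e.g. one under /lib/modules/*/extra/."""
    with open(path, "rb") as fh:
        return parse_module_signature(fh.read()) is not None


# Constructed sample data for the example: a stand-in module image and a
# dummy blob where scripts/sign-file would place the DER PKCS#7 signature.
FAKE_MODULE = b"\x7fELF" + b"\x00" * 60
FAKE_PKCS7 = b"\x30\x82\x01\x00" + b"\xaa" * 16
SIGNED_SAMPLE = (FAKE_MODULE + FAKE_PKCS7
                 + SIG_INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(FAKE_PKCS7))
                 + MODULE_SIG_STRING)
UNSIGNED_SAMPLE = FAKE_MODULE
```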
Comment 7 Andrew Savchenko gentoo-dev 2013-07-09 00:16:22 UTC
There is a good patch to start with here:
http://www.gossamer-threads.com/lists/gentoo/dev/269169
Comment 8 jannis 2013-07-09 05:28:40 UTC
Could you please modify the title to not include "app-laptop/tp_smapi-0.41"? This is a general issue for all externally compiled kernel modules.
Comment 9 Maxim Kammerer 2013-08-20 23:50:13 UTC
Note that the kernel build system ignores MODSECKEY / MODPUBKEY when building kernel/modsign_certificate.o, which contains the bundled verification certificate(s).

See kernel/Makefile:
  kernel/modsign_certificate.o: signing_key.x509 extra_certificates
  signing_key.priv signing_key.x509: x509.genkey
  x509.genkey:

I have to do the following in order to use custom out-of-tree certificates:

if [ ! -e "${mainobj}/signing_key.x509" ]; then
    # Point the kernel build at the out-of-tree key pair instead of letting
    # the Makefile generate its own signing_key.priv / signing_key.x509
    ln -s "${sb_kmod}.der" "${mainobj}/signing_key.x509"
    ln -s "${sb_kmod}.priv" "${mainobj}/signing_key.priv" 2>/dev/null || \
        ln -s "${sb_kmod}.key" "${mainobj}/signing_key.priv"
    # Pre-date x509.genkey so make does not consider the keys out of date
    touch -d 1970-01-01 "${mainobj}/x509.genkey"
    # Empty extra_certificates so no additional certificates get bundled
    truncate -s 0 "${mainobj}/extra_certificates"
fi

(mainobj=kernel build dir, sb_kmod=out-of-tree cert prefix)

Note also that the following commit is probably necessary for using custom certificates in pre-3.10 kernels:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=04b00bdb41d0fd8d9cf3b146e334369cc2b0acdc
Comment 10 Ben Kohler gentoo-dev 2013-10-03 19:49:27 UTC
*** Bug 447356 has been marked as a duplicate of this bug. ***
Comment 11 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2014-04-04 12:51:18 UTC
(In reply to Andrew Savchenko from comment #7)
> http://www.gossamer-threads.com/lists/gentoo/dev/269169

Has a revised version been posted since? CC'ing r3pek for comment.
Comment 12 Carlos Silva 2014-04-05 00:54:16 UTC
(In reply to Tom Wijsman (TomWij) from comment #11)
> (In reply to Andrew Savchenko from comment #7)
> > http://www.gossamer-threads.com/lists/gentoo/dev/269169
> 
> Has a revised version been posted since? CC'ing r3pek for comment.

No Tom, I did not work further on the patch.
Comment 13 Alex Xu (Hello71) 2016-08-31 02:01:03 UTC
*** Bug 592170 has been marked as a duplicate of this bug. ***
Comment 14 Mikhail Kurinnoi 2017-01-04 11:22:45 UTC
*** Bug 599708 has been marked as a duplicate of this bug. ***
Comment 15 Romain Perier 2018-04-20 06:33:13 UTC
Same as bug https://bugs.gentoo.org/show_bug.cgi?id=640216 ?  (see the patch)
Comment 16 Georgy Yakovlev gentoo-dev 2018-04-20 08:16:39 UTC
yup, working on it here:
https://archives.gentoo.org/gentoo-dev/message/4b15b1c851f379a1f802e2f2895cdfa8

hopefully it'll get approved sooner or later.
have been using it for a while now, it even works with forced signatures just fine.
Comment 17 Jeroen Roovers gentoo-dev 2018-04-20 12:51:51 UTC
*** Bug 640216 has been marked as a duplicate of this bug. ***