mirror of
https://gitlab.alpinelinux.org/alpine/aports.git
synced 2026-05-05 12:26:52 +02:00
main/abuild: add support for kernel signing key generation
ref https://gitlab.alpinelinux.org/alpine/aports/-/issues/14873
This commit is contained in:
Natanael Copa
parent
a57bf8f0e4
commit
e2dd40a3cd
@ -0,0 +1,166 @@
|
||||
From f2978eb33fcf961412169cbca757d42386899955 Mon Sep 17 00:00:00 2001
|
||||
From: Natanael Copa <ncopa@alpinelinux.org>
|
||||
Date: Fri, 5 May 2023 12:03:01 +0200
|
||||
Subject: [PATCH] abuild-keygen: add support for creating kernel signing key
|
||||
|
||||
We need to have a key that can be used to sign kernel modules and
|
||||
specifically 3rd party kernel modules. Add support for creating this key
|
||||
in abuild-keygen.
|
||||
|
||||
ref: https://gitlab.alpinelinux.org/alpine/aports/-/issues/14873
|
||||
---
|
||||
abuild-keygen.in | 44 +++++++++++++++++++++++++++++++++++++++-
|
||||
tests/abuild_keygen_test | 14 ++++++++++++-
|
||||
tests/bin/openssl | 17 +++++++++++++++-
|
||||
3 files changed, 72 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/abuild-keygen.in b/abuild-keygen.in
|
||||
index d9ac0bc..1d1c775 100644
|
||||
--- a/abuild-keygen.in
|
||||
+++ b/abuild-keygen.in
|
||||
@@ -90,6 +90,41 @@ do_keygen() {
|
||||
msg ""
|
||||
}
|
||||
|
||||
+do_kernel_key() {
|
||||
+ mkdir -p "$ABUILD_USERDIR"
|
||||
+ pem="$ABUILD_USERDIR"/kernel_signing_key.pem
|
||||
+ (
|
||||
+ umask 0007
|
||||
+ # https://www.kernel.org/doc/html/v6.1/admin-guide/module-signing.html#generating-signing-keys
|
||||
+ openssl req -verbose -new -nodes -utf8 -sha256 -days 36500 -batch -x509 \
|
||||
+ -outform PEM -out "$pem" \
|
||||
+ -keyout "$pem" -config - <<-EOF
|
||||
+ [ req ]
|
||||
+ default_bits = 4096
|
||||
+ distinguished_name = req_distinguished_name
|
||||
+ prompt = no
|
||||
+ string_mask = utf8only
|
||||
+ x509_extensions = myexts
|
||||
+
|
||||
+ [ req_distinguished_name ]
|
||||
+ O = alpinelinux.org
|
||||
+ CN = Alpine Linux kernel key
|
||||
+ #emailAddress = unspecified.user@unspecified.company
|
||||
+
|
||||
+ [ myexts ]
|
||||
+ basicConstraints=critical,CA:FALSE
|
||||
+ keyUsage=digitalSignature
|
||||
+ subjectKeyIdentifier=hash
|
||||
+ authorityKeyIdentifier=keyid
|
||||
+ EOF
|
||||
+ )
|
||||
+ msg "Kernel signing key was created: $pem"
|
||||
+ if ! grep -q "^KERNEL_SIGNING_KEY=" "$ABUILD_USERCONF" 2>/dev/null; then
|
||||
+ echo "KERNEL_SIGNING_KEY='$pem'" >> "$ABUILD_USERCONF"
|
||||
+ fi
|
||||
+ msg "KERNEL_SIGNING_KEY='$pem' was added to $ABUILD_USERCONF"
|
||||
+}
|
||||
+
|
||||
usage() {
|
||||
cat <<-__EOF__
|
||||
$program $program_version - generate signing keys
|
||||
@@ -100,6 +135,7 @@ usage() {
|
||||
|
||||
-i, --install Install public key into /etc/apk/keys using doas
|
||||
-n Non-interactive. Use defaults
|
||||
+ --kernel Generate a key for kernel modules
|
||||
-b, --numbits [BITS] The size of the private key to generate in bits.
|
||||
-q, --quiet
|
||||
-h, --help Show this help
|
||||
@@ -116,8 +152,9 @@ install_pubkey=
|
||||
interactive=1
|
||||
numbits=4096
|
||||
quiet=
|
||||
+kernel_key=
|
||||
|
||||
-args=$(getopt -o ab:inqh --long append,numbits:,install,quiet,help -n "$program" -- "$@")
|
||||
+args=$(getopt -o ab:inqh --long append,numbits:,install,quiet,help,kernel -n "$program" -- "$@")
|
||||
if [ $? -ne 0 ]; then
|
||||
usage
|
||||
exit 2
|
||||
@@ -127,6 +164,7 @@ while true; do
|
||||
case $1 in
|
||||
-a|--append) append_config=1;;
|
||||
-i|--install) install_pubkey=1;;
|
||||
+ --kernel) kernel_key=1;;
|
||||
-n) unset interactive ;;
|
||||
-b|--numbits) numbits="$2"; shift 1;;
|
||||
-q|--quiet) quiet=1;; # suppresses msg
|
||||
@@ -141,4 +179,8 @@ if [ $# -ne 0 ]; then
|
||||
exit 2
|
||||
fi
|
||||
|
||||
+if [ -n "$kernel_key" ]; then
|
||||
+ do_kernel_key
|
||||
+ exit
|
||||
+fi
|
||||
do_keygen
|
||||
diff --git a/tests/abuild_keygen_test b/tests/abuild_keygen_test
|
||||
index 09026a5..be266fb 100755
|
||||
--- a/tests/abuild_keygen_test
|
||||
+++ b/tests/abuild_keygen_test
|
||||
@@ -11,7 +11,8 @@ init_tests \
|
||||
abuild_keygen_install_without_sudo \
|
||||
abuild_keygen_install_interactive \
|
||||
abuild_keygen_install_non_interactive \
|
||||
- abuild_keygen_install_doas
|
||||
+ abuild_keygen_install_doas \
|
||||
+ abuild_keygen_kernel \
|
||||
|
||||
export ABUILD_SHAREDIR="$SRCDIR"/..
|
||||
export GIT=false
|
||||
@@ -103,3 +104,14 @@ abuild_keygen_install_doas_body() {
|
||||
abuild-keygen --install -n
|
||||
}
|
||||
|
||||
+abuild_keygen_kernel_body() {
|
||||
+ atf_check -s exit:0 \
|
||||
+ -e match:"(Generating|writing) RSA" \
|
||||
+ -e match:"signing key was created:.*kernel_signing_key.pem" \
|
||||
+ -e match:"KERNEL_SIGNING_KEY=.*was added to.*abuild.conf" \
|
||||
+ abuild-keygen --kernel
|
||||
+ grep '^KERNEL_SIGNING_KEY=.*' "$HOME"/.abuild/abuild.conf \
|
||||
+ || atf_fail 'KERNEL_SIGNING_KEY not set in abuild.conf'
|
||||
+ test -f "$HOME"/.abuild/kernel_signing_key.pem \
|
||||
+ || atf_fail '$HOME/.abuild/kernel_signing_key.pem was not created'
|
||||
+}
|
||||
diff --git a/tests/bin/openssl b/tests/bin/openssl
|
||||
index 231bad4..e0b4049 100755
|
||||
--- a/tests/bin/openssl
|
||||
+++ b/tests/bin/openssl
|
||||
@@ -3,9 +3,13 @@
|
||||
# fake openssl
|
||||
while [ $# -gt 0 ]; do
|
||||
case "$1" in
|
||||
- genrsa|rsa)
|
||||
+ genrsa|rsa|req)
|
||||
cmd="$1"
|
||||
;;
|
||||
+ -config)
|
||||
+ shift
|
||||
+ config="$1"
|
||||
+ ;;
|
||||
-out)
|
||||
shift
|
||||
outfile="$1"
|
||||
@@ -25,5 +29,16 @@ case "$cmd" in
|
||||
echo "writing RSA key" >&2
|
||||
cat "$FAKEKEYPUB" > "$outfile"
|
||||
;;
|
||||
+ req)
|
||||
+ echo "Using configuration from $config" >&2
|
||||
+ echo "Generating RSA key with 4096 bits" >&2
|
||||
+ echo "Writing private key to '$outfile'" >&2
|
||||
+ cat "$FAKEKEY" "$FAKEKEYPUB" > "$outfile"
|
||||
+ ;;
|
||||
+ *)
|
||||
+ echo "unimplemented fake openssl command: $cmd" >&2
|
||||
+ exit 1
|
||||
+ ;;
|
||||
+
|
||||
esac
|
||||
|
||||
--
|
||||
2.40.1
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
pkgname=abuild
|
||||
pkgver=3.11.0_rc13
|
||||
_ver=${pkgver%_git*}
|
||||
pkgrel=0
|
||||
pkgrel=1
|
||||
pkgdesc="Script to build Alpine Packages"
|
||||
url="https://git.alpinelinux.org/cgit/abuild/"
|
||||
arch="all"
|
||||
@ -28,6 +28,7 @@ options="suid"
|
||||
pkggroups="abuild"
|
||||
source="https://gitlab.alpinelinux.org/alpine/abuild/-/archive/$pkgver/abuild-$pkgver.tar.gz
|
||||
0001-functions-set-sharedir-properly.patch
|
||||
0001-abuild-keygen-add-support-for-creating-kernel-signin.patch
|
||||
"
|
||||
builddir="$srcdir"/abuild-$pkgver
|
||||
|
||||
@ -92,4 +93,5 @@ _rootbld() {
|
||||
sha512sums="
|
||||
a097e21aa79035b75386f644aa9b43200a7e4d5e8f48227230b4d7bd2d4c97b2eb38915890163cef59100623f6bb117a6e1550557cf2a7edbf16e9f40c95ed2c abuild-3.11.0_rc13.tar.gz
|
||||
5c6b5564d41dd450a508ecda54c8582de96e7c0bc812ff64809928ba3cf98cfdb180acc9a97d18c32d7948d473064821eec8a625caeb781c391462aab4660045 0001-functions-set-sharedir-properly.patch
|
||||
105bcc0343639067ce661413ae983fec494012697c6c59918c95a4e638d9a62b57037a1ccfbff66730509a947be82e4eacac9572a2a1eed413aab123284f6483 0001-abuild-keygen-add-support-for-creating-kernel-signin.patch
|
||||
"
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user