Merge pull request #952 from marineam/secure

Enable kernel module signing
2025-08-20 14:01:36 +02:00 · 2014-11-07 08:28:08 -08:00 · 2014-11-07 08:28:08 -08:00 · 057f2ace49
commit 057f2ace49
parent 4b0875fe1b 9621f09547
7 changed files with 47 additions and 7527 deletions
--- a/sdk_container/src/third_party/coreos-overlay/eclass/cros-kernel2.eclass
+++ b/sdk_container/src/third_party/coreos-overlay/eclass/cros-kernel2.eclass
@ -15,7 +15,7 @@ DEPEND="sys-apps/debianutils
 "

 IUSE="-source symlink-usr"
-RESTRICT="binchecks"
+RESTRICT="binchecks strip"
 STRIP_MASK="/usr/lib/debug/lib/modules/*/vmlinux"

 # Build out-of-tree and incremental by default, but allow an ebuild inheriting
@ -146,6 +146,15 @@ kmake() {
 		"$@"
 }

+# Discard the module signing key, we use new keys for each build.
+shred_keys() {
+	local build_dir="$(cros-workon_get_build_dir)"
+	if [[ -e "${build_dir}"/signing_key.priv ]]; then
+		shred -u "${build_dir}"/signing_key.* || die
+		rm -f "${build_dir}"/x509.genkey || die
+	fi
+}
+
 cros-kernel2_src_unpack() {
 	local srclocal="${CROS_WORKON_LOCALDIR[0]}/${CROS_WORKON_LOCALNAME[0]}"
 	local srcpath="${CROS_WORKON_SRCROOT}/${srclocal}"
@ -165,6 +174,9 @@ cros-kernel2_src_unpack() {
 	# onto the kernel image itself.
 	cp "${ROOT}"/usr/share/bootengine/bootengine.cpio \
 		"$(cros-workon_get_build_dir)" || die "copy of dracut cpio failed."
+
+	# make sure no keys are cached from a previous build
+	shred_keys
 }

 cros-kernel2_src_configure() {
@ -199,7 +211,11 @@ cros-kernel2_src_install() {
 	kmake INSTALL_PATH="${D}/usr/boot" install
 	# Install firmware to a temporary (bogus) location.
 	# The linux-firmware package will be used instead.
-	kmake INSTALL_MOD_PATH="${D}" INSTALL_FW_PATH="${T}/fw" modules_install
+	# Stripping must be done here, not portage, to preserve sigs.
+	kmake INSTALL_MOD_PATH="${D}" \
+		  INSTALL_MOD_STRIP="--strip-unneeded" \
+		  INSTALL_FW_PATH="${T}/fw" \
+		  modules_install

 	local version=$(kernelversion)
 	dosym "vmlinuz-${version}" /usr/boot/vmlinuz
@ -209,8 +225,10 @@ cros-kernel2_src_install() {
 	fi

 	# Install uncompressed kernel for debugging purposes.
-	insinto /usr/lib/debug/lib/modules/${version}/
-	doins "$(cros-workon_get_build_dir)/vmlinux"
+	# XXX: we haven't been using this, also we are not keeping module symbols
+	# right now. Revisit both of these if we need to beef up debugging tools.
+	#insinto /usr/lib/debug/lib/modules/${version}/
+	#doins "$(cros-workon_get_build_dir)/vmlinux"

 	if use source; then
 		install_kernel_sources
@ -218,6 +236,8 @@ cros-kernel2_src_install() {
 		# Remove invalid symlinks when source isn't installed
 		rm -f "${D}/lib/modules/${version}/"{build,source}
 	fi
+
+	shred_keys
 }

 EXPORT_FUNCTIONS src_unpack src_configure src_compile src_install
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-3.15.8-r2.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-3.15.8-r2.ebuild
@ -1,17 +0,0 @@
-# Copyright 1999-2013 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-kernel/vanilla-sources/vanilla-sources-3.7.5.ebuild,v 1.1 2013/01/28 13:18:54 ago Exp $
-
-EAPI=5
-CROS_WORKON_COMMIT="edfabbd4dfaeb376ff6a6a58d5b23ae84b8b4167" # v3.15.8
-CROS_WORKON_REPO="git://github.com"
-CROS_WORKON_PROJECT="coreos/linux"
-CROS_WORKON_LOCALNAME="linux"
-inherit cros-workon cros-kernel2
-
-DESCRIPTION="CoreOS kernel"
-HOMEPAGE="http://www.kernel.org"
-SRC_URI=""
-
-KEYWORDS="amd64"
-IUSE=""
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-3.16.2-r8.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-3.16.2-r8.ebuild
@ -1,17 +0,0 @@
-# Copyright 1999-2013 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-kernel/vanilla-sources/vanilla-sources-3.7.5.ebuild,v 1.1 2013/01/28 13:18:54 ago Exp $
-
-EAPI=5
-CROS_WORKON_COMMIT="62de88e8e65811010deac5375f8f0d8b14dc4d94" # v3.16.2
-CROS_WORKON_REPO="git://github.com"
-CROS_WORKON_PROJECT="coreos/linux"
-CROS_WORKON_LOCALNAME="linux"
-inherit cros-workon cros-kernel2
-
-DESCRIPTION="CoreOS kernel"
-HOMEPAGE="http://www.kernel.org"
-SRC_URI=""
-
-KEYWORDS="amd64"
-IUSE=""
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-3.17.2-r2.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-3.17.2-r2.ebuild
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/x86_64_defconfig-3.15.8
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/x86_64_defconfig-3.15.8
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/x86_64_defconfig-3.16.2
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/x86_64_defconfig-3.16.2
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/x86_64_defconfig-3.17.2
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/x86_64_defconfig-3.17.2
@ -295,7 +295,15 @@ CONFIG_MODULE_UNLOAD=y
 # CONFIG_MODULE_FORCE_UNLOAD is not set
 # CONFIG_MODVERSIONS is not set
 # CONFIG_MODULE_SRCVERSION_ALL is not set
-# CONFIG_MODULE_SIG is not set
+CONFIG_MODULE_SIG=y
+# CONFIG_MODULE_SIG_FORCE is not set
+CONFIG_MODULE_SIG_ALL=y
+# CONFIG_MODULE_SIG_SHA1 is not set
+# CONFIG_MODULE_SIG_SHA224 is not set
+CONFIG_MODULE_SIG_SHA256=y
+# CONFIG_MODULE_SIG_SHA384 is not set
+# CONFIG_MODULE_SIG_SHA512 is not set
+CONFIG_MODULE_SIG_HASH="sha256"
 CONFIG_STOP_MACHINE=y
 CONFIG_BLOCK=y
 CONFIG_BLK_DEV_BSG=y
@ -341,7 +349,7 @@ CONFIG_DEFAULT_CFQ=y
 # CONFIG_DEFAULT_NOOP is not set
 CONFIG_DEFAULT_IOSCHED="cfq"
 CONFIG_PREEMPT_NOTIFIERS=y
-CONFIG_ASN1=m
+CONFIG_ASN1=y
 CONFIG_UNINLINE_SPIN_UNLOCK=y
 CONFIG_INLINE_SPIN_UNLOCK_IRQ=y
 CONFIG_INLINE_READ_UNLOCK=y
@ -516,6 +524,9 @@ CONFIG_HZ_1000=y
 CONFIG_HZ=1000
 CONFIG_SCHED_HRTICK=y
 CONFIG_KEXEC=y
+CONFIG_KEXEC_FILE=y
+CONFIG_KEXEC_VERIFY_SIG=y
+CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y
 CONFIG_CRASH_DUMP=y
 CONFIG_KEXEC_JUMP=y
 CONFIG_PHYSICAL_START=0x1000000
@ -3659,7 +3670,7 @@ CONFIG_CRYPTO_SHA1=m
 CONFIG_CRYPTO_SHA1_SSSE3=m
 CONFIG_CRYPTO_SHA256_SSSE3=m
 # CONFIG_CRYPTO_SHA512_SSSE3 is not set
-CONFIG_CRYPTO_SHA256=m
+CONFIG_CRYPTO_SHA256=y
 # CONFIG_CRYPTO_SHA512 is not set
 # CONFIG_CRYPTO_TGR192 is not set
 # CONFIG_CRYPTO_WP512 is not set
@ -3722,11 +3733,13 @@ CONFIG_CRYPTO_HW=y
 # CONFIG_CRYPTO_DEV_PADLOCK is not set
 # CONFIG_CRYPTO_DEV_CCP is not set
 # CONFIG_CRYPTO_DEV_QAT_DH895xCC is not set
-CONFIG_ASYMMETRIC_KEY_TYPE=m
-CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=m
-CONFIG_PUBLIC_KEY_ALGO_RSA=m
-CONFIG_X509_CERTIFICATE_PARSER=m
-# CONFIG_PKCS7_MESSAGE_PARSER is not set
+CONFIG_ASYMMETRIC_KEY_TYPE=y
+CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
+CONFIG_PUBLIC_KEY_ALGO_RSA=y
+CONFIG_X509_CERTIFICATE_PARSER=y
+CONFIG_PKCS7_MESSAGE_PARSER=y
+# CONFIG_PKCS7_TEST_KEY is not set
+CONFIG_SIGNED_PE_FILE_VERIFICATION=y
 CONFIG_HAVE_KVM=y
 CONFIG_HAVE_KVM_IRQCHIP=y
 CONFIG_HAVE_KVM_IRQFD=y
@ -3816,8 +3829,8 @@ CONFIG_AVERAGE=y
 CONFIG_CLZ_TAB=y
 # CONFIG_CORDIC is not set
 # CONFIG_DDR is not set
-CONFIG_MPILIB=m
-CONFIG_OID_REGISTRY=m
+CONFIG_MPILIB=y
+CONFIG_OID_REGISTRY=y
 CONFIG_UCS2_STRING=y
 CONFIG_FONT_SUPPORT=y
 # CONFIG_FONTS is not set