From 9621f095471d943af3956b2d9d8da14ef0677465 Mon Sep 17 00:00:00 2001
From: Michael Marineau
Date: Thu, 6 Nov 2014 13:43:59 -0800
Subject: [PATCH] coreos-kernel: enable module and kexec signature verification

The module verification is in permissive mode by default, loading unsigned modules will simply taint the kernel. The kexec verification doesn't directly impact us right now since we are not using the newer file based syscall right now.
---
 .../coreos-overlay/eclass/cros-kernel2.eclass | 28 +++++++++++++---
 ....ebuild => coreos-kernel-3.17.2-r2.ebuild} | 0
 .../files/x86_64_defconfig-3.17.2 | 33 +++++++++++++------
 3 files changed, 47 insertions(+), 14 deletions(-)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/{coreos-kernel-3.17.2-r1.ebuild => coreos-kernel-3.17.2-r2.ebuild} (100%)
diff --git a/sdk_container/src/third_party/coreos-overlay/eclass/cros-kernel2.eclass b/sdk_container/src/third_party/coreos-overlay/eclass/cros-kernel2.eclass
index d7f771c080..eb78cf3696 100644
--- a/sdk_container/src/third_party/coreos-overlay/eclass/cros-kernel2.eclass
+++ b/sdk_container/src/third_party/coreos-overlay/eclass/cros-kernel2.eclass
@@ -15,7 +15,7 @@ DEPEND="sys-apps/debianutils "
 IUSE="-source symlink-usr"
-RESTRICT="binchecks"
+RESTRICT="binchecks strip"
 STRIP_MASK="/usr/lib/debug/lib/modules/*/vmlinux"
 # Build out-of-tree and incremental by default, but allow an ebuild inheriting
@@ -146,6 +146,15 @@ kmake() {
 "$@"
 }
+# Discard the module signing key, we use new keys for each build.
+shred_keys() {
+ local build_dir="$(cros-workon_get_build_dir)"
+ if [[ -e "${build_dir}"/signing_key.priv ]]; then
+ shred -u "${build_dir}"/signing_key.* || die
+ rm -f "${build_dir}"/x509.genkey || die
+ fi
+}
+
 cros-kernel2_src_unpack() {
 local srclocal="${CROS_WORKON_LOCALDIR[0]}/${CROS_WORKON_LOCALNAME[0]}"
 local srcpath="${CROS_WORKON_SRCROOT}/${srclocal}"
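Review bot: `RESTRICT="binchecks strip"` turns off portage stripping for everything this eclass installs, while the reason for it (signed modules must not be modified after signing) is only given in a comment in a later hunk of this file. A one-line comment next to the variable would keep the two together, e.g. `# strip: modules are stripped via INSTALL_MOD_STRIP during modules_install; portage must not touch them afterwards or the signatures break.` The `STRIP_MASK` line just below looks redundant once `strip` is restricted, though that depends on how portage treats the two settings together.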
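Review bot: `shred_keys` is only called at the start of src_unpack and at the end of src_install (the two later hunks in this file), so a build that dies in between leaves `signing_key.priv` in the build directory until the same tree is unpacked again. `shred -u` is also best effort on copy-on-write, journaling or flash-backed storage, where an in-place overwrite may never reach the old blocks. I would state both limits above the function, e.g. `# NOTE: best effort only: a failed build keeps the private key on disk until the next src_unpack, and shred cannot guarantee erasure on CoW/journaled filesystems.` The `-e signing_key.priv` guard also skips cleanup when only `signing_key.x509` or `x509.genkey` remains; whether that state can occur depends on the kernel's key-generation rule, which is not visible here.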
@@ -165,6 +174,9 @@ cros-kernel2_src_unpack() {
 # onto the kernel image itself.
 cp "${ROOT}"/usr/share/bootengine/bootengine.cpio \
 "$(cros-workon_get_build_dir)" || die "copy of dracut cpio failed."
+
+ # make sure no keys are cached from a previous build
+ shred_keys
 }
 cros-kernel2_src_configure() {
@@ -199,7 +211,11 @@ cros-kernel2_src_install() {
 kmake INSTALL_PATH="${D}/usr/boot" install
 # Install firmware to a temporary (bogus) location.
 # The linux-firmware package will be used instead.
- kmake INSTALL_MOD_PATH="${D}" INSTALL_FW_PATH="${T}/fw" modules_install
+ # Stripping must be done here, not portage, to preserve sigs.
+ kmake INSTALL_MOD_PATH="${D}" \
+ INSTALL_MOD_STRIP="--strip-unneeded" \
+ INSTALL_FW_PATH="${T}/fw" \
+ modules_install
 local version=$(kernelversion)
 dosym "vmlinuz-${version}" /usr/boot/vmlinuz
@@ -209,8 +225,10 @@ cros-kernel2_src_install() {
 fi
 # Install uncompressed kernel for debugging purposes.
- insinto /usr/lib/debug/lib/modules/${version}/
- doins "$(cros-workon_get_build_dir)/vmlinux"
+ # XXX: we haven't been using this, also we are not keeping module symbols
+ # right now. Revisit both of these if we need to beef up debugging tools.
+ #insinto /usr/lib/debug/lib/modules/${version}/
+ #doins "$(cros-workon_get_build_dir)/vmlinux"
 if use source; then
 install_kernel_sources
@@ -218,6 +236,8 @@ cros-kernel2_src_install() {
 # Remove invalid symlinks when source isn't installed
 rm -f "${D}/lib/modules/${version}/"{build,source}
 fi
+
+ shred_keys
 }
 EXPORT_FUNCTIONS src_unpack src_configure src_compile src_install
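Review bot: Nothing in src_install confirms that the installed modules still carry a signature after the `INSTALL_MOD_STRIP` / `modules_install` step, and because the defconfig in this commit leaves `CONFIG_MODULE_SIG_FORCE` unset, a regression here would only surface as a tainted kernel at runtime. A build-time check that every installed `.ko` ends with the kernel's appended-signature marker, placed right after the `kmake ... modules_install` call, would turn a silent signing failure or a later signature-breaking strip into a build failure. The sketch assumes modules land under `${D}/lib/modules`, as the `rm -f` later in this function suggests, and that modules are installed uncompressed. cros-kernel2_src_install starts and ends outside this hunk.

```shell
# … unchanged: kmake INSTALL_MOD_PATH=… INSTALL_MOD_STRIP=… modules_install …
# Fail the build if any installed module lost (or never got) its signature.
local ko
while IFS= read -r -d '' ko; do
	tail -c 28 "${ko}" | grep -q '~Module signature appended~' \
		|| die "module is not signed: ${ko}"
done < <(find "${D}/lib/modules" -name '*.ko' -print0)
```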
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-3.17.2-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-3.17.2-r2.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-3.17.2-r1.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-3.17.2-r2.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/x86_64_defconfig-3.17.2 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/x86_64_defconfig-3.17.2
index 8a8cec9e47..9d5bad9b4a 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/x86_64_defconfig-3.17.2
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/x86_64_defconfig-3.17.2
@@ -295,7 +295,15 @@ CONFIG_MODULE_UNLOAD=y
 # CONFIG_MODULE_FORCE_UNLOAD is not set
 # CONFIG_MODVERSIONS is not set
 # CONFIG_MODULE_SRCVERSION_ALL is not set
-# CONFIG_MODULE_SIG is not set
+CONFIG_MODULE_SIG=y
+# CONFIG_MODULE_SIG_FORCE is not set
+CONFIG_MODULE_SIG_ALL=y
+# CONFIG_MODULE_SIG_SHA1 is not set
+# CONFIG_MODULE_SIG_SHA224 is not set
+CONFIG_MODULE_SIG_SHA256=y
+# CONFIG_MODULE_SIG_SHA384 is not set
+# CONFIG_MODULE_SIG_SHA512 is not set
+CONFIG_MODULE_SIG_HASH="sha256"
 CONFIG_STOP_MACHINE=y
 CONFIG_BLOCK=y
 CONFIG_BLK_DEV_BSG=y
@@ -341,7 +349,7 @@ CONFIG_DEFAULT_CFQ=y
 # CONFIG_DEFAULT_NOOP is not set
 CONFIG_DEFAULT_IOSCHED="cfq"
 CONFIG_PREEMPT_NOTIFIERS=y
-CONFIG_ASN1=m
+CONFIG_ASN1=y
 CONFIG_UNINLINE_SPIN_UNLOCK=y
 CONFIG_INLINE_SPIN_UNLOCK_IRQ=y
 CONFIG_INLINE_READ_UNLOCK=y
@@ -516,6 +524,9 @@ CONFIG_HZ_1000=y
 CONFIG_HZ=1000
 CONFIG_SCHED_HRTICK=y
 CONFIG_KEXEC=y
+CONFIG_KEXEC_FILE=y
+CONFIG_KEXEC_VERIFY_SIG=y
+CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y
 CONFIG_CRASH_DUMP=y
 CONFIG_KEXEC_JUMP=y
 CONFIG_PHYSICAL_START=0x1000000
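Review bot: With `# CONFIG_MODULE_SIG_FORCE is not set` an unsigned or wrongly signed module still loads, so the `CONFIG_MODULE_SIG` hunk gives detection only, and only if something actually reads the taint state. It would help to record how that signal is meant to be consumed (for example alerting on the unsigned-module taint bit in `/proc/sys/kernel/tainted`) and that enforcement can be switched on per boot with `module.sig_enforce=1` without a rebuild. Because the eclass generates the signing key per build and shreds it afterwards, out-of-tree modules can never be signed for these kernels; that should be a stated decision before `CONFIG_MODULE_SIG_FORCE` is ever turned on.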
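Review bot: `CONFIG_KEXEC_VERIFY_SIG=y` only guards the file-based kexec syscall; the `CONFIG_KEXEC=y` context line above keeps the older `kexec_load` path, which accepts an unverified image from a privileged process. The description notes this changes nothing today, but it also means the option is not yet a control, and the `kernel.kexec_load_disabled` sysctl is the only switch I am aware of for the old path on a kernel of this age. Worth tracking as a follow-up together with the question of which key would sign the bzImage for `CONFIG_KEXEC_BZIMAGE_VERIFY_SIG`, since nothing in the visible hunks signs the kernel image itself.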
@@ -3659,7 +3670,7 @@ CONFIG_CRYPTO_SHA1=m
 CONFIG_CRYPTO_SHA1_SSSE3=m
 CONFIG_CRYPTO_SHA256_SSSE3=m
 # CONFIG_CRYPTO_SHA512_SSSE3 is not set
-CONFIG_CRYPTO_SHA256=m
+CONFIG_CRYPTO_SHA256=y
 # CONFIG_CRYPTO_SHA512 is not set
 # CONFIG_CRYPTO_TGR192 is not set
 # CONFIG_CRYPTO_WP512 is not set
@@ -3722,11 +3733,13 @@ CONFIG_CRYPTO_HW=y
 # CONFIG_CRYPTO_DEV_PADLOCK is not set
 # CONFIG_CRYPTO_DEV_CCP is not set
 # CONFIG_CRYPTO_DEV_QAT_DH895xCC is not set
-CONFIG_ASYMMETRIC_KEY_TYPE=m
-CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=m
-CONFIG_PUBLIC_KEY_ALGO_RSA=m
-CONFIG_X509_CERTIFICATE_PARSER=m
-# CONFIG_PKCS7_MESSAGE_PARSER is not set
+CONFIG_ASYMMETRIC_KEY_TYPE=y
+CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
+CONFIG_PUBLIC_KEY_ALGO_RSA=y
+CONFIG_X509_CERTIFICATE_PARSER=y
+CONFIG_PKCS7_MESSAGE_PARSER=y
+# CONFIG_PKCS7_TEST_KEY is not set
+CONFIG_SIGNED_PE_FILE_VERIFICATION=y
 CONFIG_HAVE_KVM=y
 CONFIG_HAVE_KVM_IRQCHIP=y
 CONFIG_HAVE_KVM_IRQFD=y
@@ -3816,8 +3829,8 @@ CONFIG_AVERAGE=y
 CONFIG_CLZ_TAB=y
 # CONFIG_CORDIC is not set
 # CONFIG_DDR is not set
-CONFIG_MPILIB=m
-CONFIG_OID_REGISTRY=m
+CONFIG_MPILIB=y
+CONFIG_OID_REGISTRY=y
 CONFIG_UCS2_STRING=y
 CONFIG_FONT_SUPPORT=y
 # CONFIG_FONTS is not set