coreos-kernel: enable module and kexec signature verification

The module verification is in permissive mode by default, loading unsigned modules will simply taint the kernel. The kexec verification doesn't directly impact us right now since we are not using the newer file based syscall right now.
2025-08-21 06:21:08 +02:00 · 2014-11-06 13:43:59 -08:00 · 2014-11-06 13:43:59 -08:00 · 9621f09547
commit 9621f09547
parent 6ac92e93a0
3 changed files with 47 additions and 14 deletions
--- a/sdk_container/src/third_party/coreos-overlay/eclass/cros-kernel2.eclass
+++ b/sdk_container/src/third_party/coreos-overlay/eclass/cros-kernel2.eclass
@ -15,7 +15,7 @@ DEPEND="sys-apps/debianutils
 "
 IUSE="-source symlink-usr"
-RESTRICT="binchecks"
+RESTRICT="binchecks strip"
 STRIP_MASK="/usr/lib/debug/lib/modules/*/vmlinux"
 # Build out-of-tree and incremental by default, but allow an ebuild inheriting
@ -146,6 +146,15 @@ kmake() {
 		"$@"
 }
 # Discard the module signing key, we use new keys for each build.
 shred_keys() {
 	local build_dir="$(cros-workon_get_build_dir)"
 	if [[ -e "${build_dir}"/signing_key.priv ]]; then
 		shred -u "${build_dir}"/signing_key.* || die
 		rm -f "${build_dir}"/x509.genkey || die
 	fi
 }
 cros-kernel2_src_unpack() {
 	local srclocal="${CROS_WORKON_LOCALDIR[0]}/${CROS_WORKON_LOCALNAME[0]}"
 	local srcpath="${CROS_WORKON_SRCROOT}/${srclocal}"
@ -165,6 +174,9 @@ cros-kernel2_src_unpack() {
 	# onto the kernel image itself.
 	cp "${ROOT}"/usr/share/bootengine/bootengine.cpio \
 		"$(cros-workon_get_build_dir)" || die "copy of dracut cpio failed."
 	# make sure no keys are cached from a previous build
 	shred_keys
 }
 cros-kernel2_src_configure() {
@ -199,7 +211,11 @@ cros-kernel2_src_install() {
 	kmake INSTALL_PATH="${D}/usr/boot" install
 	# Install firmware to a temporary (bogus) location.
 	# The linux-firmware package will be used instead.
-	kmake INSTALL_MOD_PATH="${D}" INSTALL_FW_PATH="${T}/fw" modules_install
+	# Stripping must be done here, not portage, to preserve sigs.
 	kmake INSTALL_MOD_PATH="${D}" \
 		  INSTALL_MOD_STRIP="--strip-unneeded" \
 		  INSTALL_FW_PATH="${T}/fw" \
 		  modules_install
 	local version=$(kernelversion)
 	dosym "vmlinuz-${version}" /usr/boot/vmlinuz
@ -209,8 +225,10 @@ cros-kernel2_src_install() {
 	fi
 	# Install uncompressed kernel for debugging purposes.
-	insinto /usr/lib/debug/lib/modules/${version}/
+	# XXX: we haven't been using this, also we are not keeping module symbols
-	doins "$(cros-workon_get_build_dir)/vmlinux"
+	# right now. Revisit both of these if we need to beef up debugging tools.
 	#insinto /usr/lib/debug/lib/modules/${version}/
 	#doins "$(cros-workon_get_build_dir)/vmlinux"
 	if use source; then
 		install_kernel_sources
@ -218,6 +236,8 @@ cros-kernel2_src_install() {
 		# Remove invalid symlinks when source isn't installed
 		rm -f "${D}/lib/modules/${version}/"{build,source}
 	fi
 	shred_keys
 }
 EXPORT_FUNCTIONS src_unpack src_configure src_compile src_install
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-3.17.2-r2.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-3.17.2-r2.ebuild
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/x86_64_defconfig-3.17.2
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/x86_64_defconfig-3.17.2
@ -295,7 +295,15 @@ CONFIG_MODULE_UNLOAD=y
 # CONFIG_MODULE_FORCE_UNLOAD is not set
 # CONFIG_MODVERSIONS is not set
 # CONFIG_MODULE_SRCVERSION_ALL is not set
-# CONFIG_MODULE_SIG is not set
+CONFIG_MODULE_SIG=y
 # CONFIG_MODULE_SIG_FORCE is not set
 CONFIG_MODULE_SIG_ALL=y
 # CONFIG_MODULE_SIG_SHA1 is not set
 # CONFIG_MODULE_SIG_SHA224 is not set
 CONFIG_MODULE_SIG_SHA256=y
 # CONFIG_MODULE_SIG_SHA384 is not set
 # CONFIG_MODULE_SIG_SHA512 is not set
 CONFIG_MODULE_SIG_HASH="sha256"
 CONFIG_STOP_MACHINE=y
 CONFIG_BLOCK=y
 CONFIG_BLK_DEV_BSG=y
@ -341,7 +349,7 @@ CONFIG_DEFAULT_CFQ=y
 # CONFIG_DEFAULT_NOOP is not set
 CONFIG_DEFAULT_IOSCHED="cfq"
 CONFIG_PREEMPT_NOTIFIERS=y
-CONFIG_ASN1=m
+CONFIG_ASN1=y
 CONFIG_UNINLINE_SPIN_UNLOCK=y
 CONFIG_INLINE_SPIN_UNLOCK_IRQ=y
 CONFIG_INLINE_READ_UNLOCK=y
@ -516,6 +524,9 @@ CONFIG_HZ_1000=y
 CONFIG_HZ=1000
 CONFIG_SCHED_HRTICK=y
 CONFIG_KEXEC=y
 CONFIG_KEXEC_FILE=y
 CONFIG_KEXEC_VERIFY_SIG=y
 CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y
 CONFIG_CRASH_DUMP=y
 CONFIG_KEXEC_JUMP=y
 CONFIG_PHYSICAL_START=0x1000000
@ -3659,7 +3670,7 @@ CONFIG_CRYPTO_SHA1=m
 CONFIG_CRYPTO_SHA1_SSSE3=m
 CONFIG_CRYPTO_SHA256_SSSE3=m
 # CONFIG_CRYPTO_SHA512_SSSE3 is not set
-CONFIG_CRYPTO_SHA256=m
+CONFIG_CRYPTO_SHA256=y
 # CONFIG_CRYPTO_SHA512 is not set
 # CONFIG_CRYPTO_TGR192 is not set
 # CONFIG_CRYPTO_WP512 is not set
@ -3722,11 +3733,13 @@ CONFIG_CRYPTO_HW=y
 # CONFIG_CRYPTO_DEV_PADLOCK is not set
 # CONFIG_CRYPTO_DEV_CCP is not set
 # CONFIG_CRYPTO_DEV_QAT_DH895xCC is not set
-CONFIG_ASYMMETRIC_KEY_TYPE=m
+CONFIG_ASYMMETRIC_KEY_TYPE=y
-CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=m
+CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
-CONFIG_PUBLIC_KEY_ALGO_RSA=m
+CONFIG_PUBLIC_KEY_ALGO_RSA=y
-CONFIG_X509_CERTIFICATE_PARSER=m
+CONFIG_X509_CERTIFICATE_PARSER=y
-# CONFIG_PKCS7_MESSAGE_PARSER is not set
+CONFIG_PKCS7_MESSAGE_PARSER=y
 # CONFIG_PKCS7_TEST_KEY is not set
 CONFIG_SIGNED_PE_FILE_VERIFICATION=y
 CONFIG_HAVE_KVM=y
 CONFIG_HAVE_KVM_IRQCHIP=y
 CONFIG_HAVE_KVM_IRQFD=y
@ -3816,8 +3829,8 @@ CONFIG_AVERAGE=y
 CONFIG_CLZ_TAB=y
 # CONFIG_CORDIC is not set
 # CONFIG_DDR is not set
-CONFIG_MPILIB=m
+CONFIG_MPILIB=y
-CONFIG_OID_REGISTRY=m
+CONFIG_OID_REGISTRY=y
 CONFIG_UCS2_STRING=y
 CONFIG_FONT_SUPPORT=y
 # CONFIG_FONTS is not set