
Akmods does not sign compiled module when using rpm-ostree #499

Open
travier opened this issue Oct 20, 2023 · 4 comments
Labels
enhancement New feature or request kinoite Also affect Fedora Kinoite

Comments

@travier
Member

travier commented Oct 20, 2023

This issue is re-created from old content of #272, which has been removed from GitHub following the author's request (no details) according to GitHub support.

See the (old) archive at: https://web.archive.org/web/20220531094412/https://github.com/fedora-silverblue/issue-tracker/issues/272


Describe the bug

When using rpm-ostree, akmods does not sign compiled modules with the keys found in /etc/pki/akmods.

To Reproduce

  • # /usr/sbin/kmodgenca
  • # mokutil --import /etc/pki/akmods/certs/public_key.der
  • Reboot and enroll
  • Overlay an akmods module package (like the nvidia driver)
  • Reboot

Expected behavior

Modules will get signed with the keys, just like when I run akmods manually.

OS version:

BootedDeployment:
● fedora:fedora/36/x86_64/silverblue
                   Version: 36.20220511.0 (2022-05-11T00:48:12Z)
                BaseCommit: 5c70836453ffbd07757cabeb4c1de5389b95d45d7ec6fe8d2397084e1587fcd7
              GPGSignature: Valid signature by 53DED2CB922D8B8D9E63FD18999F7CBF38AB71F4
           LayeredPackages: fish nvidia-driver
@travier travier added enhancement New feature or request f37 Related to Fedora 37 f36 Related to Fedora 36 kinoite Also affect Fedora Kinoite f38 Related to Fedora 38 f39 Related to Fedora 39 f40 Related to Fedora 40 labels Oct 20, 2023
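A check for the symptom reported above, as an added example that is not part of the issue: parse `modinfo` output for the signer and key serial and compare them with the certificate that kmodgenca produced and mokutil enrolled. The signer CN, serial and module paths in the samples are constructed.

```shell
# Added example, not from the issue: classify a kernel module as signed by the
# local akmods MOK key, signed by another key, or unsigned, from `modinfo` text.
# The signer CN and serial below are constructed; on a real host take them from
# /etc/pki/akmods/certs/public_key.der (see akmods_cert_identity).

# Drop colons and case so modinfo's "sig_key" and openssl's "serial=" agree.
norm_serial() { printf '%s' "$1" | tr -d ':' | tr '[:lower:]' '[:upper:]'; }

# Print one "field:" value from modinfo text on stdin (empty if absent).
modinfo_field() { awk -v k="$1:" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }'; }

# classify_signature MODINFO_TEXT EXPECTED_SIGNER EXPECTED_SERIAL
# Prints: akmods-signed | other-key | unsigned
classify_signature() {
  local text="$1" want_signer="$2" want_serial signer sig_key
  want_serial=$(norm_serial "$3")
  signer=$(printf '%s\n' "$text" | modinfo_field signer)
  sig_key=$(norm_serial "$(printf '%s\n' "$text" | modinfo_field sig_key)")
  if [ -z "$signer" ] && [ -z "$sig_key" ]; then
    echo unsigned            # no PKCS#7 signature appended to the module
  elif [ "$signer" = "$want_signer" ] && [ "$sig_key" = "$want_serial" ]; then
    echo akmods-signed       # signed by the key mokutil enrolled
  else
    echo other-key           # signed, but not by the enrolled akmods key
  fi
}

# Real host only: print subject CN and serial of the akmods certificate so the
# two values can be passed to classify_signature (needs openssl; not run here).
akmods_cert_identity() {
  openssl x509 -in "${1:-/etc/pki/akmods/certs/public_key.der}" -inform DER \
    -noout -subject -serial
}

# Constructed modinfo excerpts; every value here is made up for the demo.
SIGNED_OK='filename:       /lib/modules/6.5.0/extra/nvidia/nvidia.ko.xz
signer:         Example akmods local signing CA
sig_key:        0A:1B:2C:3D'
SIGNED_OTHER='filename:       /lib/modules/6.5.0/extra/nvidia/nvidia.ko.xz
signer:         Some other vendor key
sig_key:        FF:EE:DD:CC'
UNSIGNED='filename:       /lib/modules/6.5.0/extra/nvidia/nvidia.ko.xz
license:        NVIDIA'

# Demo on the samples; on a real host feed "$(modinfo nvidia)" instead.
for sample in "$SIGNED_OK" "$SIGNED_OTHER" "$UNSIGNED"; do
  classify_signature "$sample" "Example akmods local signing CA" "0A:1B:2C:3D"
done
```

An "unsigned" result for a module built during an rpm-ostree overlay, while a manual akmods run yields "akmods-signed", is exactly the behaviour this issue reports.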
@travier
Member Author

travier commented Oct 20, 2023

This is due to the fact that rpm-ostree install commands run in a fresh deployment and do not share the keys from the host /etc/ to sign the modules.

Workarounds:

@travier
Member Author

travier commented Oct 20, 2023

Updated the doc in fedora-silverblue/silverblue-docs#161

@travier travier removed f37 Related to Fedora 37 f36 Related to Fedora 36 labels Nov 24, 2023
@OptimoSupreme

Just out of curiosity, is there a plan for this issue to be resolved?

@travier travier removed f38 Related to Fedora 38 f39 Related to Fedora 39 f40 Related to Fedora 40 labels Apr 29, 2024
@zevlee

zevlee commented Aug 5, 2024

May I ask what the technical limitation is which prevents this issue from being resolved? I saw @travier mention some potential solutions from user suggestions.

store those keys into the kernel keyring and then request them while building the module during the rpm-ostree transaction.

add special client side "secret" handling that would bind mount some files into places during client side composes to share secrets.

use the kernel to store keys and use them to sign things during client side composes.

Is there discussion taking place regarding which (if any) of these solutions should be implemented?
