[WIP/RFC] OOT modules sign #2636
Draft
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
chewi
requested changes
Feb 6, 2025
danzatt
force-pushed
the
danzatt/oot-modules-sign
branch
from
a1ce873 to
935efe2
Compare
chewi
requested changes
Feb 13, 2025
sdk_container/src/third_party/coreos-overlay/eclass/coreos-kernel.eclass
Outdated
Show resolved
Hide resolved
sdk_container/src/third_party/coreos-overlay/eclass/coreos-kernel.eclass
Outdated
Show resolved
Hide resolved
sdk_container/src/third_party/coreos-overlay/eclass/coreos-kernel.eclass
Outdated
Show resolved
Hide resolved
...ontainer/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.6.76.ebuild
Outdated
Show resolved
Hide resolved
sdk_container/src/third_party/coreos-overlay/eclass/coreos-kernel.eclass
Outdated
Show resolved
Hide resolved
...ontainer/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.6.76.ebuild
Outdated
Show resolved
Hide resolved
chewi
reviewed
Feb 13, 2025
Move module signing key to /tmp, so that it stays in RAM. Disable shredding signing key after coreos-modules finishes, but rather shred it after coreos-kernel finishes, so that out of tree modules (like ZFS from upstream portage) can also use the key before it is shreded.
danzatt
force-pushed
the
danzatt/oot-modules-sign
branch
from
935efe2 to
17589ba
Compare
chewi
reviewed
Feb 13, 2025
| @@ -61,9 +61,8 @@ src_prepare() { | |||
| # Pull in the config and public module signing key | |||
| KV_OUT_DIR="${SYSROOT%/}/lib/modules/${COREOS_SOURCE_NAME#linux-}/build" | |||
| cp -v "${KV_OUT_DIR}/.config" build/ || die | |||
|
|
|||
| local sig_key="$(getconfig MODULE_SIG_KEY)" | |||
There was a problem hiding this comment.
I said you could call get_sig_key here, but now it's not actually used below, so this line should go. I'm not sure whether you need something in its place. I guess it builds the modules first and will reuse the config from that, so you don't need to call envsubst again.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
[Title: describe the change in one sentence]
For out of tree modules (like ZFS or NVIDIA) to work with secureboot, they need to be signed by the ephemeral kernel modules key. This key is shredded after the upstream-included kernel modules are built, therefore it can't be reused during ZFS module build. This PR moves the key to /tmp, so that it stays in RAM and can be reused by out of tree modules. Moreover, by moving the key to
/tmpwe improve the security of the ephemeral module signing key (previously we wrote it to disk and then shredded it, but it might still stay in the disk or software cache, compromising the secure boot model).Currently, this PR works when the packages are built manually in the order coreos-modules, zfs-kmod and coreos-kernel. We need to fix the dependecies, so that we enforce this order.
[ describe the change in 1 - 3 paragraphs ]
How to use
[ describe what reviewers need to do in order to validate this PR ]
Testing done
[Describe the testing you have done before submitting this PR. Please include both the commands you issued as well as the output you got.]
changelog/directory (user-facing change, bug fix, security fix, update)/bootand/usrsize, packages, list files for any missing binaries, kernel modules, config files, kernel modules, etc.