

Merge pull request #24 from petronio/support_external_module_signing
Add support for automatically signing external modules
sakaki- committed Apr 28, 2019
2 parents d15ae23 + 8097e3c commit c7b87ed
Showing 4 changed files with 62 additions and 4 deletions.
32 changes: 31 additions & 1 deletion buildkernel
@@ -31,7 +31,7 @@ shopt -s nullglob
# ********************** variables *********************
PROGNAME="$(basename "${0}")"
CONFFILE="/etc/${PROGNAME}.conf"
VERSION="1.0.33"
VERSION="1.0.34"
ETCPROFILE="/etc/profile"
DEFAULTEFIBOOTFILE="bootx64.efi"
EFIBOOTFILE="${DEFAULTEFIBOOTFILE}"
@@ -109,6 +109,7 @@ GPGBUILDDIR="/root/tmpgpgbuild"
TMPGPGPATH="${GPGBUILDDIR}/usr/bin/gpg"
declare -i USINGUSBKEYFOREFI=0
declare -i BACKUPOLDKERNEL=1
declare -i BUILT_EXTERNAL_MODULES=1

EFIPARTNAME="EFI boot partition"
DEFAULTKEYMAP="us"
@@ -423,6 +424,29 @@ source_etc_conf_file() {
if [[ -v INITSYSTEM ]]; then
INITSYSTEM="${INITSYSTEM,,}"
fi
# perform checks on KERNEL_SIGNING_CERT and KERNEL_SIGNING_KEY
if [[ -v KERNEL_SIGNING_CERT ]]; then
if [[ ! -v KERNEL_SIGNING_KEY ]]; then
die "Cannot proceed; KERNEL_SIGNING_CERT is configured, but KERNEL_SIGNING_KEY is not."
fi
if [[ "${KERNEL_SIGNING_CERT}" == "auto" || "${KERNEL_SIGNING_KEY}" == "auto" ]]; then
if [[ "${KERNEL_SIGNING_CERT}" != "${KERNEL_SIGNING_KEY}" ]]; then
die "Cannot proceed; in automatic external module signing mode, both KERNEL_SIGNING_CERT and KERNEL_SIGNING_KEY must be set to \"auto\""
fi
KERNEL_SIGNING_CERT="${LINUXDIR}/certs/signing_key.x509"
KERNEL_SIGNING_KEY="${LINUXDIR}/certs/signing_key.pem"
else
if [[ ! -f "${KERNEL_SIGNING_CERT}" ]]; then
die "Cannot proceed; KERNEL_SIGNING_CERT is not a valid path to a file."
fi
if [[ ! -f "${KERNEL_SIGNING_KEY}" ]]; then
die "Cannot proceed; KERNEL_SIGNING_KEY is not a valid path to a file."
fi
fi
fi
if [[ -v KERNEL_SIGNING_KEY && ! -v KERNEL_SIGNING_CERT ]]; then
die "Cannot proceed; KERNEL_SIGNING_KEY is configured, but KERNEL_SIGNING_CERT is not."
fi
}
setup_final_variables() {
# post-processing once buildkernel.conf loaded
@@ -1818,8 +1842,14 @@ rebuild_external_modules_if_necessary() {
else
warning "Failed to complete emerge @module-rebuild due to error"
warning "Continuing..."
BUILT_EXTERNAL_MODULES=0
fi
fi
if [[ ${BUILT_EXTERNAL_MODULES}==1 && -v KERNEL_SIGNING_CERT ]] ; then
for EXTERNAL_MODULE in `find /lib/modules/${NEWVERSION#"linux-"}/* -type f -name '*.ko' -not -path '*/kernel/*'`; do
"${LINUXDIR}/scripts/sign-file" sha512 "${KERNEL_SIGNING_KEY}" "${KERNEL_SIGNING_CERT}" "${EXTERNAL_MODULE}"
done
fi
fi
}
create_initramfs_using_genkernel() {
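Review bot: The guard `if [[ ${BUILT_EXTERNAL_MODULES}==1 && -v KERNEL_SIGNING_CERT ]]` never tests the flag: without spaces around `==` the first operand is the single non-empty string `0==1` or `1==1`, which `[[ ]]` treats as true, so signing still runs after the `emerge @module-rebuild` failure path has set the flag to 0. The loop beneath it also word-splits backtick-captured `find` output and discards `sign-file`'s exit status, so a module that fails to sign stays unsigned with no diagnostic and, on a kernel that enforces module signatures, only shows up later as a load failure. Suggest `(( BUILT_EXTERNAL_MODULES == 1 ))`, a NUL-delimited read loop and an explicit status check as below; the hard-coded `sha512` presumably should agree with the hash the kernel was configured to use for module signatures, which is worth a comment on that line. rebuild_external_modules_if_necessary begins outside the hunk.
```shell
  if (( BUILT_EXTERNAL_MODULES == 1 )) && [[ -v KERNEL_SIGNING_CERT ]]; then
    # sign every out-of-tree module for the new kernel; abort rather than leave an unsigned module behind
    while IFS= read -r -d '' EXTERNAL_MODULE; do
      "${LINUXDIR}/scripts/sign-file" sha512 "${KERNEL_SIGNING_KEY}" "${KERNEL_SIGNING_CERT}" "${EXTERNAL_MODULE}" \
        || die "Failed to sign external module ${EXTERNAL_MODULE}"
    done < <(find "/lib/modules/${NEWVERSION#"linux-"}" -type f -name '*.ko' -not -path '*/kernel/*' -print0)
  fi
# … unchanged: closing fi and function brace …
```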
4 changes: 2 additions & 2 deletions buildkernel.8
@@ -1,4 +1,4 @@
.TH BUILDKERNEL 8 "Version 1.0.33: October 2018"
.TH BUILDKERNEL 8 "Version 1.0.34: April 2019"
.SH NAME
buildkernel \- build secure boot kernel, save to EFI system partition
.SH SYNOPSIS
@@ -61,7 +61,7 @@ cleans the kernel tree (if you specify \fB--clean\fR; you will be asked whether
.IP \(bu 2
builds the kernel, and its modules, with the specified configuration; in this first pass, an empty initramfs is used (since it must be incorporated in the kernel, to be protected by UEFI secure boot, but we don't have everything necessary to include in it, yet!);
.IP \(bu 2
builds any external modules (such as those required for VirtualBox), using \fBemerge @module-rebuild\fR, if you so specify (using the option \fB--rebuild-external-modules\fR);
builds any external modules (such as those required for VirtualBox), using \fBemerge @module-rebuild\fR, if you so specify (using the option \fB--rebuild-external-modules\fR), and optionally signs them (if you have set up the variables \fBKERNEL_SIGNING_CERT\fR and \fBKERNEL_SIGNING_KEY\fR in \fI/etc/buildkernel.conf\fR);
.IP \(bu 2
creates a first cut of the initramfs using \fBgenkernel\fR(8) (see below for more details); this will contain \fBgenkernel\fR(8)'s \fBinit\fR(8) script, compiled modules, any necessary firmware (if you haven't deblobbed), and a minimal set of binaries; it does \fInot\fR at this point contain a static copy of \fBgpg\fR;
.IP \(bu 2
8 changes: 8 additions & 0 deletions buildkernel.conf
@@ -83,6 +83,14 @@
# however, doing so should not be necessary.
#CMDLINE_ROOTFSTYPE="ext4"

# if you sign your kernel modules, configure the signing certificate and key
# paths to sign external modules as well once built. Setting the variables to
# "auto" will use the kernel's automatically generated certificate and key if
# you have configured it to generate them. By default the variable is unset and
# modules will not be signed.
#KERNEL_SIGNING_CERT="auto"
#KERNEL_SIGNING_KEY="auto"

# if you need to conform the config file for some reason, uncomment this
# hook function and fill it out to suit your requirements
# NB you should only really need to do this to override a setting forced
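Review bot: The comment above `#KERNEL_SIGNING_CERT="auto"` says setting "the variables" to auto uses the kernel's generated material, but the script only accepts `auto` when both variables carry it together and then resolves them to `${LINUXDIR}/certs/signing_key.x509` and `${LINUXDIR}/certs/signing_key.pem`; neither constraint is stated here. Suggest extending the comment with `# NB: "auto" must be used for BOTH variables, and resolves to ${LINUXDIR}/certs/signing_key.x509 and signing_key.pem` so a half-configured pair does not surprise the user with a die at startup. A non-auto KERNEL_SIGNING_KEY points at private key material, so the comment should also say the file must exist and should be readable only by root.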
22 changes: 21 additions & 1 deletion buildkernel.conf.5
@@ -1,4 +1,4 @@
.TH BUILDKERNEL 5 "Version 1.0.33: October 2018"
.TH BUILDKERNEL 5 "Version 1.0.34: April 2019"
.SH NAME
buildkernel.conf \- a configuration file for \fBbuildkernel\fR(8)
.SH SYNOPSIS
@@ -194,6 +194,26 @@ automatically detect the filesystem type of \fBCMDLINE_REAL_ROOT\fR
(falling back to \fBext4\fR, in case of error).

Most users will not need to override the default.
.br
.TP
.BR KERNEL_SIGNING_CERT
If you sign your kernel modules, set this to the path for the signing
certificate so that your external modules are signed after being built.
Setting to \fBauto\fR uses the kernel's automatically generated signing
certificate if you have configured it to generate it.

By default this is not set and causes external modules to not be signed.
Requires that the \fBKERNEL_SIGNING_KEY\fR variable is set.
.br
.TP
.BR KERNEL_SIGNING_KEY
If you sign your kernel modules, set this to the path for the signing key so
that your external modules are signed after being built. Setting to \fBauto\fR
uses the kernel's automatically generated signing key if you have configured it
to generate it.

By default this is not set and causes external modules to not be signed.
Requires that the \fBKERNEL_SIGNING_CERT\fR variable is set.

.RE
.SH FUNCTIONS

