Hi Justin! Please consider merging the two patches I'll send as reply to this mail. They are basically a rebase of the patches I send two months ago: http://lists.fedoraproject.org/archives/list/kernel@lists.fedoraproject.org/...
To quote myself:
On 10.12.2015 20:59, Josh Boyer wrote(¹):
[…] Thinking about it some, there isn't really a reason CONFIG_MODULE_SIG couldn't be enabled on other architectures. Signed modules are independent of UEFI secure boot support. If we did that, we might want to come up with something that maps arches which have it enabled to a single RPM macro.
Anyway, that's likely future work.
Find attached two patches to go down that route.
The first creates a new macro in the spec file to make "signing modules" and "signing kernels for UEFI secure boot" independent from each other. This is pretty straightforward and could be applied as is, as afterwards it if more obvious what happens. I fired a scratch build to verify mod-sign and pesign are still called just like before on %{ix86} x86_64. Results can be found via http://koji.fedoraproject.org/koji/taskinfo?taskID=12376294 The arm build log shows that mod-sign and pesign are still not called.
The second patch enables module signing for all archs. Scratch builds for primary archs: http://koji.fedoraproject.org/koji/taskinfo?taskID=12376883 Scratch build for ppc: http://ppc.koji.fedoraproject.org/koji/taskinfo?taskID=3033583 I for now didn't run any of those kernels to verify if things still work as I'm unsure what we want to do (hence the RFC in the Subject): On which archs do we want to enable module signing? Are there any reasons to not enable it on some archs? Is the overhead considered to big for armv7? Does it work everywhere?
Peter on IRC said the overhead for armv7 is no problem from is point of view and Josh seems to be fine with the whole idea as well. Here is a fresh scratch build to show that the stuff still builds on x86-32, x86-64 and armv7: http://koji.fedoraproject.org/koji/taskinfo?taskID=13251682
CU, knurd
On 07.03.2016 07:40, Thorsten Leemhuis wrote:
Hi Justin! Please consider merging the two patches I'll send as reply to this mail.
From 231a1930cec3ba799b606128e63d5a9e556ffcc0 Mon Sep 17 00:00:00 2001 From: Thorsten Leemhuis fedora@leemhuis.info Date: Sun, 6 Mar 2016 20:19:02 +0100 Subject: [PATCH 1/2] add signkernel macro to make signing kernel and signing modules independent from each other
--- kernel.spec | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/kernel.spec b/kernel.spec index 6783bb3..6081458 100644 --- a/kernel.spec +++ b/kernel.spec @@ -11,9 +11,11 @@ Summary: The Linux kernel # Sign modules on x86. Make sure the config files match this setting if more # architectures are added. %ifarch %{ix86} x86_64 +%global signkernel 1 %global signmodules 1 %global zipmodules 1 %else +%global signkernel 0 %global signmodules 0 %global zipmodules 0 %endif @@ -396,7 +398,7 @@ BuildRequires: rpm-build, elfutils BuildRequires: openssl openssl-devel %endif
-%if %{signmodules} +%if %{signkernel} BuildRequires: pesign >= 0.10-4 %endif
@@ -1335,7 +1337,7 @@ BuildKernel() { make -s mrproper cp configs/$Config .config
- %if %{signmodules} + %if %{signkernel}%{signmodules} cp %{SOURCE11} certs/. %endif
@@ -1372,7 +1374,7 @@ BuildKernel() { cp arch/$Arch/boot/zImage.stub $RPM_BUILD_ROOT/%{image_install_path}/zImage.stub-$KernelVer || : cp arch/$Arch/boot/zImage.stub $RPM_BUILD_ROOT/lib/modules/$KernelVer/zImage.stub-$KernelVer || : fi - %if %{signmodules} + %if %{signkernel} # Sign the image if we're using EFI %pesign -s -i $KernelImage -o vmlinuz.signed if [ ! -s vmlinuz.signed ]; then @@ -2144,6 +2146,10 @@ fi - Fix ethernet naming on Armada 38x devices - Serial console fixes for Tegra
+* Sat Mar 5 2016 Thorsten Leemhuis fedora@leemhuis.info +- add signkernel macro to make signing kernel and signing modules + independent from each other + * Fri Mar 04 2016 Justin M. Forbes jforbes@fedoraproject.org - 4.5.0-0.rc6.git3.1 - Linux v4.5-rc6-41-ge3c2ef4
On 07.03.2016 07:40, Thorsten Leemhuis wrote:
Hi Justin! Please consider merging the two patches I'll send as reply to this mail.
From 73643da91a47992f42616875984baec116667511 Mon Sep 17 00:00:00 2001 From: Thorsten Leemhuis fedora@leemhuis.info Date: Fri, 1 Jan 2016 17:45:08 +0100 Subject: [PATCH 2/2] sign modules on all archs
--- config-generic | 17 ++++++++++++++--- config-x86-generic | 13 +------------ kernel.spec | 9 ++++----- 3 files changed, 19 insertions(+), 20 deletions(-)
diff --git a/config-generic b/config-generic index 30f00b2..0e8f192 100644 --- a/config-generic +++ b/config-generic @@ -5855,11 +5855,22 @@ CONFIG_POWERCAP=y
# CONFIG_CPUFREQ_DT is not set
-# CONFIG_MODULE_SIG is not set +CONFIG_MODULE_SIG=y +CONFIG_MODULE_SIG_ALL=y +# CONFIG_MODULE_SIG_SHA1 is not set +CONFIG_MODULE_SIG_SHA256=y +# CONFIG_MODULE_SIG_FORCE is not set +CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" +CONFIG_SYSTEM_TRUSTED_KEYS="" +CONFIG_PKCS7_MESSAGE_PARSER=y +# CONFIG_PKCS7_TEST_KEY is not set +CONFIG_SIGNED_PE_FILE_VERIFICATION=y +CONFIG_SYSTEM_TRUSTED_KEYRING=y +CONFIG_SYSTEM_BLACKLIST_KEYRING=y +# CONFIG_MODULE_SIG_UEFI is not set +# CONFIG_EFI_SIGNATURE_LIST_PARSER is not set # FIXME: Revisit this to see if we can use it instead of the spec file stuff # CONFIG_MODULE_COMPRESS is not set -# CONFIG_SYSTEM_TRUSTED_KEYRING is not set -# CONFIG_SYSTEM_BLACKLIST_KEYRING is not set
# CONFIG_RTC_DRV_EFI is not set # CONFIG_NET_XGENE is not set diff --git a/config-x86-generic b/config-x86-generic index 33b55f3..4815913 100644 --- a/config-x86-generic +++ b/config-x86-generic @@ -583,18 +583,7 @@ CONFIG_MOUSE_PS2_VMMOUSE=y CONFIG_XZ_DEC_X86=y
CONFIG_MPILIB=y -CONFIG_PKCS7_MESSAGE_PARSER=y -# CONFIG_PKCS7_TEST_KEY is not set -CONFIG_SIGNED_PE_FILE_VERIFICATION=y -CONFIG_SYSTEM_TRUSTED_KEYRING=y -CONFIG_SYSTEM_BLACKLIST_KEYRING=y -CONFIG_MODULE_SIG=y -CONFIG_MODULE_SIG_ALL=y -# CONFIG_MODULE_SIG_SHA1 is not set -CONFIG_MODULE_SIG_SHA256=y -# CONFIG_MODULE_SIG_FORCE is not set -CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" -CONFIG_SYSTEM_TRUSTED_KEYS="" + CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y CONFIG_EFI_SIGNATURE_LIST_PARSER=y
diff --git a/kernel.spec b/kernel.spec index 6081458..ad3fd42 100644 --- a/kernel.spec +++ b/kernel.spec @@ -16,7 +16,7 @@ Summary: The Linux kernel %global zipmodules 1 %else %global signkernel 0 -%global signmodules 0 +%global signmodules 1 %global zipmodules 0 %endif
@@ -393,14 +393,12 @@ BuildRequires: rpm-build, elfutils %define debuginfo_args --strict-build-id -r %endif
-%ifarch %{ix86} x86_64 -# MODULE_SIG is enabled in config-x86-generic and needs these: +%if %{signkernel}%{signmodules} BuildRequires: openssl openssl-devel -%endif - %if %{signkernel} BuildRequires: pesign >= 0.10-4 %endif +%endif
%if %{with_cross} BuildRequires: binutils-%{_build_arch}-linux-gnu, gcc-%{_build_arch}-linux-gnu @@ -2149,6 +2147,7 @@ fi * Sat Mar 5 2016 Thorsten Leemhuis fedora@leemhuis.info - add signkernel macro to make signing kernel and signing modules independent from each other +- sign modules on all archs
* Fri Mar 04 2016 Justin M. Forbes jforbes@fedoraproject.org - 4.5.0-0.rc6.git3.1 - Linux v4.5-rc6-41-ge3c2ef4
This was applied today with rc7-git1
Thanks, Justin
On Mon, Mar 7, 2016 at 12:42 AM, Thorsten Leemhuis fedora@leemhuis.info wrote:
On 07.03.2016 07:40, Thorsten Leemhuis wrote:
Hi Justin! Please consider merging the two patches I'll send as reply to this mail.
From 73643da91a47992f42616875984baec116667511 Mon Sep 17 00:00:00 2001 From: Thorsten Leemhuis fedora@leemhuis.info Date: Fri, 1 Jan 2016 17:45:08 +0100 Subject: [PATCH 2/2] sign modules on all archs
config-generic | 17 ++++++++++++++--- config-x86-generic | 13 +------------ kernel.spec | 9 ++++----- 3 files changed, 19 insertions(+), 20 deletions(-)
diff --git a/config-generic b/config-generic index 30f00b2..0e8f192 100644 --- a/config-generic +++ b/config-generic @@ -5855,11 +5855,22 @@ CONFIG_POWERCAP=y
# CONFIG_CPUFREQ_DT is not set
-# CONFIG_MODULE_SIG is not set +CONFIG_MODULE_SIG=y +CONFIG_MODULE_SIG_ALL=y +# CONFIG_MODULE_SIG_SHA1 is not set +CONFIG_MODULE_SIG_SHA256=y +# CONFIG_MODULE_SIG_FORCE is not set +CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" +CONFIG_SYSTEM_TRUSTED_KEYS="" +CONFIG_PKCS7_MESSAGE_PARSER=y +# CONFIG_PKCS7_TEST_KEY is not set +CONFIG_SIGNED_PE_FILE_VERIFICATION=y +CONFIG_SYSTEM_TRUSTED_KEYRING=y +CONFIG_SYSTEM_BLACKLIST_KEYRING=y +# CONFIG_MODULE_SIG_UEFI is not set +# CONFIG_EFI_SIGNATURE_LIST_PARSER is not set # FIXME: Revisit this to see if we can use it instead of the spec file stuff # CONFIG_MODULE_COMPRESS is not set -# CONFIG_SYSTEM_TRUSTED_KEYRING is not set -# CONFIG_SYSTEM_BLACKLIST_KEYRING is not set
# CONFIG_RTC_DRV_EFI is not set # CONFIG_NET_XGENE is not set diff --git a/config-x86-generic b/config-x86-generic index 33b55f3..4815913 100644 --- a/config-x86-generic +++ b/config-x86-generic @@ -583,18 +583,7 @@ CONFIG_MOUSE_PS2_VMMOUSE=y CONFIG_XZ_DEC_X86=y
CONFIG_MPILIB=y -CONFIG_PKCS7_MESSAGE_PARSER=y -# CONFIG_PKCS7_TEST_KEY is not set -CONFIG_SIGNED_PE_FILE_VERIFICATION=y -CONFIG_SYSTEM_TRUSTED_KEYRING=y -CONFIG_SYSTEM_BLACKLIST_KEYRING=y -CONFIG_MODULE_SIG=y -CONFIG_MODULE_SIG_ALL=y -# CONFIG_MODULE_SIG_SHA1 is not set -CONFIG_MODULE_SIG_SHA256=y -# CONFIG_MODULE_SIG_FORCE is not set -CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" -CONFIG_SYSTEM_TRUSTED_KEYS=""
CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y CONFIG_EFI_SIGNATURE_LIST_PARSER=y
diff --git a/kernel.spec b/kernel.spec index 6081458..ad3fd42 100644 --- a/kernel.spec +++ b/kernel.spec @@ -16,7 +16,7 @@ Summary: The Linux kernel %global zipmodules 1 %else %global signkernel 0 -%global signmodules 0 +%global signmodules 1 %global zipmodules 0 %endif
@@ -393,14 +393,12 @@ BuildRequires: rpm-build, elfutils %define debuginfo_args --strict-build-id -r %endif
-%ifarch %{ix86} x86_64 -# MODULE_SIG is enabled in config-x86-generic and needs these: +%if %{signkernel}%{signmodules} BuildRequires: openssl openssl-devel -%endif
%if %{signkernel} BuildRequires: pesign >= 0.10-4 %endif +%endif
%if %{with_cross} BuildRequires: binutils-%{_build_arch}-linux-gnu, gcc-%{_build_arch}-linux-gnu @@ -2149,6 +2147,7 @@ fi
- Sat Mar 5 2016 Thorsten Leemhuis fedora@leemhuis.info
- add signkernel macro to make signing kernel and signing modules independent from each other
+- sign modules on all archs
- Fri Mar 04 2016 Justin M. Forbes jforbes@fedoraproject.org -
4.5.0-0.rc6.git3.1
- Linux v4.5-rc6-41-ge3c2ef4
-- 1.8.3.1
kernel@lists.fedoraproject.org
-
Justin Forbes -
Thorsten Leemhuis