brp-sign-kmodules: Sign kernel modules after kernel build

Try to work similar to `CONFIG_MODULE_SIG_ALL=y'.
This commit is contained in:
Виталий Чикунов 2020-11-03 12:01:04 +03:00
parent dfc381d732
commit 8b68c147ee
3 changed files with 135 additions and 1 deletions

View File

@ -925,6 +925,7 @@ AC_OUTPUT([ Doxyfile Makefile rpmrc macros platform rpmpopt
scripts/brp-cleanup
scripts/brp-compress
scripts/brp-debuginfo
scripts/brp-sign-kmodules
scripts/brp-fix-perms
scripts/brp-fixup
scripts/brp-verify_elf

View File

@ -7,7 +7,7 @@ EXTRA_DIST = \
debuginfo.req debuginfo.req.files debuginfo.prov debuginfo.prov.files \
functions find-package .provides.sh \
find-debuginfo-files process-debuginfo \
find-scriptlet-requires \
find-scriptlet-requires brp-sign-kmodules \
brp-adjust_libraries brp-alt brp-bytecompile_python \
brp-check_contents brp-cleanup brp-compress brp-debuginfo \
brp-fix-perms brp-fixup brp-hardlink_pyo_pyc \
@ -78,6 +78,7 @@ install-data-local:
$(INSTALL) -m755 brp-verify-info $(DESTDIR)$(configdir)/brp.d/040-verify-info.brp
$(INSTALL) -m755 brp-adjust_libraries $(DESTDIR)$(configdir)/brp.d/048-adjust_libraries.brp
$(INSTALL) -m755 brp-debuginfo $(DESTDIR)$(configdir)/brp.d/056-debuginfo.brp
$(INSTALL) -m755 brp-sign-kmodules $(DESTDIR)$(configdir)/brp.d/057-brp-sign-kmodules.brp
$(INSTALL) -m755 process-debuginfo $(DESTDIR)$(configdir)/process-debuginfo
$(INSTALL) -m755 brp-verify_elf $(DESTDIR)$(configdir)/brp.d/064-verify_elf.brp
$(INSTALL) -m755 brp-bytecompile_python $(DESTDIR)$(configdir)/brp.d/072-bytecompile_python.brp

132
scripts/brp-sign-kmodules.in Executable file
View File

@ -0,0 +1,132 @@
#!/bin/sh -e
#
# brp-sign-kmodules - sign Linux kernel modules
#
# Copyright (C) 2020 Vitaly Chikunov <vt@altlinux.org>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
. @RPMCONFIGDIR@/functions
ValidateBuildRoot
cd "$RPM_BUILD_ROOT" || exit
# We need modules and kernel tree to work.
[ -d lib/modules ] || exit 0
[ -d boot ] || exit 0
# Find kernel build root.
kbuilddir=$(find "$RPM_BUILD_DIR" -depth -maxdepth 3 -type f -name MAINTAINERS -print -quit)
kbuilddir=${kbuilddir%/*}
if [ -z "$kbuilddir" ]; then
Warning "Kernel source directory not found."
exit 0
fi
# Determine build time `.config'. Allow 2 levels for builds in O=subdir.
kconfig=$(find "$kbuilddir" -depth -maxdepth 2 -type f -name .config -print -quit)
if [ -z "$kconfig" ]; then
Warning "Kernel build output directory not found."
exit 0
fi
# Kernel output dir (from O=)
koutput=${kconfig%/.config}
# Working requirement.
if [ ! -x "$koutput/scripts/sign-file" ]; then
Warning "scripts/sign-file executable not found."
exit 0
fi
get_config() {
"$kbuilddir/scripts/config" --file "$kconfig" -s "$1"
}
MODULE_SIG_ALL=$( get_config MODULE_SIG_ALL)
MODULE_SIG_HASH=$(get_config MODULE_SIG_HASH)
MODULE_SIG_KEY=$( get_config MODULE_SIG_KEY)
MODULE_SIG_CERT=certs/signing_key.x509
if [ "$MODULE_SIG_ALL" != "y" ]; then
Warning "Module signing is not enabled (CONFIG_MODULE_SIG_ALL=$MODULE_SIG_ALL)"
exit 0
fi
if [ -z "$MODULE_SIG_HASH" ] || [ "$MODULE_SIG_HASH" = undef ]; then
Warning "Module signing hash is not set (CONFIG_MODULE_SIG_HASH)"
exit 0
fi
if [ -z "$MODULE_SIG_KEY" ] || [ "$MODULE_SIG_KEY" = undef ]; then
Warning "Module signing key is not set (CONFIG_MODULE_SIG_KEY)"
exit 0
fi
sig_key=$koutput/$MODULE_SIG_KEY
if [ ! -f "$sig_key" ]; then
Warning "Signing key not found (CONFIG_MODULE_SIG_KEY=\"$MODULE_SIG_KEY\")"
exit 0
fi
sig_cert=$koutput/$MODULE_SIG_CERT
if [ ! -f "$sig_cert" ]; then
Warning "Signing cert not found (expected $MODULE_SIG_CERT)"
exit 0
fi
find "$RPM_BUILD_ROOT/lib/modules" -name '*.ko*' > .kmodules
num=$(wc -l < .kmodules)
if [ $num -eq 0 ]; then
Warning "No kernel modules found for singing."
exit 0
fi
# Verify that singing is working to avoid flooding with errors later.
cd "$koutput"
t=$(mktemp)
if ! scripts/sign-file "$MODULE_SIG_HASH" "$MODULE_SIG_KEY" "$MODULE_SIG_CERT" "$t"; then
Warning "Test signing failed (scripts/sign-file error)."
exit 0
fi
rm "$t"
cd "$RPM_BUILD_ROOT"
# Determine if we should uncompress.
read f < .kmodules
rezip=
if [ -z "${f#*.ko.[gx]z}" ]; then
rezip=${f##*.}
rezip=${rezip/gz/gzip}
fi
if [ -n "$rezip" ]; then
Info "Uncompress ($rezip) $num modules before signing."
xargs -P$(nproc) $rezip --decompress < .kmodules
fi
cd "$koutput"
Info "Signing $num modules in $RPM_BUILD_ROOT (hash $MODULE_SIG_HASH key $MODULE_SIG_KEY)"
sed 's/\.ko\.[xg]z$/.ko/' < "$RPM_BUILD_ROOT/.kmodules" \
| xargs -P$(nproc) -n1 scripts/sign-file "$MODULE_SIG_HASH" "$MODULE_SIG_KEY" "$MODULE_SIG_CERT"
cd "$RPM_BUILD_ROOT"
if [ -n "$rezip" ]; then
Info "Compress ($rezip) $num modules after signing."
sed 's/\.ko\.[xg]z$/.ko/' < .kmodules | xargs -P$(nproc) $rezip
fi
rm .kmodules