Add kernel module signing on x86

Leave enforcement disabled for now, so unsigned modules can still load.
Enforcement can be switched on by adding "enforcemodulesig=1" to the kernel command line.
Josh Boyer 2012-03-06 16:09:57 -05:00
parent 8247ca06d4
commit c2a12cd16f
5 changed files with 7435 additions and 2 deletions


@ -3842,7 +3842,7 @@ CONFIG_CRYPTO_SEED=m
CONFIG_CRYPTO_SEQIV=m CONFIG_CRYPTO_SEQIV=m
CONFIG_CRYPTO_SERPENT=m CONFIG_CRYPTO_SERPENT=m
CONFIG_CRYPTO_SHA1=y CONFIG_CRYPTO_SHA1=y
CONFIG_CRYPTO_SHA256=m CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_SHA512=m CONFIG_CRYPTO_SHA512=m
CONFIG_CRYPTO_TEA=m CONFIG_CRYPTO_TEA=m
CONFIG_CRYPTO_TGR192=m CONFIG_CRYPTO_TGR192=m
@ -4392,3 +4392,8 @@ CONFIG_INTEL_MID_PTI=m
CONFIG_IOMMU_SUPPORT=y CONFIG_IOMMU_SUPPORT=y
# CONFIG_PM_DEVFREQ is not set # CONFIG_PM_DEVFREQ is not set
# CONFIG_MODULE_SIG is not set
# CONFIG_MODULE_VERIFY_ELF is not set
# CONFIG_CRYPTO_KEY_TYPE is not set
# CONFIG_PGP_LIBRARY is not set
# CONFIG_PGP_PRELOAD is not set
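Review bot: `CONFIG_CRYPTO_SHA256=y` in the first hunk appears to make SHA-256 built-in for every architecture that uses this config, while the options that need it (`CONFIG_MODULE_SIG=y`, `CONFIG_MODULE_SIG_SHA256=y`) are turned on only in the second config file on this page, presumably the x86 one. If module signature checking is the only reason for the change, set it next to `CONFIG_MODULE_SIG_SHA256=y` instead. Alternatively, add a comment here such as `# built in: needed to verify module signatures before any module can load` so the dependency stays visible. The file names of both config sections are not shown on the page, so this assumes the first is the shared generic config.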


@ -403,3 +403,8 @@ CONFIG_DRM_GMA500=m
# Maybe enable in debug kernels? # Maybe enable in debug kernels?
# CONFIG_DEBUG_NMI_SELFTEST is not set # CONFIG_DEBUG_NMI_SELFTEST is not set
CONFIG_MPILIB=y
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_SHA1 is not set
CONFIG_MODULE_SIG_SHA256=y
# CONFIG_MODULE_SIG_FORCE is not set

8
genkey Normal file

@ -0,0 +1,8 @@
%pubring kernel.pub
%secring kernel.sec
Key-Type: RSA
Key-Length: 2048
Name-Real: Fedora Project
Name-Comment: Kernel Module GPG key
%commit
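Review bot: The parameter file has no `Passphrase` line and writes the secret keyring to `kernel.sec` relative to the gpg home directory, which the spec sets to the source tree (`--homedir .`), so the signing key presumably sits unprotected in the build directory for the rest of the build. Nothing in the visible hunks deletes it or keeps it out of the packaged files, and a leaked `kernel.sec` would let modules be signed with a key this kernel build trusts. I would record the intent at the top of the file, e.g. `# Throwaway per-build signing key; kernel.sec must be deleted after signing and never packaged`, and confirm that the spec removes `kernel.sec` once the modules are signed.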


@ -8,6 +8,14 @@ Summary: The Linux kernel
# be 0. # be 0.
%global released_kernel 0 %global released_kernel 0
# Sign modules on x86. Make sure the config files match this setting if more
# architectures are added.
%ifarch %{ix86} x86_64
%global signmodules 1
%else
%global signmodules 0
%endif
# Save original buildid for later if it's defined # Save original buildid for later if it's defined
%if 0%{?buildid:1} %if 0%{?buildid:1}
%global orig_buildid %{buildid} %global orig_buildid %{buildid}
@ -54,7 +62,7 @@ Summary: The Linux kernel
# For non-released -rc kernels, this will be appended after the rcX and # For non-released -rc kernels, this will be appended after the rcX and
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
# #
%global baserelease 2 %global baserelease 3
%global fedora_build %{baserelease} %global fedora_build %{baserelease}
# base_sublevel is the kernel version we're starting with and patching # base_sublevel is the kernel version we're starting with and patching
@ -573,9 +581,17 @@ BuildRequires: rpm-build >= 4.9.0-1, elfutils >= elfutils-0.153-1
%define debuginfo_args --strict-build-id -r %define debuginfo_args --strict-build-id -r
%endif %endif
%if %{signmodules}
BuildRequires: gnupg
%endif
Source0: ftp://ftp.kernel.org/pub/linux/kernel/v3.0/linux-%{kversion}.tar.xz Source0: ftp://ftp.kernel.org/pub/linux/kernel/v3.0/linux-%{kversion}.tar.xz
Source1: compat-wireless-%{cwversion}.tar.bz2 Source1: compat-wireless-%{cwversion}.tar.bz2
%if %{signmodules}
Source11: genkey
%endif
Source15: merge.pl Source15: merge.pl
Source16: mod-extra.list Source16: mod-extra.list
@ -696,6 +712,7 @@ Patch700: linux-2.6-e1000-ich9-montevina.patch
Patch800: linux-2.6-crash-driver.patch Patch800: linux-2.6-crash-driver.patch
# crypto/ # crypto/
Patch900: modsign-20111207.patch
# virt + ksm patches # virt + ksm patches
Patch1555: fix_xen_guest_on_old_EC2.patch Patch1555: fix_xen_guest_on_old_EC2.patch
@ -1430,6 +1447,7 @@ ApplyPatch linux-2.6-crash-driver.patch
ApplyPatch linux-2.6-e1000-ich9-montevina.patch ApplyPatch linux-2.6-e1000-ich9-montevina.patch
# crypto/ # crypto/
ApplyPatch modsign-20111207.patch
# Assorted Virt Fixes # Assorted Virt Fixes
ApplyPatch fix_xen_guest_on_old_EC2.patch ApplyPatch fix_xen_guest_on_old_EC2.patch
@ -1556,6 +1574,30 @@ done
# remove unnecessary SCM files # remove unnecessary SCM files
find . -name .gitignore -exec rm -f {} \; >/dev/null find . -name .gitignore -exec rm -f {} \; >/dev/null
%if %{signmodules}
cat <<EOF
###
### Now generating a PGP key pair to be used for signing modules.
###
### If this takes a long time, you might wish to run rngd in the background to
### keep the supply of entropy topped up. It needs to be run as root, and
### should use a hardware random number generator if one is available, eg:
###
### rngd -r /dev/hwrandom
###
### If one isn't available, the pseudo-random number generator can be used:
###
### rngd -r /dev/urandom
###
EOF
gpg --homedir . --batch --gen-key %{SOURCE11}
cat <<EOF
###
### Key pair generated.
###
EOF
%endif
cd .. cd ..
%if %{with_backports} %if %{with_backports}
@ -1581,6 +1623,7 @@ cd ..
# get rid of unwanted files resulting from patch fuzz # get rid of unwanted files resulting from patch fuzz
find . \( -name "*.orig" -o -name "*~" \) -exec rm -f {} \; >/dev/null find . \( -name "*.orig" -o -name "*~" \) -exec rm -f {} \; >/dev/null
### ###
### build ### build
### ###
@ -1679,6 +1722,14 @@ BuildKernel() {
# Override $(mod-fw) because we don't want it to install any firmware # Override $(mod-fw) because we don't want it to install any firmware
# we'll get it from the linux-firmware package and we don't want conflicts # we'll get it from the linux-firmware package and we don't want conflicts
make -s ARCH=$Arch INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_install KERNELRELEASE=$KernelVer mod-fw= make -s ARCH=$Arch INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_install KERNELRELEASE=$KernelVer mod-fw=
%if %{signmodules}
if [ -z "$(readelf -n $(find fs/ -name \*.ko | head -n 1) | grep module.sig)" ]; then
echo "ERROR: modules are NOT signed" >&2;
exit 1;
fi
%endif
%ifarch %{vdso_arches} %ifarch %{vdso_arches}
make -s ARCH=$Arch INSTALL_MOD_PATH=$RPM_BUILD_ROOT vdso_install KERNELRELEASE=$KernelVer make -s ARCH=$Arch INSTALL_MOD_PATH=$RPM_BUILD_ROOT vdso_install KERNELRELEASE=$KernelVer
if [ ! -s ldconfig-kernel.conf ]; then if [ ! -s ldconfig-kernel.conf ]; then
@ -2377,6 +2428,9 @@ fi
# ||----w | # ||----w |
# || || # || ||
%changelog %changelog
* Wed Mar 07 2012 Josh Boyer <jwboyer@redhat.com>
- Add modsign for x86 builds
* Wed Mar 07 2012 Dave Jones <davej@redhat.com> - 3.3.0-0.rc6.git2.2 * Wed Mar 07 2012 Dave Jones <davej@redhat.com> - 3.3.0-0.rc6.git2.2
- Disable debugging options. - Disable debugging options.
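Review bot: The signing check added in BuildKernel (`readelf -n $(find fs/ -name \*.ko | head -n 1) | grep module.sig`) inspects a single module picked from fs/ in the build tree, so a build in which only some modules were signed still passes, as does one where the copies installed under `$RPM_BUILD_ROOT` differ from the in-tree ones. Checking every installed `.ko` closes that gap and lets the file name be quoted. The sketch below assumes modules_install places the modules under `$RPM_BUILD_ROOT/lib/modules/$KernelVer` and that the installed copies carry the same signature note. BuildKernel starts and ends outside this hunk, so it is worth confirming that no later step rewrites the modules after this point.

```spec
%if %{signmodules}
    # Fail the build unless every installed module carries a signature note.
    modlist=$(find "$RPM_BUILD_ROOT/lib/modules/$KernelVer" -name '*.ko')
    if [ -z "$modlist" ]; then
        echo "ERROR: no modules found to check" >&2
        exit 1
    fi
    echo "$modlist" | while IFS= read -r mod; do
        if ! readelf -n "$mod" | grep -q module.sig; then
            echo "ERROR: $mod is NOT signed" >&2
            exit 1
        fi
    done || exit 1
%endif
```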

7361
modsign-20111207.patch Normal file

File diff suppressed because it is too large Load Diff