On Tue, 29 Jul 2014, Pat Riehecky wrote:
> On 07/29/2014 09:53 AM, Stephan Wiesand wrote:
>> On Jul 25, 2014, at 19:04 , Pat Riehecky wrote:
>>
>>> For secure boot kmods, it looks like there may be some odd work to be
>>> done....
>> Thanks for the hint. I hadn't thought of that yet. Sure, our modules should
>> be signed. I believe this has potential benefits even without UEFI or
>> secure boot.
>>
>>> I was pointed here for an example:
>>>
>>> https://messinet.com/rpms/browser/dahdi-linux-kmod/dahdi-linux-kmod.spec
>>
>> I didn't find that resource particularly helpful. But upstream
>> documentation suggests it's fairly trivial: According to the "signing
>> kernel modules for secure boot" section of the system administrators guide,
>> all it takes is this:
>>
>> perl /usr/src/kernels/%{kernel}/scripts/sign-file \
>> sha256 \
>> SL_signing_key.priv \
>> SL_signing_key_pub.der \
>> openafs.ko
>>
>> The only question is where to find the keys. And, academically, why do they
>> need the public key for creating the signature?
>>
>> A first proposal: If the build is initiated with "rpmbuild ... --define
>> 'module_key /path/to/SL_key.priv', the spec will attempt to sign the
>> modules with that private key and the corresponding /path/to/SL_key_pub.der
>> as the public key. If module_key is not defined, the modules won't be
>> signed.
>>
>> Obviously, this proposal could be adapted to whatever scheme you have
>> decided on for naming your key files, or we could have separate %defines
>> for the two files.
>>
>> - Stephan
>>
>
> Our exact secure boot process is still evolving a bit as we wait for our hard
> token.
>
> The folks over at ELRepo (thanks Phil Perry, Akemi Yagi, and Alan Bartlett)
> emailed me their kmod template for EL7. I've attached it here as a useful
> resource in the whole conversation.
>
> My main worry is stripping debuginfo breaking the signature. Typically the
> strip is run after %install which gives us some 'issues'.
Yes the signing has to be done after "strips" have been done other wise
strip will strip the signatures.
>
> The dahdi spec has one workaround (lines 61-107), but it is huge and somewhat
> messy looking
> The ELRepo spec is clean and simple yet seems a bit more aggressive (lines
> 28; 51-52), it leaves us without debuginfo
>
> /usr/lib/rpm/find-debuginfo.sh only strips executable files.
>
> As for macros:
> I'd love to keep the macros compatible with pesign's expectations mostly to
> keep things simple on the build host.
> It might be nice if the kmod was signed with a dummy key in the event of 'no
> key found'. I believe the kernel does that. It doesn't really provide any
> additional assurances, but it may make the spec easier to maintain and test
> on arbitrary systems.
>
> Beyond that, I think I'll have to punt to Connie as she is heading up or
> Secure Boot stuff. If I'm off base ignore me.
>
> Pat
>
>
-connie
|