Re: [PATCH v2] libkmod: Add support for detached module signatures
From: Lucas De Marchi <hidden>
Date: 2016-04-13 04:05:56
Hi, CC'ing Rusty On Mon, Apr 4, 2016 at 9:32 PM, Ben Hutchings [off-list ref] wrote:
Debian will not sign modules during the kernel package build, as this conflicts with the goal of reproducible builds. Instead, we will generate detached signatures offline and include them in a second package.
Is this a decision already? It doesn't look as a good reason - you would already need to provide a signing key (CONFIG_MODULE_SIG_KEY) anyway for this to work. How is leaving the module signature in another package be any better than just signing the module? If you have the signature, the build is just as reproducible as before.
We could attach the signatures when building this second package or at installation time, but that leads to duplication of all modules, either in the archive or on users' systems. To avoid this, add support to libkmod for concatenating modules with detached signatures (files with the '.sig' extension) at load time.
this has the drawback that finit_module() can't be used.
quoted hunk ↗ jump to hunk
Signed-off-by: Ben Hutchings <redacted> --- v2: Fix syntax error in the xz case Missed this because I didn't realise the Debian package disables gzip and xz support. Ben. libkmod/libkmod-file.c | 110 +++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 103 insertions(+), 7 deletions(-)diff --git a/libkmod/libkmod-file.c b/libkmod/libkmod-file.c index 5eeba6a912a2..cb1da3c9e2ae 100644 --- a/libkmod/libkmod-file.c +++ b/libkmod/libkmod-file.c
...
quoted hunk ↗ jump to hunk
@@ -292,12 +370,25 @@ struct kmod_file *kmod_file_open(const struct kmod_ctx *ctx, if (file == NULL) return NULL; + file->sig_fd = -1; + file->fd = open(filename, O_RDONLY|O_CLOEXEC); if (file->fd < 0) { err = -errno; goto error; } + /* Try to open a detached signature. If it's missing, that's OK. */ + if (asprintf(&sig_filename, "%s.sig", filename) < 0) { + err = -errno; + goto error; + } + file->sig_fd = open(sig_filename, O_RDONLY|O_CLOEXEC); + if (file->sig_fd < 0 && errno != ENOENT) { + err = -errno; + goto error; + }
This can't really work if the module is being loaded uncompressed (I think nowadays we can even add support for compressed modules... Rusty, any input here?). When the module is being directly loaded, the direct flag gets set so kmod_module_insert_module() knows it can try to use finit_module(). Since you have an external signature what would happen is that we would load the signature, but try to load the module in the kernel without it. I'm still not convinced the split module + signature is actually a good thing. Lucas De Marchi