Gentoo Forums
PKCS#11 for Kernel Module Signing on Gentoo Kernel
mirthical
n00b
Joined: 18 Dec 2024
Posts: 1

PostPosted: Wed Dec 18, 2024 6:52 pm    Post subject: PKCS#11 for Kernel Module Signing on Gentoo Kernel

Hello Gentoo community,

This is my first post here, and I’m seeking guidance on an issue I’ve encountered while trying to use PKCS#11 for signing kernel modules during the build/install process of the sys-kernel/gentoo-kernel package.

Current Setup:

  • Kernel version: 6.12.5
  • dev-libs/openssl-3.3.2-r1
  • Signing mechanism: PKCS#11


The Problem:
In order to successfully use PKCS#11 for signing kernel modules, I’ve had to revert the extract-cert.c and sign-file.c files to their versions from kernel 6.11.11. Without doing this, signing with PKCS#11 fails during the kernel compilation or installation process. I get a bunch of errors like this:
Quote:

...
SSL error:12800067:DSO support routines::could not load the shared library: ../openssl-3.3.2/crypto/dso/dso_dlfcn.c:118 kernel
...
could not bind to the requested symbol name: ../openssl-3.3.2/crypto/dso/dso_dlfcn.c


Additionally, reverting these files alone is not sufficient. I’ve previously had to:

  • Define the environment variable KBUILD_SIGN_PIN with the necessary PIN for the PKCS#11 token.
  • Comment out my line MODULES_SIGN_KEY="pkcs11:token=MyVerySecretKernel" in /etc/portage/make.conf, only to uncomment it after merging (so that other emerges can sign with it, e.g. nvidia-drivers)
  • Set CONFIG_MODULE_SIG_KEY="pkcs11:token=MyVerySecretKernel" in my savedconfig file


What I Need Help With:

  • Is there a better or proper way to achieve PKCS#11-based signing for kernel modules?
  • I currently have the full .config in my savedconfig, but it seems that there is a way to keep only the things that differ from the Gentoo default. How can I see that default so that I only keep the lines that are different? I'm getting a bunch of lines saying that a fragment is redundant - not a problem, but clearly there seems to have been an effort to make things cleaner.
  • Are the steps I’m taking (reverting files, applying patches, setting environment variables, commenting/uncommenting) the only way to get this working?
  • Why does specifying MODULES_SIGN_KEY in make.conf cause an error while the same value works fine with other packages?

Any suggestions or guidance to streamline this process would be highly appreciated.

Thank you in advance for your help! Let me know if more details are needed.
Nowa
Developer
Joined: 25 Jun 2014
Posts: 449
Location: Nijmegen

PostPosted: Wed Dec 18, 2024 7:49 pm    Post subject: Re: PKCS#11 for Kernel Module Signing on Gentoo Kernel

mirthical wrote:

Additionally, reverting these files alone is not sufficient. I’ve previously had to:

  • Define the environment variable KBUILD_SIGN_PIN with the necessary PIN for the PKCS#11 token.
  • Comment out my line MODULES_SIGN_KEY="pkcs11:token=MyVerySecretKernel" in /etc/portage/make.conf, only to uncomment it after merging (so that other emerges can sign with it, e.g. nvidia-drivers)
  • Set CONFIG_MODULE_SIG_KEY="pkcs11:token=MyVerySecretKernel" in my savedconfig file



This sounds a lot like there is some bug in kernel-build.eclass, MODULES_SIGN_KEY should work fine, it should set the CONFIG_MODULE_SIG_KEY for you (though I am not sure how this interacts with USE=savedconfig). I would love to see the full build log to figure out where this is going wrong.

Quote:
I currently have the full .config in my savedconfig, but it seems that there is a way to keep only the things that differ from the Gentoo default. How can I see that default so that I only keep the lines that are different? I'm getting a bunch of lines saying that a fragment is redundant - not a problem, but clearly there seems to have been an effort to make things cleaner.
Are the steps I’m taking (reverting files, applying patches, setting environment variables, commenting/uncommenting) the only way to get this working?


What you are looking for is /etc/kernel/config.d; we have documented this here: https://wiki.gentoo.org/wiki/Project:Distribution_Kernel#Modifying_kernel_configuration
The easiest way to find the current default is to emerge with USE=-savedconfig, and then to copy the resulting /usr/lib/modules/x.y.z-gentoo-dist/config. You can also extract it from the build directory after the configure phase has finished.
_________________
OS: Gentoo 6.10.12-gentoo-dist, ~amd64, 23.0/desktop/plasma/systemd
MB: MSI Z370-A PRO
CPU: Intel Core i9-9900KS
GPU: Intel Arc A770 16GB & Intel UHD Graphics 630
SSD: Samsung 970 EVO Plus 2 TB
RAM: Crucial Ballistix 32GB DDR4-2400
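The reply above suggests taking the distribution default config and keeping only the lines that differ from it in a /etc/kernel/config.d fragment. The following script is an added example of how to compute such a minimal fragment; it is not code from the thread, from kernel-build.eclass, or from the Gentoo project. It assumes two plain kernel .config files as input (the default copied from /usr/lib/modules/x.y.z-gentoo-dist/config and the user's full savedconfig) and treats `# CONFIG_FOO is not set` as equivalent to `CONFIG_FOO=n` when comparing. The sample configs inside `demo_fragment` are constructed for illustration; the PKCS#11 URI is the one quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the Gentoo project): derive a minimal
# /etc/kernel/config.d fragment by keeping only the options whose value differs
# from the distribution default config.

# Usage: config_fragment_diff DEFAULT_CONFIG CUSTOM_CONFIG
# Prints, in CUSTOM_CONFIG order, every CONFIG_ line of CUSTOM_CONFIG whose
# value differs from DEFAULT_CONFIG or which DEFAULT_CONFIG does not mention.
config_fragment_diff() {
    awk '
        # Normalise "# CONFIG_X is not set" to "CONFIG_X=n" so both spellings
        # of a disabled option compare equal.
        function norm(line) {
            if (line ~ /^# CONFIG_[A-Za-z0-9_]+ is not set$/) {
                sub(/^# /, "", line)
                sub(/ is not set$/, "=n", line)
            }
            return line
        }
        # First file: remember the default value of every option.
        FNR == NR {
            l = norm($0)
            if (l ~ /^CONFIG_[A-Za-z0-9_]+=/) {
                split(l, kv, "=")      # kv[1] is the option name; values may contain "="
                def[kv[1]] = l
            }
            next
        }
        # Second file: emit lines that are missing from or differ in the default.
        {
            l = norm($0)
            if (l !~ /^CONFIG_[A-Za-z0-9_]+=/) next
            split(l, kv, "=")
            k = kv[1]
            if (!(k in def) || def[k] != l) print $0
        }
    ' "$1" "$2"
}

# Runs config_fragment_diff on two constructed sample configs (assumed values,
# not real Gentoo defaults) and prints the resulting fragment.
demo_fragment() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/default.config" <<'EOF'
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
CONFIG_NET=y
EOF
    cat > "$tmp/custom.config" <<'EOF'
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_KEY="pkcs11:token=MyVerySecretKernel"
CONFIG_NET=y
# CONFIG_WIRELESS is not set
EOF
    config_fragment_diff "$tmp/default.config" "$tmp/custom.config"
    rm -rf "$tmp"
}

# Example invocation; the three lines printed are the only ones worth keeping
# in a /etc/kernel/config.d fragment for this constructed pair of configs.
demo_fragment
```

The output of `demo_fragment` is the fragment content: the unchanged `CONFIG_MODULE_SIG=y` and `CONFIG_NET=y` lines are dropped, while the PKCS#11 signing key, the changed `CONFIG_MODULE_SIG_FORCE` and the option absent from the default survive. Options absent from the default are kept deliberately, since the default may simply lack them because a dependency was off; review those by hand rather than assuming they are redundant.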