mirthical (n00b)
Joined: 18 Dec 2024, Posts: 1
Posted: Wed Dec 18, 2024 6:52 pm    Post subject: PKCS#11 for Kernel Module Signing on Gentoo Kernel

Hello Gentoo community,
This is my first post here, and I’m seeking guidance on an issue I’ve encountered while trying to use PKCS#11 for signing kernel modules during the build/install process of the sys-kernel/gentoo-kernel package.
Current Setup:
- Kernel version: 6.12.5
- dev-libs/openssl-3.3.2-r1
- Signing mechanism: PKCS#11
The Problem:
In order to successfully use PKCS#11 for signing kernel modules, I’ve had to revert the extract-cert.c and sign-file.c files to their versions from kernel 6.11.11. Without doing this, signing with PKCS#11 fails during the kernel compilation or installation process. I get a bunch of errors like this:
Quote:
...
SSL error:12800067:DSO support routines::could not load the shared library: ../openssl-3.3.2/crypto/dso/dso_dlfcn.c:118 kernel
...
could not bind to the requested symbol name: ../openssl-3.3.2/crypto/dso/dso_dlfcn.c
Additionally, reverting these files alone is not sufficient. I’ve previously had to:
- Define the environment variable KBUILD_SIGN_PIN with the necessary PIN for the PKCS#11 token.
- Comment out my line MODULES_SIGN_KEY="pkcs11:token=MyVerySecretKernel" in /etc/portage/make.conf, only to uncomment it after merging (so that other emerges can sign with it, e.g. nvidia-drivers)
- Set CONFIG_MODULE_SIG_KEY="pkcs11:token=MyVerySecretKernel" in my savedconfig file
What I Need Help With:
- Is there a better or proper way to achieve PKCS#11-based signing for kernel modules?
- I currently have the full .config in my savedconfig, but it seems that there is a way to keep only the things that differ from the Gentoo default. How can I see that default so that I only keep the lines that are different? I'm getting a bunch of lines saying that a fragment is redundant; not a problem, but clearly there seems to have been an effort to make things cleaner.
- Are the steps I’m taking (reverting files, applying patches, setting environment variables, commenting/uncommenting) the only way to get this working?
- Why does specifying MODULES_SIGN_KEY in make.conf cause an error while the same value works fine with other packages?
Any suggestions or guidance to streamline this process would be highly appreciated.
Thank you in advance for your help! Let me know if more details are needed.
Nowa (Developer)
Joined: 25 Jun 2014, Posts: 449, Location: Nijmegen
Posted: Wed Dec 18, 2024 7:49 pm    Post subject: Re: PKCS#11 for Kernel Module Signing on Gentoo Kernel

mirthical wrote:
Additionally, reverting these files alone is not sufficient. I’ve previously had to:
- Define the environment variable KBUILD_SIGN_PIN with the necessary PIN for the PKCS#11 token.
- Comment out my line MODULES_SIGN_KEY="pkcs11:token=MyVerySecretKernel" in /etc/portage/make.conf, only to uncomment it after merging (so that other emerges can sign with it, e.g. nvidia-drivers)
- Set CONFIG_MODULE_SIG_KEY="pkcs11:token=MyVerySecretKernel" in my savedconfig file
This sounds a lot like there is some bug in kernel-build.eclass, MODULES_SIGN_KEY should work fine, it should set the CONFIG_MODULE_SIG_KEY for you (though I am not sure how this interacts with USE=savedconfig). I would love to see the full build log to figure out where this is going wrong.
Quote:
I currently have the full .config in my savedconfig, but it seems that there is a way to just have there the things that are different from the gentoo default, how can see that default so that I only keep the lines that are different? I'm getting a bunch of lines saying that fragment is redundant - not a problem but clearly there seems to have been an effort to make things cleaner.
Are the steps I’m taking (reverting files, applying patches, setting environment variables, commenting/uncommenting) the only way to get this working?
What you are looking for is /etc/kernel/config.d, we have documented this here: https://wiki.gentoo.org/wiki/Project:Distribution_Kernel#Modifying_kernel_configuration The easiest way to find the current default is to emerge with USE=-savedconfig, and then to copy the resulting /usr/lib/modules/x.y.z-gentoo-dist/config. You can also extract it from the build directory after the configure phase has finished.
_________________
OS: Gentoo 6.10.12-gentoo-dist, ~amd64, 23.0/desktop/plasma/systemd
MB: MSI Z370-A PRO
CPU: Intel Core i9-9900KS
GPU: Intel Arc A770 16GB & Intel UHD Graphics 630
SSD: Samsung 970 EVO Plus 2 TB
RAM: Crucial Ballistix 32GB DDR4-2400
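To turn a full saved .config into the minimal /etc/kernel/config.d fragment Nowa describes (only the options that differ from the distribution kernel's default), the following helper is an added example and not something from this thread or from the Gentoo project. It assumes you already have the default config copied from /usr/lib/modules/x.y.z-gentoo-dist/config and treats "# CONFIG_X is not set" and "CONFIG_X=n" as the same value, so a PKCS#11 signing setup like the one above ends up as a two- or three-line fragment instead of a whole .config.

```shell
#!/bin/sh
# kconfig_fragment DEFAULT_CONFIG FULL_CONFIG
# Prints every option whose value in FULL_CONFIG differs from DEFAULT_CONFIG
# (or is absent from the default). Options only present in the default are
# not printed: the default already carries them, so repeating them is what
# makes merge_config.sh report a redundant fragment. Output keeps the order
# of FULL_CONFIG and uses the "# CONFIG_X is not set" form for disabled options.
kconfig_fragment() {
    awk '
        # Split one .config line into NAME/VAL; "# CONFIG_X is not set" becomes X/n.
        # Returns 0 for comments, blank lines and anything else that is not an option.
        function parse(line,   name, val) {
            if (line ~ /^# CONFIG_[A-Za-z0-9_]+ is not set$/) {
                sub(/^# /, "", line); sub(/ is not set$/, "", line)
                name = line; val = "n"
            } else if (line ~ /^CONFIG_[A-Za-z0-9_]+=/) {
                name = line; sub(/=.*/, "", name)
                val = line; sub(/^[^=]*=/, "", val)   # value may itself contain "="
            } else {
                return 0
            }
            NAME = name; VAL = val
            return 1
        }
        # First file (the default): remember every option value.
        NR == FNR { if (parse($0)) def[NAME] = VAL; next }
        # Second file (the full saved config): emit only what differs or is new.
        parse($0) && (!(NAME in def) || def[NAME] != VAL) {
            out = (VAL == "n") ? "# " NAME " is not set" : NAME "=" VAL
            print out
        }
    ' "$1" "$2"
}

# Example invocation (paths are assumptions, adjust to your kernel version):
#   kconfig_fragment /usr/lib/modules/6.12.5-gentoo-dist/config \
#       /etc/portage/savedconfig/sys-kernel/gentoo-kernel \
#       > /etc/kernel/config.d/10-module-signing.config
if [ "$#" -eq 2 ]; then
    kconfig_fragment "$1" "$2"
fi
```

Review the resulting fragment before installing it: anything that is not module-signing related but still shows up is either a deliberate local change or a leftover from an older default that you may want to drop.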