
[WIP/RFC] OOT modules sign #2636

Draft
wants to merge 2 commits into
base: main

Conversation

danzatt

@danzatt danzatt commented Feb 5, 2025


For out-of-tree modules (like ZFS or NVIDIA) to work with Secure Boot, they need to be signed by the ephemeral kernel modules key. This key is shredded after the upstream-included kernel modules are built, therefore it can't be reused during the ZFS module build. This PR moves the key to /tmp, so that it stays in RAM and can be reused by out-of-tree modules. Moreover, by moving the key to /tmp we improve the security of the ephemeral module signing key (previously we wrote it to disk and then shredded it, but it might still stay in the disk or software cache, compromising the secure boot model).

Currently, this PR works when the packages are built manually in the order coreos-modules, zfs-kmod and coreos-kernel. We need to fix the dependencies, so that we enforce this order.


@danzatt danzatt marked this pull request as draft February 6, 2025 14:20
Contributor

@chewi chewi left a comment


I mentioned this on Teams, so perhaps you've initially taken a shortcut, but using a deterministic path in /tmp is dangerous. We should generate a random one with mktemp and set an environment variable.

@danzatt danzatt force-pushed the danzatt/oot-modules-sign branch from a1ce873 to 935efe2 February 13, 2025 11:50
@danzatt danzatt force-pushed the danzatt/oot-modules-sign branch from 935efe2 to 17589ba February 13, 2025 14:02
Move module signing key to /tmp, so that it stays in RAM. Disable
shredding signing key after coreos-modules finishes, but rather shred it
after coreos-kernel finishes, so that out of tree modules (like ZFS from
upstream portage) can also use the key before it is shredded.
@danzatt danzatt force-pushed the danzatt/oot-modules-sign branch from 17589ba to 06cda22 February 20, 2025 12:59
@danzatt
Author

danzatt commented Feb 20, 2025

I've rebased the PR and added a new function which just verifies the conditions (that the key is in /tmp).

Copy link
Contributor

@chewi chewi left a comment


Arrgh, sorry, just noticed one more thing. It isn't enough for /tmp/$(uuidgen) to be random. It actually needs to be created with mktemp in order to be safe. Hopefully that isn't a problem.
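The following is an added example, not code from this PR or from the repository it targets, showing the pattern asked for in both review comments above and the key life cycle described in the PR description: the key location is created with mktemp -d rather than a deterministic /tmp path or /tmp/$(uuidgen), the resulting path is passed to later package builds through an environment variable, a check function verifies the key's location and permissions before any module is signed, and the key is destroyed after the last consumer finishes. The function names, the MODSIGN_KEY_DIR variable name and the mktemp template are assumptions, and the script relies on GNU coreutils (mktemp, stat, shred).

```shell
#!/bin/sh
# Added example, not code from this PR: create the ephemeral module-signing key
# location with mktemp, verify it before use, and destroy it after the last consumer.
# Function and variable names (make_signing_dir, check_signing_key,
# destroy_signing_dir, MODSIGN_KEY_DIR) are assumptions; requires GNU coreutils.

# Create the key directory atomically. mktemp -d both picks an unpredictable name
# and creates it with mode 0700 in one mkdir() call that fails if the path already
# exists, so another local user cannot pre-create or symlink the path. Picking a
# random name (e.g. with uuidgen) and creating it in a separate step leaves a
# window between the two, which is why mktemp is required, not just randomness.
make_signing_dir() {
    mktemp -d /tmp/modsign.XXXXXXXXXX
}

# Verify the conditions the key must satisfy before any module is signed:
# under /tmp (assumed to be tmpfs on the builder, so the key stays in RAM), a
# regular file that is not a symlink, owned by the build user, and unreadable
# by group and others.
check_signing_key() {
    key=$1
    case $key in
        /tmp/*) ;;
        *) echo "signing key not under /tmp: $key" >&2; return 1 ;;
    esac
    if [ -L "$key" ]; then
        echo "signing key is a symlink: $key" >&2; return 1
    fi
    if [ ! -f "$key" ]; then
        echo "signing key is not a regular file: $key" >&2; return 1
    fi
    if [ "$(stat -c %u "$key")" != "$(id -u)" ]; then
        echo "signing key not owned by uid $(id -u): $key" >&2; return 1
    fi
    case $(stat -c %a "$key") in
        600|400) ;;
        *) echo "signing key mode too permissive: $key" >&2; return 1 ;;
    esac
    return 0
}

# Destroy the key once the last package that needs it has finished (coreos-kernel
# in this PR). shred -u overwrites and unlinks each file; on tmpfs the overwrite
# is moot but unlinking frees the pages, and removing the directory leaves nothing
# behind for a later build to find.
destroy_signing_dir() {
    dir=$1
    if command -v shred >/dev/null 2>&1; then
        find "$dir" -type f -exec shred -u {} +
    fi
    rm -rf -- "$dir"
}

# Usage as the package builds would chain it (comments only, not executed here):
#   MODSIGN_KEY_DIR=$(make_signing_dir); export MODSIGN_KEY_DIR
#   (umask 077; generate signing_key.pem and signing_key.x509 in "$MODSIGN_KEY_DIR")
#   check_signing_key "$MODSIGN_KEY_DIR/signing_key.pem" && \
#       scripts/sign-file sha256 "$MODSIGN_KEY_DIR/signing_key.pem" \
#           "$MODSIGN_KEY_DIR/signing_key.x509" zfs.ko
#   destroy_signing_dir "$MODSIGN_KEY_DIR"
```

The ordering constraint from the PR description (coreos-modules, then zfs-kmod, then coreos-kernel) maps onto the three functions: the first package creates and exports MODSIGN_KEY_DIR, every package that signs a module runs check_signing_key first, and only the last one calls destroy_signing_dir.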
