
Alternate approaches to signed module packaging



The approach I have been pursuing in Debian for packaging signed kernel
modules is to install the module signatures as separate files and to
update module tools (kmod, initramfs-tools, etc.) to work with these.

This is blocked on upstream acceptance in kmod, and it's not clear
whether that's ever going to happen.

In the interim, while I've used my own build of kmod, I've noticed some
problems with it:

- Since Debian still hasn't implemented reproducible builds - in
  particular, auto-builders don't use stable build directories -
  an exact-versioned package dependency still isn't strong enough to
  ensure that the installed module signatures match the installed
  modules.  This isn't a practical problem for most people, but I often
  install a kernel binary package that I built locally and did not
  upload.

- While the versioned dependencies ensure that apt will try to
  upgrade linux-image-(version) and linux-image-(version)-signed
  together, the upgrade still might be aborted half-way through (e.g.
  due to lack of disk space), also resulting in invalid signatures.

So I think I have to abandon my current approach and instead do one of:

1. Attach module signatures at installation time, in a subdirectory.
   Change kmod to prefer this subdirectory (this is purely a
   configuration change).  It would also be possible to check during
   installation that signatures match the installed unsigned modules,
   and if not then abort and leave any older signed modules in place.

2. Attach module signatures at package build time, making the
   linux-image-signed packages provide/conflict/replace the
   corresponding linux-image packages.  For architectures with
   signed modules, udebs would be built from linux-signed and not
   from linux.

I intend to withdraw my proposed changes to kmod and dracut and to
revert the change I already made in initramfs-tools.

I don't think either of these approaches requires any changes in
initramfs-tools or dracut.  They will require some changes in kernel
udeb building, possibly in kernel-wedge or possibly only in linux and
linux-signed.

Ben.

-- Ben Hutchings
Editing code like this is akin to sticking plasters on the bleeding stump
of a severed limb. - me, 29 June 1999
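
The install-time check from option 1, as an added example (not code from this message or from any Debian package): signed modules are built in a staging directory and swapped into the signed subdirectory only if every signature matches its unsigned module. It assumes each detached signature is a DER PKCS#7/CMS blob stored as `<module>.sig` and that the unsigned and signed trees are sibling directories; the function names and the file naming are hypothetical.

```python
import os, shutil, struct, subprocess, tempfile
from pathlib import Path

MAGIC = b"~Module signature appended~\n"   # trailer magic the kernel looks for
PKEY_ID_PKCS7 = 2                          # id_type for a PKCS#7 signature

def attach(module: bytes, sig: bytes) -> bytes:
    """Append sig and the 12-byte struct module_signature trailer to a module."""
    if module.endswith(MAGIC):
        raise ValueError("module is already signed")
    # algo, hash, id_type, signer_len, key_id_len, 3 pad bytes, big-endian sig_len
    info = struct.pack(">BBBBB3xI", 0, 0, PKEY_ID_PKCS7, 0, 0, len(sig))
    return module + sig + info + MAGIC

def openssl_verify(module: Path, sig: Path, cert: str) -> bool:
    """True if sig is a valid detached signature over module made by cert (PEM)."""
    cmd = ["openssl", "cms", "-verify", "-binary", "-inform", "DER",
           "-in", str(sig), "-content", str(module), "-certfile", cert,
           "-nointern", "-noverify", "-out", os.devnull]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def install_signed(unsigned: Path, sigs: Path, target: Path, verify) -> bool:
    """Rebuild target from unsigned modules and detached signatures.

    verify(module_path, sig_path) -> bool decides whether a signature matches.
    On a missing or mismatched signature, return False and leave target as-is.
    """
    stage = Path(tempfile.mkdtemp(prefix=".signed-", dir=target.parent))
    try:
        for mod in sorted(unsigned.rglob("*.ko")):
            rel = mod.relative_to(unsigned)
            sig = sigs / (str(rel) + ".sig")      # hypothetical naming scheme
            if not sig.is_file() or not verify(mod, sig):
                return False                      # abort; old signed modules stay
            out = stage / rel
            out.parent.mkdir(parents=True, exist_ok=True)
            out.write_bytes(attach(mod.read_bytes(), sig.read_bytes()))
        stage.chmod(0o755)
        old = target.with_name(target.name + ".old")
        shutil.rmtree(old, ignore_errors=True)
        if target.exists():
            target.rename(old)                    # swap only after every check passed
        stage.rename(target)
        shutil.rmtree(old, ignore_errors=True)
        return True
    finally:
        shutil.rmtree(stage, ignore_errors=True)  # no-op after a successful swap
```

In a maintainer script the `verify` argument would be something like `lambda m, s: openssl_verify(m, s, cert_path)`, with `cert_path` pointing at the signing certificate.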
