
Re: Alternate approaches to signed module packaging



On Sun, 2016-05-29 at 13:38 +0100, Ben Hutchings wrote:
[...]
> So I think I have to abandon my current approach and instead do one of:
> 
> 1. Attach module signatures at installation time, in a subdirectory.
>    Change kmod to prefer this subdirectory (this is purely a
>    configuration change).  It would also be possible to check during
>    installation that signatures match the installed unsigned modules,
>    and if not then abort and leave any older signed modules in place.
> 
> 2. Attach module signatures at package build time, making the
>    linux-image-signed packages provide/conflict/replace the
>    corresponding linux-image packages.  For architectures with
>    signed modules, udebs would be built from linux-signed and not
>    from linux.
[...]

I'm now implementing the second approach above.

In preparation for that, I moved most of the complexity of the linux-
image maintainer scripts into two new commands in linux-base and
rewrote them as shell scripts.  This reduced the total size of the
script templates from 711 to 67 (non-blank, non-comment) lines.  I
think they're now simple enough that duplicating them in linux-image-
signed is acceptable.

(Now that I think about it, we could duplicate the maintainer scripts
at build time using 'dpkg-query --control-show'.  Anyway, we now have
much more readable scripts and the new commands could be used by
packages generated by 'make deb-pkg' and make-kpkg in future.)

Duplicating the contents of linux-image and attaching signatures at
build time is simple and runs quickly.  It's also necessary to
duplicate the package relations and the description (with minor edits);
this was actually the hard part of the changes to linux-signed because
multiline values need to be escaped in substvars.

I think there are three steps left:

1. Move udeb generation for configurations with module signing enabled
   from linux to linux-signed.  (This is in progress.)
2. (Optional) Remove the '-signed' suffix from signed packages and add
   a '-unsigned' suffix to unsigned linux-image packages built with
   module signing enabled.  Adjust the Conflicts/Replaces/Provides
   fields accordingly.
3. Change the signing script to use an HSM.

Ben.

-- 
Ben Hutchings
When in doubt, use brute force. - Ken Thompson
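The build-time duplication described in the message (mirroring the unsigned package's relations and its multi-line Description through substvars, with the signed package providing, conflicting with and replacing the unsigned one), as an added example that is not the linux-signed project's code; the control stanza, package names and the "(signed)" synopsis edit are constructed assumptions, while `${Newline}` is dpkg's documented substvar for embedding a newline in a one-line substvar value:

```python
# Added example, not linux-signed's own code.  The stanza and package names
# are constructed; the "(signed)" synopsis edit is an assumed "minor edit".
# ${Newline} is a real dpkg substvar that dpkg-gencontrol expands to "\n".
UNSIGNED_STANZA = """\
Package: linux-image-4.6.0-1-amd64
Depends: kmod, linux-base (>= 4.3~)
Description: Linux 4.6 for 64-bit PCs
 The Linux kernel 4.6 and modules for use on PCs with AMD64, Intel 64 and
 VIA Nano processors.
 .
 This package contains the unsigned modules.
"""

def parse_stanza(text):
    """Parse one control stanza; continuation lines keep their leading space."""
    fields, name = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t"):
            if name is None:
                raise ValueError("continuation line before any field")
            fields[name] += "\n" + line
        elif ":" in line:
            name, _, value = line.partition(":")
            fields[name.strip()] = value.strip()
        elif line.strip():
            raise ValueError("malformed control line: %r" % line)
    return fields

def escape_substvar(value):
    """A substvar value is a single line, so newlines become ${Newline}."""
    return value.replace("\n", "${Newline}")

def signed_substvars(unsigned_fields, suffix="-signed"):
    """Derive the signed package's fields from the unsigned stanza."""
    unsigned = unsigned_fields["Package"]
    synopsis, nl, body = unsigned_fields["Description"].partition("\n")
    return {
        "signed:Package": unsigned + suffix,
        "signed:Depends": unsigned_fields.get("Depends", ""),
        # The signed build stands in for, and displaces, the unsigned one.
        "signed:Provides": unsigned,
        "signed:Conflicts": unsigned,
        "signed:Replaces": unsigned,
        "signed:Description": escape_substvar(synopsis + " (signed)" + nl + body),
    }

def render_substvars(vars_):
    """Serialise in deb-substvars format: one name=value per line."""
    return "".join("%s=%s\n" % (k, v) for k, v in vars_.items())
```

Feeding the rendered text to dpkg-gencontrol via `-T` would expand `${signed:Description}` back into a properly indented multi-line field.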
