eclass/coreos-kernel,sys-kernel/coreos-modules:

Move module signing key to /tmp, so that it stays in RAM. Disable shredding signing key after coreos-modules finishes, but rather shred it after coreos-kernel finishes, so that out of tree modules (like ZFS from upstream portage) can also use the key before it is shreded.
flatcar · Feb 13, 2025 · 935efe2 · 935efe2
1 parent 4ee3c33
commit 935efe2
Show file tree

Hide file tree

Showing 7 changed files with 72 additions and 16 deletions.
diff --git a/run_sdk_container b/run_sdk_container
@@ -151,6 +151,7 @@ if [[ -z ${stat} ]] ; then
         --network host
         -e SDK_USER_ID="$(id -u)"
         -e SDK_GROUP_ID="$(id -g)"
+	-e MODULE_SIGNING_KEY_DIR="/tmp/$(uuidgen)"
         --name="${name}"
         --hostname="${hostname}"
         --entrypoint /bin/bash

diff --git a/sdk_container/src/third_party/coreos-overlay/eclass/coreos-kernel.eclass b/sdk_container/src/third_party/coreos-overlay/eclass/coreos-kernel.eclass
@@ -136,20 +136,44 @@ getconfig() {
 	echo "${value}"
 }
 
+get_sig_key() {
+	local sig_key="$(getconfig MODULE_SIG_KEY)"
+
+	if [ "$sig_key" == "${sig_key#/}" ]
+	then
+		echo "build/$sig_key"
+	else
+		echo $sig_key
+	fi
+}
+
 # Generate the module signing key for this build.
 setup_keys() {
 	local sig_hash sig_key
 	sig_hash=$(getconfig MODULE_SIG_HASH)
-	sig_key="build/$(getconfig MODULE_SIG_KEY)"
+	sig_key="$(get_sig_key)"
+
+	echo "Preparing keys at $sig_key"
 
 	if [[ "${sig_key}" == "build/certs/signing_key.pem" ]]; then
 		die "MODULE_SIG_KEY is using the default value"
 	fi
 
-	mkdir -p certs "${sig_key%/*}" || die
+	if [ "$sig_key" == "${sig_key#/tmp/}" ]
+	then
+		die "Refusing to generate the key outside of /tmp, so that it stays in RAM only."
+	fi
+	if [ "$sig_key" != "${MODULES_SIGN_KEY}" ]
+	then
+		die "MODULES_SIGN_KEY variable is different than MODULE_SIG_KEY in kernel config."
+	fi
 
+	mkdir -p $MODULE_SIGNING_KEY_DIR
+	pushd $MODULE_SIGNING_KEY_DIR
+
+	mkdir -p gen_certs || die
 	# based on the default config the kernel auto-generates
-	cat >certs/modules.cnf <<-EOF
+	cat >gen_certs/modules.cnf <<-EOF
 		[ req ]
 		default_bits = 4096
 		distinguished_name = req_distinguished_name
@@ -169,19 +193,25 @@ setup_keys() {
 	EOF
 	openssl req -new -nodes -utf8 -days 36500 -batch -x509 \
 		"-${sig_hash}" -outform PEM \
-		-config certs/modules.cnf \
-		-out certs/modules.pub.pem \
-		-keyout certs/modules.key.pem \
+		-config gen_certs/modules.cnf \
+		-out gen_certs/modules.pub.pem \
+		-keyout gen_certs/modules.key.pem \
 		|| die "Generating module signing key failed"
-	cat certs/modules.pub.pem certs/modules.key.pem > "${sig_key}"
+
+	# copy the cert/key to desired location
+	mkdir -p "${MODULES_SIGN_CERT%/*}" "${MODULES_SIGN_KEY%/*}" || die
+	cat gen_certs/modules.pub.pem gen_certs/modules.key.pem > "$MODULES_SIGN_KEY" || die
+	cp gen_certs/modules.pub.pem $MODULES_SIGN_CERT || die
+
+	shred -u gen_certs/* || die
+	rmdir gen_certs || die
+
+	popd
 }
 
 # Discard the module signing key but keep public certificate.
 shred_keys() {
-	local sig_key
-	sig_key="build/$(getconfig MODULE_SIG_KEY)"
-	shred -u certs/modules.key.pem "${sig_key}" || die
-	cp certs/modules.pub.pem "${sig_key}" || die
+	shred -u "${MODULES_SIGN_KEY}" || die
 }
 
 # Populate /lib/modules/$(uname -r)/{build,source}

diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults
@@ -124,3 +124,10 @@ CGO_ENABLED=1
 
 # Keep using old binary format for now.
 BINPKG_FORMAT=xpak
+
+# move signing key and cert to /tmp so that the ephemeral key is not stored on a disk
+MODULES_SIGN_KEY="/tmp/certs/modules.pem"
+MODULES_SIGN_CERT="/tmp/certs/modules.pub.pem"
+
+# enable signing kernel modules from portage
+USE="${USE} modules-sign"
diff --git a/...ainer/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.6.76.ebuild b/...ainer/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.6.76.ebuild
@@ -61,9 +61,21 @@ src_prepare() {
 	# Pull in the config and public module signing key
 	KV_OUT_DIR="${SYSROOT%/}/lib/modules/${COREOS_SOURCE_NAME#linux-}/build"
 	cp -v "${KV_OUT_DIR}/.config" build/ || die
+
 	local sig_key="$(getconfig MODULE_SIG_KEY)"
-	mkdir -p "build/${sig_key%/*}" || die
-	cp -v "${KV_OUT_DIR}/${sig_key}" "build/${sig_key}" || die
+
+	if [ "$sig_key" == "${sig_key#/tmp/}" ]
+	then
+		die "Refusing to use module key stored outside of /tmp."
+	fi
+
+	# keeping the old logic here for now, unreacheble due to the previous condition
+	if [ "$sig_key" == "${sig_key#/}" ]
+	then
+		# sig_key is a relative path
+		mkdir -p "build/${sig_key%/*}" || die
+		cp -v "${KV_OUT_DIR}/${sig_key}" "build/${sig_key}" || die
+	fi
 
 	# Symlink to bootengine.cpio so we can stick with relative paths in .config
 	ln -sv "${SYSROOT%/}"/usr/share/bootengine/bootengine.cpio build/ || die

diff --git a/...ner/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.6.76.ebuild b/...ner/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-6.6.76.ebuild
@@ -16,7 +16,7 @@ src_prepare() {
 		local archconfig="$(find_archconfig)"
 		local commonconfig="$(find_commonconfig)"
 		elog "Building using config ${archconfig} and ${commonconfig}"
-		cat "${archconfig}" "${commonconfig}" >> build/.config || die
+		cat "${archconfig}" "${commonconfig}" | envsubst '$MODULE_SIGNING_KEY_DIR' >> build/.config || die
 	fi
 	cpio -ov </dev/null >build/bootengine.cpio
 
@@ -52,7 +52,6 @@ src_install() {
 	rm "${D}/usr/lib/debug/usr/lib/modules/${KV_FULL}/build" || die
 
 	# Clean up the build tree
-	shred_keys
 	kmake clean
 	find "build/" -type d -empty -delete || die
 	rm "build/.config.old" || die

diff --git a/...container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.6 b/...container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.6
@@ -459,7 +459,7 @@ CONFIG_MMC_SDHCI_PCI=m
 CONFIG_MODULES=y
 CONFIG_MODULE_COMPRESS_XZ=y
 CONFIG_MODULE_SIG=y
-CONFIG_MODULE_SIG_KEY="certs/modules.pem"
+CONFIG_MODULE_SIG_KEY="${MODULE_SIGNING_KEY_DIR}/certs/modules.pem"
 CONFIG_MODULE_SIG_SHA256=y
 CONFIG_MODULE_UNLOAD=y
 CONFIG_MOUSE_PS2=m

diff --git a/sdk_lib/sdk_entry.sh b/sdk_lib/sdk_entry.sh
@@ -49,6 +49,13 @@ sed -i -r '/^masters =/s/\bcoreos(\s|$)/coreos-overlay\1/g' /usr/local/portage/c
     fi
 )
 
+# SDK container is launched in another shell, so we need to smuggle the variables inside
+grep -q 'export MODULE_SIGNING_KEY_DIR' /home/sdk/.bashrc || {
+    echo "export MODULE_SIGNING_KEY_DIR='$MODULE_SIGNING_KEY_DIR'" >> /home/sdk/.bashrc
+    echo "export MODULES_SIGN_KEY='${MODULE_SIGNING_KEY_DIR}/certs/modules.pem'" >> /home/sdk/.bashrc
+    echo "export MODULES_SIGN_CERT='${MODULE_SIGNING_KEY_DIR}/certs/modules.pub.pem'" >> /home/sdk/.bashrc
+}
+
 # This is ugly.
 #   We need to sudo su - sdk -c so the SDK user gets a fresh login.
 #    'sdk' is member of multiple groups, and plain docker USER only