Conversation
chewi left a comment:
I mentioned this on Teams, so perhaps you've initially taken a shortcut, but using a deterministic path in /tmp is dangerous. We should generate a random one with mktemp and set an environment variable.
(force-pushed a1ce873 to 935efe2)
Outdated, resolved review threads on:
sdk_container/src/third_party/coreos-overlay/eclass/coreos-kernel.eclass (four threads)
...ontainer/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.6.76.ebuild (two threads)
(force-pushed 935efe2 to 17589ba)
Outdated, resolved review thread on:
...ontainer/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.6.76.ebuild
(force-pushed 17589ba to 06cda22)
I've rebased the PR and added a new function which just verifies the conditions (that the key is in
chewi left a comment:
Arrgh, sorry, just noticed one more thing. It isn't enough for /tmp/$(uuidgen) to be random. It actually needs to be created with mktemp in order to be safe. Hopefully that isn't a problem.
(force-pushed 06cda22 to f5f7fb2, then to 729d83c)
I fixed this now.
Build action triggered: https://github.com/flatcar/scripts/actions/runs/14757631459
chewi left a comment:
The shell quoting is still a bit wonky, so please use shellcheck in future. It's good enough though. Thanks!
Move module signing key to /tmp, so that it stays in RAM. Disable shredding the signing key after coreos-modules finishes; rather, shred it after coreos-kernel finishes, so that out-of-tree modules (like ZFS from upstream portage) can also use the key before it is shredded.
(force-pushed 729d83c to bfb5ec7)
Can you please create a PR for the changelog or add an entry with the nvidia sysext PR?
For out-of-tree modules (like ZFS or NVIDIA) to work with secure boot, they need to be signed by the ephemeral kernel modules key. This key is shredded after the upstream-included kernel modules are built, therefore it can't be reused during the ZFS module build. This PR moves the key to /tmp, so that it stays in RAM and can be reused by out-of-tree modules. Moreover, by moving the key to /tmp we improve the security of the ephemeral module signing key (previously we wrote it to disk and then shredded it, but it might still stay in the disk or software cache, compromising the secure boot model).

Currently, this PR works when the packages are built manually in the order coreos-modules, zfs-kmod and coreos-kernel. We need to fix the dependencies, so that we enforce this order.
changelog/ directory (user-facing change, bug fix, security fix, update)
/boot and /usr size, packages, list files for any missing binaries, kernel modules, config files, kernel modules, etc.
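The pattern chewi asks for in both review comments above (a random name under /tmp is not enough; the directory has to be created with mktemp) together with the verify-then-shred flow the PR description outlines, as an added shell example that is not the PR's or the coreos-kernel eclass's own code. The function and variable names (make_signing_keydir, check_signing_keydir, keydir_fstype, cleanup_signing_keydir, KEYDIR) and the certs/signing_key.pem location are assumptions made for the example.

```shell
#!/bin/bash
# Added example, not the PR's or Flatcar's own code. Names below are
# assumptions for the example, not the eclass's real variables or phases.
set -eu

# Create the key directory. mktemp -d picks an unpredictable name and fails
# rather than reusing a pre-existing path, so a planted /tmp/<name> (file,
# symlink or directory) can never be handed to us. A fixed path, or even
# "/tmp/$(uuidgen)" created with plain mkdir, does not give that guarantee.
make_signing_keydir() {
    local dir
    dir="$(mktemp -d "${TMPDIR:-/tmp}/modsign.XXXXXXXX")"
    printf '%s\n' "$dir"
}

# Filesystem type of the directory; "tmpfs" means the key really lives in
# RAM. stat -f is GNU coreutils, elsewhere we report "unknown".
keydir_fstype() {
    stat -f -c %T "$1" 2>/dev/null || echo unknown
}

# Re-check the directory every time it is used, e.g. in a later ebuild phase
# that only received the path through an environment variable: it must be a
# real directory (not a symlink), owned by us, with mode 0700.
check_signing_keydir() {
    local dir="$1"
    [ -n "$dir" ] || return 1
    [ ! -L "$dir" ] || return 1
    [ -d "$dir" ] || return 1
    [ -n "$(find "$dir" -maxdepth 0 -perm 700 -user "$(id -un)" 2>/dev/null)" ] || return 1
    return 0
}

# Overwrite and remove the private key, then the directory. On tmpfs the
# overwrite matters less, but it costs nothing and still covers a disk-backed
# /tmp. This is the step the PR moves from after coreos-modules to after
# coreos-kernel, so out-of-tree modules can sign with the key in between.
cleanup_signing_keydir() {
    local dir="$1" key
    key="$dir/certs/signing_key.pem"
    if [ -f "$key" ]; then
        if command -v shred >/dev/null 2>&1; then
            shred -u -- "$key"
        else
            rm -f -- "$key"
        fi
    fi
    rm -rf -- "$dir"
}

# Sketch of the whole flow across the builds:
#   KEYDIR="$(make_signing_keydir)"; export KEYDIR
#   check_signing_keydir "$KEYDIR" || exit 1
#   [ "$(keydir_fstype "$KEYDIR")" = tmpfs ] || echo "warning: $KEYDIR is not in RAM" >&2
#   ... build coreos-modules, out-of-tree modules, then coreos-kernel ...
#   cleanup_signing_keydir "$KEYDIR"
```

The tmpfs check matters because the description's "stays in RAM" claim only holds when /tmp is actually tmpfs in the build container; on a disk-backed /tmp the key would again reach the disk, which is exactly the case the shred step is there for.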