[Bug 1930454] [NEW] support for .ko.hash signatures or .o -> ko -> detached signatures

Dimitri John Ledkov 1930454 at bugs.launchpad.net
Tue Jun 1 18:22:18 UTC 2021


Public bug reported:

support for .ko.hash signatures

Sometimes we would like to sign .ko kernel modules that we cannot
redistribute (i.e. linked nvidia .ko).

At the moment we attempt to sign them in private ppa builds only, then
extract detached signatures and ship those along with unlinked .o object
files that one can put together into a signed .ko.

It would be nice if we could generate a signing tarball with just
hashes of the .ko objects we'd like to sign without including .ko
objects themselves.

Something like module.ko.sha512, which is simply the sha512 hash of the
ko module to sign. Then do openssl API gymnastics in kmodsign to
convince it to produce a CMS signature without being able to actually
hash the file, just sign the hash we ask for and produce a detached
signature.

Alternatively we could put .o objects in the signing tarball and then
ask kmodsign to link them all, then sign, then detach signature, throw
away the .ko.

The above things are complicated, but if implemented, it would greatly
simplify signing non-redistributable kernel modules in launchpad.

** Affects: launchpad
     Importance: Undecided
         Status: New

** Affects: sbsigntool (Ubuntu)
     Importance: Undecided
         Status: New

-- 
https://bugs.launchpad.net/bugs/1930454
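The principle behind the module.ko.sha512 idea, as an added example that is not part of the bug report and is not kmodsign code: assuming an RSA key with PKCS#1 v1.5 padding and a signature computed directly over the content digest (no signed attributes), the signer needs only the 64-byte hash. It covers the raw signature step only, not the CMS wrapping; the key, file names and module contents are constructed.

```shell
#!/bin/sh
# Added example: throwaway key and a constructed stand-in for a module.
# Assumption: RSA with PKCS#1 v1.5 and no signed attributes, so the
# signature value depends only on the SHA-512 digest of the content.
hash_only_signing_demo() {
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        # Constructed signing key pair (stands in for the real signing key).
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out key.pem 2>/dev/null || exit 1
        openssl pkey -in key.pem -pubout -out pub.pem || exit 1

        # Builder side: holds the module, hands over only module.ko.sha512.
        printf 'constructed stand-in for a linked .ko\n' > module.ko
        openssl dgst -sha512 -binary -out module.ko.sha512 module.ko || exit 1

        # Signer side: sees the 64-byte digest, never module.ko itself.
        [ $(wc -c < module.ko.sha512) -eq 64 ] || exit 1
        openssl pkeyutl -sign -inkey key.pem -pkeyopt digest:sha512 \
            -in module.ko.sha512 -out from_hash.sig || exit 1

        # Reference: conventional signing with the full file available.
        openssl dgst -sha512 -sign key.pem -out from_file.sig module.ko || exit 1

        # The two signatures must be byte-identical, and the hash-only
        # signature must verify against the real file.
        cmp -s from_hash.sig from_file.sig || exit 1
        openssl dgst -sha512 -verify pub.pem -signature from_hash.sig \
            module.ko >/dev/null || exit 1

        # A module that differs from the hashed one must fail verification.
        printf 'tampered\n' >> module.ko
        ! openssl dgst -sha512 -verify pub.pem -signature from_hash.sig \
            module.ko >/dev/null 2>&1 || exit 1
    )
    rc=$?
    rm -rf "$work"
    return $rc
}

hash_only_signing_demo && echo "hash-only signature matches file signature"
```

The signer in this flow signs whatever digest it is handed, so the signature attests to the hash and not to any content the signer inspected.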