Expand Up @@ -143,8 +143,12 @@ get_sig_key() {
die "MODULE_SIG_KEY is using the default value"
fi

if [[ ${sig_key} != /tmp/* ]]; then
die "Refusing to to continue with modules key outside of /tmp, so that it stays in RAM only."
# For official builds, enforce /tmp to keep keys in RAM only
# For unofficial builds, allow persistent directory
if [[ ${COREOS_OFFICIAL:-0} -eq 1 ]]; then
if [[ ${sig_key} != /tmp/* ]]; then
die "Refusing to continue with modules key outside of /tmp for official builds, so that it stays in RAM only."
fi
fi
if [ "$sig_key" != "${MODULES_SIGN_KEY}" ]; then
die "MODULES_SIGN_KEY variable is different than MODULE_SIG_KEY in kernel config."
Expand All @@ -165,6 +169,12 @@ setup_keys() {

echo "Preparing keys at $sig_key"

if [[ ${COREOS_OFFICIAL:-0} -eq 0 ]]; then
# Allow portage sandbox to write to the module signing key directory,
# which is in home for unofficial builds
addwrite "${MODULE_SIGNING_KEY_DIR}"
fi

mkdir -p $MODULE_SIGNING_KEY_DIR
pushd $MODULE_SIGNING_KEY_DIR

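Review bot: The new guard `[[ ${COREOS_OFFICIAL:-0} -eq 1 ]]` in get_sig_key fails open, because `-eq` evaluates its operand arithmetically and a value such as `true` or `yes` is read as 0. In that case the /tmp check is skipped and a signing key on persistent storage is accepted in a build that was meant to be official. Since the RAM-only guarantee now depends on this one variable, I would enforce /tmp unless the build is explicitly marked unofficial, `if [[ ${COREOS_OFFICIAL:-0} != 0 ]]; then`, and use the matching `== 0` test before `addwrite` in setup_keys. A comment at the guard naming which component sets COREOS_OFFICIAL would make the trust assumption visible. Both function bodies continue outside the visible hunks.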
5 changes: 5 additions & 0 deletions sdk_lib/Dockerfile.sdk-build
Expand Up @@ -17,3 +17,8 @@ RUN /home/sdk/sdk_entry.sh ./build_packages --board="amd64-usr" --only_resolve_c

RUN rm /mnt/host/source/.env
RUN rm -rf /home/sdk/toolchain-pkgs

# Clean up ephemeral key directory variables that were added during build
RUN sed -i '/export MODULE_SIGNING_KEY_DIR/d' /home/sdk/.bashrc && \
sed -i '/export MODULES_SIGN_KEY/d' /home/sdk/.bashrc && \
sed -i '/export MODULES_SIGN_CERT/d' /home/sdk/.bashrc
Comment on lines +22 to +24
Member


This could be a single sed invocation, and I'd add = to keys, see other comment below for details.
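Review bot: The cleanup drops the exports from /home/sdk/.bashrc but leaves behind the directory they pointed to. When COREOS_OFFICIAL is not 1 during the image build, sdk_entry.sh creates /home/sdk/.module-signing-keys in an earlier RUN; any key generated there would ship in the image and be picked up again by every container, because the entry script recreates the same fixed path. I would remove the directory as well, `rm -rf /home/sdk/.module-signing-keys`, ideally inside the same RUN that calls sdk_entry.sh so the key material never lands in a committed layer. The same applies to the identical blocks in sdk_lib/Dockerfile.sdk-import and sdk_lib/Dockerfile.sdk-update.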

5 changes: 5 additions & 0 deletions sdk_lib/Dockerfile.sdk-import
Expand Up @@ -55,4 +55,9 @@ RUN chmod 755 /home/sdk/sdk_entry.sh
# it's likely that scripts and SDK tarball are out of sync
RUN /home/sdk/sdk_entry.sh ./update_chroot --toolchain_boards="amd64-usr arm64-usr"

# Clean up ephemeral key directory variables that were added during build
RUN sed -i '/export MODULE_SIGNING_KEY_DIR/d' /home/sdk/.bashrc && \
sed -i '/export MODULES_SIGN_KEY/d' /home/sdk/.bashrc && \
sed -i '/export MODULES_SIGN_CERT/d' /home/sdk/.bashrc
Comment on lines +59 to +61
Member


This could be a single sed invocation, and I'd add = to keys, see other comment below for details.


ENTRYPOINT ["/home/sdk/sdk_entry.sh"]
5 changes: 5 additions & 0 deletions sdk_lib/Dockerfile.sdk-update
Expand Up @@ -19,3 +19,8 @@ RUN /home/sdk/sdk_entry.sh ./setup_board --board="amd64-usr" --regen_configs
# Restore original .bashrc to remove sandbox disablement
RUN mv /home/sdk/.bashrc.bak /home/sdk/.bashrc
RUN chown sdk:sdk /home/sdk/.bashrc

# Clean up ephemeral key directory variables that were added during build
RUN sed -i '/export MODULE_SIGNING_KEY_DIR/d' /home/sdk/.bashrc && \
sed -i '/export MODULES_SIGN_KEY/d' /home/sdk/.bashrc && \
sed -i '/export MODULES_SIGN_CERT/d' /home/sdk/.bashrc
Comment on lines +24 to +26
Member


This could be a single sed invocation, and I'd add = to keys, see other comment below for details.

28 changes: 24 additions & 4 deletions sdk_lib/sdk_entry.sh
Expand Up @@ -52,16 +52,36 @@ sed -i -r '/^masters =/s/\bcoreos(\s|$)/coreos-overlay\1/g' /usr/local/portage/c
# SDK container is launched using the su command below, which does not preserve environment
# moreover, if multiple shells are attached to the same container,
# we want all of them to share the same value of the variable, therefore we need to save it in .bashrc
grep -q 'export MODULE_SIGNING_KEY_DIR' /home/sdk/.bashrc || {
MODULE_SIGNING_KEY_DIR=$(su sdk -c "mktemp -d")
# Check if MODULE_SIGNING_KEY_DIR exists in .bashrc and if the directory actually exists
if grep -q 'export MODULE_SIGNING_KEY_DIR' /home/sdk/.bashrc; then
Member


Suggested change
if grep -q 'export MODULE_SIGNING_KEY_DIR' /home/sdk/.bashrc; then
if grep -q 'export MODULE_SIGNING_KEY_DIR=' /home/sdk/.bashrc; then

# Extract the existing path
EXISTING_DIR=$(grep 'export MODULE_SIGNING_KEY_DIR' /home/sdk/.bashrc | sed "s/.*MODULE_SIGNING_KEY_DIR='\(.*\)'/\1/")
Member


You probably could use cut like:

Suggested change
EXISTING_DIR=$(grep 'export MODULE_SIGNING_KEY_DIR' /home/sdk/.bashrc | sed "s/.*MODULE_SIGNING_KEY_DIR='\(.*\)'/\1/")
EXISTING_DIR=$(grep 'export MODULE_SIGNING_KEY_DIR=' /home/sdk/.bashrc | cut -f2- -d=)

# If directory doesn't exist (stale from image build), remove the old entries and recreate
if [[ ! -d "$EXISTING_DIR" ]]; then
Member


No need to quote variables inside double brackets in bash:

Suggested change
if [[ ! -d "$EXISTING_DIR" ]]; then
if [[ ! -d ${EXISTING_DIR} ]]; then

echo "Deleting stale module signing directory."
sed -i '/export MODULE_SIGNING_KEY_DIR/d' /home/sdk/.bashrc
sed -i '/export MODULES_SIGN_KEY/d' /home/sdk/.bashrc
sed -i '/export MODULES_SIGN_CERT/d' /home/sdk/.bashrc
Comment on lines +62 to +64
Member


This could be a single invocation to sed, like:

(Also I'd add = to the keys to be sure we match the exact key, not like MODULE_SIGNING_KEY_DIR_HAHA_MY_OWN).

Suggested change
sed -i '/export MODULE_SIGNING_KEY_DIR/d' /home/sdk/.bashrc
sed -i '/export MODULES_SIGN_KEY/d' /home/sdk/.bashrc
sed -i '/export MODULES_SIGN_CERT/d' /home/sdk/.bashrc
sed -i -e '/export MODULE_SIGNING_KEY_DIR=/d' \
-e '/export MODULES_SIGN_KEY=/d' \
-e '/export MODULES_SIGN_CERT=/d' /home/sdk/.bashrc

fi
fi

# Create key directory if not already configured in .bashrc
if ! grep -q 'export MODULE_SIGNING_KEY_DIR' /home/sdk/.bashrc; then
Member


Suggested change
if ! grep -q 'export MODULE_SIGNING_KEY_DIR' /home/sdk/.bashrc; then
if ! grep -q 'export MODULE_SIGNING_KEY_DIR=' /home/sdk/.bashrc; then

# For official builds, use ephemeral keys. For unofficial builds, use persistent directory
if [[ ${COREOS_OFFICIAL:-0} -eq 1 ]]; then
MODULE_SIGNING_KEY_DIR=$(su sdk -c "mktemp -d")
else
MODULE_SIGNING_KEY_DIR="/home/sdk/.module-signing-keys"
su sdk -c "mkdir -p '$MODULE_SIGNING_KEY_DIR'"
Member


Use quoting feature of bash (search for ${parameter@operator} in https://www.gnu.org/software/bash/manual/bash.html#Shell-Parameter-Expansion):

Suggested change
su sdk -c "mkdir -p '$MODULE_SIGNING_KEY_DIR'"
su sdk -c "mkdir -p ${MODULE_SIGNING_KEY_DIR@Q}"

fi
if [[ ! "$MODULE_SIGNING_KEY_DIR" || ! -d "$MODULE_SIGNING_KEY_DIR" ]]; then
echo "Failed to create temporary directory for secure boot keys."
echo "Failed to create directory for module signing keys."
else
echo "export MODULE_SIGNING_KEY_DIR='$MODULE_SIGNING_KEY_DIR'" >> /home/sdk/.bashrc
echo "export MODULES_SIGN_KEY='${MODULE_SIGNING_KEY_DIR}/certs/modules.pem'" >> /home/sdk/.bashrc
echo "export MODULES_SIGN_CERT='${MODULE_SIGNING_KEY_DIR}/certs/modules.pub.pem'" >> /home/sdk/.bashrc
fi
}
fi

# This is ugly.
# We need to sudo su - sdk -c so the SDK user gets a fresh login.
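Review bot: The persistent key directory in the unofficial branch is created with a plain `mkdir -p`, so its mode comes from the sdk user's umask, whereas the `mktemp -d` directory it replaces is created owner-only. Because this directory will now hold the module signing private key across container restarts, I would create it restricted, `su sdk -c "mkdir -p -m 0700 '$MODULE_SIGNING_KEY_DIR'"`, and follow with a `chmod 0700` on the same path in case it already exists with a wider mode. A comment above the `else` branch stating that the key is intentionally kept on disk for unofficial builds would document the trade-off next to the code that makes it.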