Looks like a good workaround!

Acked-by: Ping Cheng <ping.ch...@wacom.com>

I assume you had someone tested the patch for you. Can you get a test-by
from them?

Thank you for your effor.
Ping

On Fri, Nov 30, 2018 at 10:38 AM Jason Gerecke <killert...@gmail.com> wrote:

> It is becoming more common for systems to only allow signed kernel modules
> to be loaded (e.g. because the kernel is in "lockdown mode" due to secure
> boot policies). Users who follow the standard configure / make / install
> process find that the driver does not work after rebooting and often don't
> know what is wrong.
>
> This commit teaches the configure script and Makefiles a few new tricks:
>
>   * Detection of when module signing is required by the system
>   * Detection of existing key and cert used for module signing (Ubuntu
>     only)
>   * Ability to manually specify key, cert, and hash algorithm to be
>     used for module signing
>   * Abort configure if signing is required but not possible
>   * New makefile target to add the signature prior to installing
>
> Module signing is opportunistic by default. If a key and cert can be
> found (or are provided to the configure script), the modules will be
> signed -- even if not otherwise required. If a key and cert aren't
> available then we will try to build an unsigned driver instead. If
> the system is set up to require signed modules, we will cowardly
> error out of the configure script unless the user explicitly requests
> the driver to be left unsigned.
>
> A phony "signature" Makefile target is provided which is called by
> `make install` and which is available for developers who want/need
> to sign the module without actually installing it. Users can use
> `make && sudo make install` while developers can use `make && sudo
> make signature`. If module signing is disabled the "signature"
> target does nothing.
> ---
>  2.6.32/Makefile.in | 12 +++++-
>  2.6.38/Makefile.in | 12 +++++-
>  3.17/Makefile.in   | 12 +++++-
>  3.7/Makefile.in    | 12 +++++-
>  4.5/Makefile.in    | 12 +++++-
>  configure.ac       | 96 ++++++++++++++++++++++++++++++++++++++++++++++
>  6 files changed, 151 insertions(+), 5 deletions(-)
>
> diff --git a/2.6.32/Makefile.in b/2.6.32/Makefile.in
> index 38876be..6290771 100644
> --- a/2.6.32/Makefile.in
> +++ b/2.6.32/Makefile.in
> @@ -20,6 +20,9 @@ PWD  := $(shell pwd)
>  WCM_KERNEL_DIR := @WCM_KERNEL_DIR@
>  MODUTS := @MODUTS@
>  WCM_KERNEL_VER := @WCM_KERNEL_VER@
> +MODSIGN_HASHALGO := @MODSIGN_HASHALGO@
> +MODSIGN_PRIVFILE := @MODSIGN_PRIVFILE@
> +MODSIGN_CERTFILE := @MODSIGN_CERTFILE@
>
>  all:
>         @echo '    Building input-wacom drivers for $(WCM_KERNEL_VER)
> kernel.'
> @@ -28,7 +31,13 @@ all:
>  clean:
>         $(MAKE) -C $(WCM_KERNEL_DIR) M=$(PWD) clean
>
> -install modules_install:
> +signature: all
> +       if test -n "$(MODSIGN_HASHALGO)" -a -n "$(MODSIGN_PRIVFILE)" -a -n
> "$(MODSIGN_CERTFILE)"; then \
> +           $(WCM_KERNEL_DIR)/scripts/sign-file "$(MODSIGN_HASHALGO)"
> "$(MODSIGN_PRIVFILE)" "$(MODSIGN_CERTFILE)" wacom.ko; \
> +           $(WCM_KERNEL_DIR)/scripts/sign-file "$(MODSIGN_HASHALGO)"
> "$(MODSIGN_PRIVFILE)" "$(MODSIGN_CERTFILE)" wacom_w8001.ko; \
> +       fi
> +
> +install modules_install: signature
>         $(MAKE) -C $(WCM_KERNEL_DIR) M=$(PWD) modules_install
>         mkdir -p /etc/depmod.d
>         echo "override wacom * extra" > /etc/depmod.d/input-wacom.conf
> @@ -59,5 +68,6 @@ distdir:
>
>  EMPTY_AUTOMAKE_TARGETS = install-data install-exec uninstall install-info
>  EMPTY_AUTOMAKE_TARGETS += installdirs check dvi pdf ps info html tags
> ctags mostlyclean maintainer-clean
> +EMPTY_AUTOMAKE_TARGETS += signature
>  .PHONY: $(EMPTY_AUTOMAKE_TARGETS)
>         $(EMPTY_AUTOMAKE_TARGETS):
> diff --git a/2.6.38/Makefile.in b/2.6.38/Makefile.in
> index da131dc..4779420 100644
> --- a/2.6.38/Makefile.in
> +++ b/2.6.38/Makefile.in
> @@ -20,6 +20,9 @@ PWD  := $(shell pwd)
>  WCM_KERNEL_DIR := @WCM_KERNEL_DIR@
>  MODUTS := @MODUTS@
>  WCM_KERNEL_VER := @WCM_KERNEL_VER@
> +MODSIGN_HASHALGO := @MODSIGN_HASHALGO@
> +MODSIGN_PRIVFILE := @MODSIGN_PRIVFILE@
> +MODSIGN_CERTFILE := @MODSIGN_CERTFILE@
>
>  all:
>         @echo '    Building input-wacom drivers for $(WCM_KERNEL_VER)
> kernel.'
> @@ -28,7 +31,13 @@ all:
>  clean:
>         $(MAKE) -C $(WCM_KERNEL_DIR) M=$(PWD) clean
>
> -install modules_install:
> +signature: all
> +       if test -n "$(MODSIGN_HASHALGO)" -a -n "$(MODSIGN_PRIVFILE)" -a -n
> "$(MODSIGN_CERTFILE)"; then \
> +           $(WCM_KERNEL_DIR)/scripts/sign-file "$(MODSIGN_HASHALGO)"
> "$(MODSIGN_PRIVFILE)" "$(MODSIGN_CERTFILE)" wacom.ko; \
> +           $(WCM_KERNEL_DIR)/scripts/sign-file "$(MODSIGN_HASHALGO)"
> "$(MODSIGN_PRIVFILE)" "$(MODSIGN_CERTFILE)" wacom_w8001.ko; \
> +       fi
> +
> +install modules_install: signature
>         $(MAKE) -C $(WCM_KERNEL_DIR) M=$(PWD) modules_install
>         mkdir -p /etc/depmod.d
>         echo "override wacom * extra" > /etc/depmod.d/input-wacom.conf
> @@ -59,5 +68,6 @@ distdir:
>
>  EMPTY_AUTOMAKE_TARGETS = install-data install-exec uninstall install-info
>  EMPTY_AUTOMAKE_TARGETS += installdirs check dvi pdf ps info html tags
> ctags mostlyclean maintainer-clean
> +EMPTY_AUTOMAKE_TARGETS += signature
>  .PHONY: $(EMPTY_AUTOMAKE_TARGETS)
>         $(EMPTY_AUTOMAKE_TARGETS):
> diff --git a/3.17/Makefile.in b/3.17/Makefile.in
> index b3683b7..7077d8c 100644
> --- a/3.17/Makefile.in
> +++ b/3.17/Makefile.in
> @@ -29,6 +29,9 @@ DRACUT := $(shell command -v dracut 2>/dev/null)
>  WCM_KERNEL_DIR := @WCM_KERNEL_DIR@
>  MODUTS := @MODUTS@
>  WCM_KERNEL_VER := @WCM_KERNEL_VER@
> +MODSIGN_HASHALGO := @MODSIGN_HASHALGO@
> +MODSIGN_PRIVFILE := @MODSIGN_PRIVFILE@
> +MODSIGN_CERTFILE := @MODSIGN_CERTFILE@
>
>  all:
>         @echo '    Building input-wacom drivers for $(WCM_KERNEL_VER)
> kernel.'
> @@ -37,7 +40,13 @@ all:
>  clean:
>         $(MAKE) -C $(WCM_KERNEL_DIR) M=$(PWD) clean
>
> -install modules_install:
> +signature: all
> +       if test -n "$(MODSIGN_HASHALGO)" -a -n "$(MODSIGN_PRIVFILE)" -a -n
> "$(MODSIGN_CERTFILE)"; then \
> +           $(WCM_KERNEL_DIR)/scripts/sign-file "$(MODSIGN_HASHALGO)"
> "$(MODSIGN_PRIVFILE)" "$(MODSIGN_CERTFILE)" wacom.ko; \
> +           $(WCM_KERNEL_DIR)/scripts/sign-file "$(MODSIGN_HASHALGO)"
> "$(MODSIGN_PRIVFILE)" "$(MODSIGN_CERTFILE)" wacom_w8001.ko; \
> +       fi
> +
> +install modules_install: signature
>         $(MAKE) -C $(WCM_KERNEL_DIR) M=$(PWD) modules_install
>         mkdir -p /etc/depmod.d
>         echo "override wacom * extra" > /etc/depmod.d/input-wacom.conf
> @@ -78,5 +87,6 @@ distdir:
>
>  EMPTY_AUTOMAKE_TARGETS = install-data install-exec uninstall install-info
>  EMPTY_AUTOMAKE_TARGETS += installdirs check dvi pdf ps info html tags
> ctags mostlyclean maintainer-clean
> +EMPTY_AUTOMAKE_TARGETS += signature
>  .PHONY: $(EMPTY_AUTOMAKE_TARGETS)
>         $(EMPTY_AUTOMAKE_TARGETS):
> diff --git a/3.7/Makefile.in b/3.7/Makefile.in
> index f313ca1..7b3290a 100644
> --- a/3.7/Makefile.in
> +++ b/3.7/Makefile.in
> @@ -21,6 +21,9 @@ DRACUT := $(shell command -v dracut 2>/dev/null)
>  WCM_KERNEL_DIR := @WCM_KERNEL_DIR@
>  MODUTS := @MODUTS@
>  WCM_KERNEL_VER := @WCM_KERNEL_VER@
> +MODSIGN_HASHALGO := @MODSIGN_HASHALGO@
> +MODSIGN_PRIVFILE := @MODSIGN_PRIVFILE@
> +MODSIGN_CERTFILE := @MODSIGN_CERTFILE@
>
>  all:
>         @echo '    Building input-wacom drivers for $(WCM_VERSION_VER)
> kernel.'
> @@ -29,7 +32,13 @@ all:
>  clean:
>         $(MAKE) -C $(WCM_KERNEL_DIR) M=$(PWD) clean
>
> -install modules_install:
> +signature: all
> +       if test -n "$(MODSIGN_HASHALGO)" -a -n "$(MODSIGN_PRIVFILE)" -a -n
> "$(MODSIGN_CERTFILE)"; then \
> +           $(WCM_KERNEL_DIR)/scripts/sign-file "$(MODSIGN_HASHALGO)"
> "$(MODSIGN_PRIVFILE)" "$(MODSIGN_CERTFILE)" wacom.ko; \
> +           $(WCM_KERNEL_DIR)/scripts/sign-file "$(MODSIGN_HASHALGO)"
> "$(MODSIGN_PRIVFILE)" "$(MODSIGN_CERTFILE)" wacom_w8001.ko; \
> +       fi
> +
> +install modules_install: signature
>         $(MAKE) -C $(WCM_KERNEL_DIR) M=$(PWD) modules_install
>         mkdir -p /etc/depmod.d
>         echo "override wacom * extra" > /etc/depmod.d/input-wacom.conf
> @@ -63,5 +72,6 @@ distdir:
>
>  EMPTY_AUTOMAKE_TARGETS = install-data install-exec uninstall install-info
>  EMPTY_AUTOMAKE_TARGETS += installdirs check dvi pdf ps info html tags
> ctags mostlyclean maintainer-clean
> +EMPTY_AUTOMAKE_TARGETS += signature
>  .PHONY: $(EMPTY_AUTOMAKE_TARGETS)
>         $(EMPTY_AUTOMAKE_TARGETS):
> diff --git a/4.5/Makefile.in b/4.5/Makefile.in
> index 438229b..dd89344 100644
> --- a/4.5/Makefile.in
> +++ b/4.5/Makefile.in
> @@ -22,6 +22,9 @@ DRACUT := $(shell command -v dracut 2>/dev/null)
>  WCM_KERNEL_DIR := @WCM_KERNEL_DIR@
>  MODUTS := @MODUTS@
>  WCM_KERNEL_VER := @WCM_KERNEL_VER@
> +MODSIGN_HASHALGO := @MODSIGN_HASHALGO@
> +MODSIGN_PRIVFILE := @MODSIGN_PRIVFILE@
> +MODSIGN_CERTFILE := @MODSIGN_CERTFILE@
>
>  all:
>         @echo '    Building input-wacom drivers for $(WCM_KERNEL_VER)
> kernel.'
> @@ -30,7 +33,13 @@ all:
>  clean:
>         $(MAKE) -C $(WCM_KERNEL_DIR) M=$(PWD) clean
>
> -install modules_install:
> +signature: all
> +       if test -n "$(MODSIGN_HASHALGO)" -a -n "$(MODSIGN_PRIVFILE)" -a -n
> "$(MODSIGN_CERTFILE)"; then \
> +           $(WCM_KERNEL_DIR)/scripts/sign-file "$(MODSIGN_HASHALGO)"
> "$(MODSIGN_PRIVFILE)" "$(MODSIGN_CERTFILE)" wacom.ko; \
> +           $(WCM_KERNEL_DIR)/scripts/sign-file "$(MODSIGN_HASHALGO)"
> "$(MODSIGN_PRIVFILE)" "$(MODSIGN_CERTFILE)" wacom_w8001.ko; \
> +       fi
> +
> +install modules_install: signature
>         $(MAKE) -C $(WCM_KERNEL_DIR) M=$(PWD) modules_install
>         mkdir -p /etc/depmod.d
>         echo "override wacom * extra" > /etc/depmod.d/input-wacom.conf
> @@ -70,5 +79,6 @@ distdir:
>
>  EMPTY_AUTOMAKE_TARGETS = install-data install-exec uninstall install-info
>  EMPTY_AUTOMAKE_TARGETS += installdirs check dvi pdf ps info html tags
> ctags mostlyclean maintainer-clean
> +EMPTY_AUTOMAKE_TARGETS += signature
>  .PHONY: $(EMPTY_AUTOMAKE_TARGETS)
>         $(EMPTY_AUTOMAKE_TARGETS):
> diff --git a/configure.ac b/configure.ac
> index e4afd11..64413c8 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -6,6 +6,7 @@ AC_CONFIG_SRCDIR([Makefile.am])
>  AC_CONFIG_HEADERS([config.h])
>
>  AM_INIT_AUTOMAKE([dist-bzip2 no-dist-gzip foreign])
> +AM_EXTRA_RECURSIVE_TARGETS([signature])
>  AM_MAINTAINER_MODE
>
>  AC_PROG_CC
> @@ -232,6 +233,98 @@ if test "$RHEL7_RELEASE" -ge "4"; then
>          WCM_KERNEL_VER="3.17"
>  fi
>
> +dnl =======================================================
> +dnl Module signing
> +
> +AC_MSG_CHECKING(kernel sig_enforce parameter)
> +SIG_KERNEL=$(cat /sys/module/module/parameters/sig_enforce 2>/dev/null ||
> echo "(unknown)")
> +AC_MSG_RESULT([$SIG_KERNEL])
> +
> +AC_MSG_CHECKING(mokutil sb-state)
> +SIG_MOK=$(mokutil --sb-state 2>/dev/null || echo "(unknown)")
> +AC_MSG_RESULT([$SIG_MOK])
> +
> +SIG_REQUIRED=$(( $(echo "$SIG_KERNEL" | grep -q "Y" && echo "1" || echo
> "0") + \
> +                 $(echo "$SIG_MOK" | grep -q "enabled" && echo "1" ||
> echo "0") \
> +              ))
> +
> +MODSIGN_ENABLE=default
> +MODSIGN_HASHALGO=
> +MODSIGN_PRIVFILE=
> +MODSIGN_CERTFILE=
> +
> +AC_ARG_ENABLE(module-signing,
> +       AS_HELP_STRING([--disable-module-signing], [Disable automatic
> module signing]),
> +       [MODSIGN_ENABLE="$enableval"])
> +AC_ARG_WITH(hash-algorithm,
> +       AS_HELP_STRING([--with-hash-algorithm=<alg>], [Specify module
> signing hash algorithm]),
> +       [MODSIGN_HASHALGO="$withval"])
> +AC_ARG_WITH(signing-key,
> +       AS_HELP_STRING([--with-signing-key=<trusted.priv>], [Specify
> module signing key location]),
> +       [MODSIGN_PRIVFILE="$withval"])
> +AC_ARG_WITH(signing-cert,
> +       AS_HELP_STRING([--with-signing-cert=<trusted.der>], [Specify
> module signing cert location]),
> +       [MODSIGN_CERTFILE="$withval"])
> +
> +if test "$MODSIGN_ENABLE" = "yes" -o "$MODSIGN_ENABLE" = "default"; then
> +       if test "$MODSIGN_HASHALGO" = "yes" -o -z "$MODSIGN_HASHALGO"; then
> +               MODSIGN_HASHALGO="sha512"
> +       fi
> +
> +       # There is no standard location for storing kernel signing keys
> +       # and certificates. The kernel itself has CONFIG_MODULE_SIG_KEY
> +       # (which contains a key and cert) which likely points to a file
> +       # that doesn't exist unless you built the kernel yourself. Most
> +       # distributions use the "shim" bootloader which allows "machine
> +       # owner keys" (MOK) to be enrolled by the end-user, but only
> +       # Ubuntu provides a tool to automatically generate these keys
> +       # (`update-secureboot-policy --new-key`); other distros rely on
> +       # the user generating the key/cert themselves and keeping it in a
> +       # suitably-safe location.
> +       #
> +       # The kernel should automatically try to sign modules as part of
> +       # the `make modules_install` step, so that covers the first case.
> +       # In the second case the best we can do is try Ubuntu's location.
> +
> +       if test "$MODSIGN_PRIVFILE" = "yes" -o -z "$MODSIGN_PRIVFILE"; then
> +               MODSIGN_PRIVFILE=$(ls /var/lib/shim-signed/mok/MOK.priv
> 2>/dev/null || echo "$MODSIGN_PRIVFILE")
> +       fi
> +       if test "$MODSIGN_CERTFILE" = "yes" -o -z "$MODSIGN_CERTFILE"; then
> +               MODSIGN_CERTFILE=$(ls /var/lib/shim-signed/mok/MOK.der
> 2>/dev/null || echo "$MODSIGN_CERTFILE")
> +       fi
> +
> +       AC_MSG_CHECKING(for module signing hash algorithm)
> +       AC_MSG_RESULT([$MODSIGN_HASHALGO])
> +       AC_MSG_CHECKING(for module signing key)
> +       AC_MSG_RESULT([$MODSIGN_PRIVFILE])
> +       AC_MSG_CHECKING(for module signing certificate)
> +       AC_MSG_RESULT([$MODSIGN_CERTFILE])
> +
> +       if test ! -f "$MODSIGN_PRIVFILE" -o ! -f "$MODSIGN_CERTFILE"; then
> +               AC_MSG_WARN([Module signing key and/or certificate
> missing.])
> +
> +               if test "$MODSIGN_ENABLE" = "yes"; then
> +                       AC_MSG_ERROR([Unable to honor explicit request for
> module signing.])
> +               fi
> +
> +               if test "$SIG_REQUIRED" -gt 0; then
> +                       AC_MSG_ERROR([Kernel is configured to only load dnl
> +signed modules but we are unable to produce a signed module. Either (1)
> dnl
> +re-run configure with the options '--with-signing-key=<key>' and dnl
> +'--with-signing-cert=<cert>' set, (2) indicate you will sign the modules
> dnl
> +yourself by re-running configure with the '--disable-module-signing' dnl
> +option set, or (3) disable the kernel's signed module requirement (e.g.
> dnl
> +disable secure boot).])
> +               fi
> +       fi
> +else
> +       # Make sure we don't pass these along via AC_SUBST
> +       MODSIGN_HASHALGO=
> +       MODSIGN_PRIVFILE=
> +       MODSIGN_CERTFILE=
> +fi
> +
> +
>  dnl Separate test output from file-generation output
>  echo
>
> @@ -240,6 +333,9 @@ AC_SUBST(WCM_KERNEL_DIR)
>  AC_SUBST(WCM_KERNEL_VER)
>  AC_SUBST(RHEL7_RELEASE)
>  AC_SUBST(MODUTS)
> +AC_SUBST(MODSIGN_HASHALGO)
> +AC_SUBST(MODSIGN_PRIVFILE)
> +AC_SUBST(MODSIGN_CERTFILE)
>
>  AC_CONFIG_FILES([Makefile
>                   2.6.32/Makefile
> --
> 2.19.2
>
>
_______________________________________________
Linuxwacom-devel mailing list
Linuxwacom-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linuxwacom-devel

Reply via email to