Message-ID: <CAK7LNATG-kYuxGgzC7e-BbTPMnSH+MCAEVOXoQkdGYH9xLincA@mail.gmail.com>
Date: Mon, 22 Jul 2024 19:23:33 +0900
From: Masahiro Yamada <masahiroy@...nel.org>
To: Petr Pavlu <petr.pavlu@...e.com>
Cc: Luis Chamberlain <mcgrof@...nel.org>, Nathan Chancellor <nathan@...nel.org>, 
	Nicolas Schier <nicolas@...sle.eu>, linux-modules@...r.kernel.org, 
	linux-kbuild@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/2] module: Split modules_install compression and
 in-kernel decompression

On Mon, Jul 22, 2024 at 6:07 PM Petr Pavlu <petr.pavlu@...e.com> wrote:
>
> The kernel configuration allows specifying a module compression mode. If
> one is selected then each module gets compressed during
> 'make modules_install' and additionally one can also enable support for
> a respective direct in-kernel decompression support. This means that the
> decompression support cannot be enabled without the automatic compression.
>
> Some distributions, such as the (open)SUSE family, use a signer service for
> modules. A build runs on a worker machine but signing is done by a separate
> locked-down server that is in possession of the signing key. The build
> invokes 'make modules_install' to create a modules tree, collects
> information about the modules, asks the signer service for their signature,
> appends each signature to the respective module and compresses all modules.
>
> When using this arrangement, the 'make modules_install' step produces
> unsigned+uncompressed modules and the distribution's own build recipe takes
> care of signing and compression later.
>
> The signing support can be currently enabled without automatically signing
> modules during 'make modules_install'. However, the in-kernel decompression
> support can be selected only after first enabling automatic compression
> during this step.
>
> To allow only enabling the in-kernel decompression support without the
> automatic compression during 'make modules_install', separate the
> compression options similarly to the signing options, as follows:
>
> > Enable loadable module support
> [*] Module compression
>       Module compression type (GZIP)  --->
> [*]   Automatically compress all modules
> [ ]   Support in-kernel module decompression
>
> * "Module compression" (MODULE_COMPRESS) is a new main switch for the
>   compression/decompression support. It replaces MODULE_COMPRESS_NONE.
> * "Module compression type" (MODULE_COMPRESS_<type>) chooses the
>   compression type, one of GZ, XZ, ZSTD.
> * "Automatically compress all modules" (MODULE_COMPRESS_ALL) is a new
>   option to enable module compression during 'make modules_install'. It
>   defaults to Y.
> * "Support in-kernel module decompression" (MODULE_DECOMPRESS) enables
>   in-kernel decompression.
>
> Signed-off-by: Petr Pavlu <petr.pavlu@...e.com>
> ---



My preference is to add
 CONFIG_MODULE_DECOMPRESS_GZIP
 CONFIG_MODULE_DECOMPRESS_XZ
 CONFIG_MODULE_DECOMPRESS_ZSTD
instead of
 CONFIG_MODULE_COMPRESS_ALL.




For example,


if MODULE_DECOMPRESS

config MODULE_DECOMPRESS_GZIP
       bool "Support in-kernel GZIP decompression for module"
       default MODULE_COMPRESS_GZIP

config MODULE_DECOMPRESS_XZ
       bool "Support in-kernel XZ decompression for module"
       default MODULE_COMPRESS_XZ

config MODULE_DECOMPRESS_ZSTD
       bool "Support in-kernel ZSTD decompression for module"
       default MODULE_COMPRESS_ZSTD

endif





OR, maybe



config MODULE_DECOMPRESS_GZIP
       bool "Support in-kernel GZIP decompression for module"
       select MODULE_DECOMPRESS

config MODULE_DECOMPRESS_XZ
       bool "Support in-kernel XZ decompression for module"
       select MODULE_DECOMPRESS

config MODULE_DECOMPRESS_ZSTD
       bool "Support in-kernel ZSTD decompression for module"
       select MODULE_DECOMPRESS

config MODULE_DECOMPRESS
       bool




You can toggle MODULE_COMPRESS_GZIP and
MODULE_DECOMPRESS_GZIP independently.


Of course, the current kernel/module/decompress.c does not
work when multiple (or zero) CONFIG_MODULE_DECOMPRESS_* is
enabled. It needs a little modification.


I will wait for Luis's comment.







>  kernel/module/Kconfig    | 61 ++++++++++++++++++++--------------------
>  scripts/Makefile.modinst |  2 ++
>  2 files changed, 33 insertions(+), 30 deletions(-)
>
> diff --git a/kernel/module/Kconfig b/kernel/module/Kconfig
> index 4047b6d48255..bb7f7930fef6 100644
> --- a/kernel/module/Kconfig
> +++ b/kernel/module/Kconfig
> @@ -278,64 +278,65 @@ config MODULE_SIG_HASH
>         default "sha3-384" if MODULE_SIG_SHA3_384
>         default "sha3-512" if MODULE_SIG_SHA3_512
>
> -choice
> -       prompt "Module compression mode"
> +config MODULE_COMPRESS
> +       bool "Module compression"
>         help
> -         This option allows you to choose the algorithm which will be used to
> -         compress modules when 'make modules_install' is run. (or, you can
> -         choose to not compress modules at all.)
> -
> -         External modules will also be compressed in the same way during the
> -         installation.
> -
> -         For modules inside an initrd or initramfs, it's more efficient to
> -         compress the whole initrd or initramfs instead.
> -
> +         Enable module compression to reduce on-disk size of module binaries.
>           This is fully compatible with signed modules.
>
> -         Please note that the tool used to load modules needs to support the
> -         corresponding algorithm. module-init-tools MAY support gzip, and kmod
> -         MAY support gzip, xz and zstd.
> +         The tool used to work with modules needs to support the selected
> +         compression type. kmod MAY support gzip, xz and zstd. Other tools
> +         might have a limited selection of the supported types.
>
> -         Your build system needs to provide the appropriate compression tool
> -         to compress the modules.
> +         Note that for modules inside an initrd or initramfs, it's more
> +         efficient to compress the whole ramdisk instead.
>
> -         If in doubt, select 'None'.
> +         If unsure, say N.
>
> -config MODULE_COMPRESS_NONE
> -       bool "None"
> +choice
> +       prompt "Module compression type"
> +       depends on MODULE_COMPRESS
>         help
> -         Do not compress modules. The installed modules are suffixed
> -         with .ko.
> +         Choose the supported algorithm for module compression.
>
>  config MODULE_COMPRESS_GZIP
>         bool "GZIP"
>         help
> -         Compress modules with GZIP. The installed modules are suffixed
> -         with .ko.gz.
> +         Support modules compressed with GZIP. The installed modules are
> +         suffixed with .ko.gz.
>
>  config MODULE_COMPRESS_XZ
>         bool "XZ"
>         help
> -         Compress modules with XZ. The installed modules are suffixed
> -         with .ko.xz.
> +         Support modules compressed with XZ. The installed modules are
> +         suffixed with .ko.xz.
>
>  config MODULE_COMPRESS_ZSTD
>         bool "ZSTD"
>         help
> -         Compress modules with ZSTD. The installed modules are suffixed
> -         with .ko.zst.
> +         Support modules compressed with ZSTD. The installed modules are
> +         suffixed with .ko.zst.
>
>  endchoice
>
> +config MODULE_COMPRESS_ALL
> +       bool "Automatically compress all modules"
> +       default y
> +       depends on MODULE_COMPRESS
> +       help
> +         Compress all modules during 'make modules_install'.
> +
> +         Your build system needs to provide the appropriate compression tool
> +         for the selected compression type. External modules will also be
> +         compressed in the same way during the installation.
> +
>  config MODULE_DECOMPRESS
>         bool "Support in-kernel module decompression"
> -       depends on MODULE_COMPRESS_GZIP || MODULE_COMPRESS_XZ || MODULE_COMPRESS_ZSTD
> +       depends on MODULE_COMPRESS
>         select ZLIB_INFLATE if MODULE_COMPRESS_GZIP
>         select XZ_DEC if MODULE_COMPRESS_XZ
>         select ZSTD_DECOMPRESS if MODULE_COMPRESS_ZSTD
>         help
> -
>           Support for decompressing kernel modules by the kernel itself
>           instead of relying on userspace to perform this task. Useful when
>           load pinning security policy is enabled.
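
Review bot: The new `config MODULE_COMPRESS` entry at the top of this hunk has no `default`, while the compression-type choice gains `depends on MODULE_COMPRESS`, so an existing .config that only carries CONFIG_MODULE_COMPRESS_GZIP/XZ/ZSTD=y falls back to uncompressed modules after olddefconfig. The diffstat lists only kernel/module/Kconfig and scripts/Makefile.modinst, so any defconfig that sets one of those symbols would need MODULE_COMPRESS=y added in the same change, or the commit message should state the migration step. Separately, the choice help "Choose the supported algorithm for module compression." should say that the selection also decides which decompressor MODULE_DECOMPRESS pulls in, since the `select ... if MODULE_COMPRESS_<type>` lines still key off it.
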
> diff --git a/scripts/Makefile.modinst b/scripts/Makefile.modinst
> index 0afd75472679..bce4a9adb893 100644
> --- a/scripts/Makefile.modinst
> +++ b/scripts/Makefile.modinst
> @@ -51,9 +51,11 @@ $(foreach x, % :, $(if $(findstring $x, $(dst)), \
>         $(error module installation path cannot contain '$x')))
>
>  suffix-y                               :=
> +ifdef CONFIG_MODULE_COMPRESS_ALL
>  suffix-$(CONFIG_MODULE_COMPRESS_GZIP)  := .gz
>  suffix-$(CONFIG_MODULE_COMPRESS_XZ)    := .xz
>  suffix-$(CONFIG_MODULE_COMPRESS_ZSTD)  := .zst
> +endif
>
>  modules := $(patsubst $(extmod_prefix)%.o, $(dst)/%.ko$(suffix-y), $(modules))
>  install-$(CONFIG_MODULES) += $(modules)
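
Review bot: The `ifdef CONFIG_MODULE_COMPRESS_ALL` wrapped around the three `suffix-$(CONFIG_MODULE_COMPRESS_*)` assignments needs a one-line comment, because after this change MODULE_COMPRESS_<type>=y on its own no longer means the installed files get a .gz/.xz/.zst suffix. With MODULE_COMPRESS_ALL unset, `suffix-y` stays empty and modules are installed as plain .ko for a later external sign-and-compress step; saying so next to the ifdef saves the next reader from having to cross-check Kconfig.
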
> --
> 2.35.3
>


-- 
Best Regards
Masahiro Yamada
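
The reply above notes that kernel/module/decompress.c would need modification once several (or zero) CONFIG_MODULE_DECOMPRESS_* options can be enabled together. As an added illustration (user-space C, not code from the kernel, the patch, or either author), one way to pick a decompressor is to check the stream signature against the set of enabled formats. All names here are hypothetical; the `enabled` bitmask stands in for the proposed config symbols.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-ins for CONFIG_MODULE_DECOMPRESS_{GZIP,XZ,ZSTD}. */
enum mod_fmt { FMT_NONE = 0, FMT_GZIP = 1 << 0, FMT_XZ = 1 << 1, FMT_ZSTD = 1 << 2 };

struct magic { enum mod_fmt fmt; size_t len; uint8_t sig[6]; };

/* Leading bytes of a gzip (deflate), xz and zstd stream. */
static const struct magic magics[] = {
    { FMT_GZIP, 3, { 0x1f, 0x8b, 0x08 } },
    { FMT_XZ,   6, { 0xfd, '7', 'z', 'X', 'Z', 0x00 } },
    { FMT_ZSTD, 4, { 0x28, 0xb5, 0x2f, 0xfd } },
};

/* Constructed sample headers (not real modules). */
static const uint8_t sample_gz[]    = { 0x1f, 0x8b, 0x08, 0x00 };
static const uint8_t sample_xz[]    = { 0xfd, '7', 'z', 'X', 'Z', 0x00, 0x00 };
static const uint8_t sample_elf[]   = { 0x7f, 'E', 'L', 'F' };
static const uint8_t sample_short[] = { 0x28, 0xb5 };   /* truncated zstd magic */

/* Identify the container from its first bytes; never reads past size. */
enum mod_fmt sniff_format(const uint8_t *buf, size_t size)
{
    for (size_t i = 0; i < sizeof(magics) / sizeof(magics[0]); i++)
        if (size >= magics[i].len && !memcmp(buf, magics[i].sig, magics[i].len))
            return magics[i].fmt;
    return FMT_NONE;
}

/*
 * Return the format to decompress with, or a negative errno value:
 * -EINVAL for an unknown or truncated signature, -EOPNOTSUPP when the
 * format is recognised but its decompressor is not in the enabled set.
 */
int pick_decompressor(const uint8_t *buf, size_t size, unsigned int enabled)
{
    enum mod_fmt fmt = sniff_format(buf, size);

    if (fmt == FMT_NONE)
        return -EINVAL;
    if (!(enabled & fmt))
        return -EOPNOTSUPP;
    return (int)fmt;
}
```

Separating "unrecognised input" from "recognised but compiled out" keeps the zero-decompressor configuration well defined: every compressed image is rejected with -EOPNOTSUPP rather than being handed to a parser for the wrong format.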
