From f05348d4fa9519434236ad6f6c832cdfad1e87c2 Mon Sep 17 00:00:00 2001 From: Mikhail Novosyolov Date: Mon, 11 Nov 2019 21:16:01 +0300 Subject: [PATCH] Verify that modules are signed (multithreaded) --- kernel.spec | 32 +++++++++++++++++++++++++++++++- 1 file changed, 31 insertions(+), 1 deletion(-) diff --git a/kernel.spec b/kernel.spec index a13ccb0..50ab8ef 100644 --- a/kernel.spec +++ b/kernel.spec @@ -4,7 +4,7 @@ %define sublevel 7 # Release number. Increase this before a rebuild. -%define rpmrel 5 +%define rpmrel 6 %define fullrpmrel %{rpmrel} %define rpmtag %{disttag} @@ -63,6 +63,7 @@ %define certs_dir_rnd %{src_dir}/certs_%{vendor}_rnd %define certs_signing_key_rnd %{certs_dir_rnd}/signing_key.pem %define certs_key_config_rnd %{certs_dir_rnd}/x509.genkey +%define certs_verify_tmp %{certs_dir_rnd}/verify.tmp # %%certs_email_rnd expansion has bashisms %define _buildshell /bin/bash # On ABF, %%packager == $username <$email> @@ -249,6 +250,8 @@ BuildRequires: pkgconfig(libcrypto) %if %{enhanced_security} # To generate keys BuildRequires: openssl +# To verify signatures (find, xargs, hexdump) +BuildRequires: findutils util-linux %endif # might be useful too: 
@@ -1003,6 +1006,33 @@ cd %src_dir rm -rf %{buildroot} cp -a %{temp_root} %{buildroot} +%if %{enhanced_security} +# Multithreaded verification that every kernel module +# has a signature attached to it +mkdir -p "%{certs_dir_rnd}" +echo 0 > %{certs_verify_tmp} +_verify_signature(){ + if [ -z "$1" ] || [ ! -f "$1" ]; then return; fi + if hexdump -C "$1" | awk -F '|' '{print $2}' | tr -d '\n' | \ + grep -q '~Module signature appended~' + then + echo $(($(cat %{certs_verify_tmp})+1)) > %{certs_verify_tmp} + else + echo "ERROR: Module $1 has no signature attached to it!" + exit 1 + fi +} +export -f _verify_signature +find %{target_modules} -name '*.ko' -print0 | sort -u | \ + xargs --null -P "$(nproc)" -I {} "$SHELL" -x -c '_verify_signature "{}"' +if [ "$(cat %{certs_verify_tmp})" -lt 1 ]; then + echo "ERROR: seems that signatures of none modules were verified!" + exit 1 +fi +cat %{certs_verify_tmp} +rm -f %{certs_verify_tmp} +%endif + # compressing modules %if %{build_modxz} find %{target_modules} -name "*.ko" | %kxargs xz -6e
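Review bot: `_verify_signature` only tests that `~Module signature appended~` occurs somewhere in the hexdump text, so it does not confirm that the marker ends the module or that the signature validates against the build key; in addition, `awk -F '|' '{print $2}'` cuts a row short whenever the module data itself contains a `|` byte, which can hide a real marker and fail the build falsely. In the pipeline, `sort -u` without `-z` appears to treat the whole NUL-separated list as one record and append a newline, which xargs then hands over as a bogus last item that the `[ ! -f "$1" ]` guard silently skips. Also, `'_verify_signature "{}"'` pastes each path into shell source instead of passing it as an argument, and `"$SHELL"` comes from the builder's environment and need not be bash, which `export -f` requires. The counter in `%{certs_verify_tmp}` is read and rewritten by up to `nproc` workers with no locking, so its value is unreliable and the real pass/fail signal is the xargs exit status, which aborts the build only if the surrounding scriptlet (it starts outside this hunk) runs with errexit. The sketch below checks the trailing marker directly, counts the modules once before the parallel run and fails explicitly; it is still a presence check, so the comment and commit subject should say "has a signature appended" rather than "verify".

```spec
# … unchanged: enhanced_security guard and mkdir -p of the certs directory …
_verify_signature(){
  # A signed module ends with this marker followed by a newline (28 bytes)
  if tail -c 28 "$1" | grep -qFx '~Module signature appended~'; then
    return 0
  fi
  echo "ERROR: Module $1 has no signature attached to it!" >&2
  return 1
}
export -f _verify_signature
find %{target_modules} -type f -name '*.ko' -print0 > %{certs_verify_tmp}
# Count once, outside the parallel workers, so there is no shared counter
if [ "$(tr -cd '\0' < %{certs_verify_tmp} | wc -c)" -lt 1 ]; then
  echo "ERROR: no kernel modules found to verify!" >&2
  exit 1
fi
# Pass the path as an argument, never as part of the command string
xargs --null -n 1 -P "$(nproc)" bash -c '_verify_signature "$1"' _ \
  < %{certs_verify_tmp} || exit 1
rm -f %{certs_verify_tmp}
```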