diff mbox series

[2/3] module-signer-example: add example signer hook and signed variant for example-module

Message ID 20250123145131.1142290-3-gokhan.cetin@siemens.com
State Accepted, archived
Headers show
Series Allow use of external scripts to sign modules | expand

Commit Message

Gokhan Cetin Jan. 23, 2025, 2:51 p.m. UTC 
This patch introduces an example signer hook that generates raw detached signatures
for out-of-tree kernel modules.

Signed-off-by: Gokhan Cetin <gokhan.cetin@siemens.com>
---
 .../files/sign-module.sh                      | 40 +++++++++++++++++++
 .../module-signer-example.bb                  | 20 ++++++++++
 .../example-module-signedwith.bb              | 15 +++++++
 3 files changed, 75 insertions(+)
 create mode 100644 meta-isar/recipes-devtools/module-signer-example/files/sign-module.sh
 create mode 100644 meta-isar/recipes-devtools/module-signer-example/module-signer-example.bb
 create mode 100644 meta-isar/recipes-kernel/example-module/example-module-signedwith.bb
diff mbox series

Patch

diff --git a/meta-isar/recipes-devtools/module-signer-example/files/sign-module.sh b/meta-isar/recipes-devtools/module-signer-example/files/sign-module.sh
new file mode 100644
index 00000000..4d22532b
--- /dev/null
+++ b/meta-isar/recipes-devtools/module-signer-example/files/sign-module.sh
@@ -0,0 +1,40 @@ 
+#!/bin/sh
+#
+# Example signer script that generates detached signatures for modules
+#
+# This software is a part of ISAR.
+# Copyright (c) Siemens AG, 2025
+#
+# SPDX-License-Identifier: MIT
+
+set -e
+
+module=$1
+signature=$2
+hashfn=$3
+certfile=$4
+
+if [ -z "$module" ] || [ -z "$signature" ] || [ -z "$hashfn" ] || [ -z "$certfile" ] ; then
+    exit 1
+fi
+
+echo "Signing module $module with hash function $hashfn and certificate $certfile"
+
+openssl smime -sign -nocerts -noattr -binary \
+    -in "$module" \
+    -md "$hashfn" \
+    -inkey /etc/sb-mok-keys/MOK/MOK.priv \
+    -signer /etc/sb-mok-keys/MOK/MOK.der \
+    -outform DER \
+    -out "$signature"
+
+echo "Verifying signature of module $module with hash function $hashfn and certificate $certfile"
+
+openssl smime -verify \
+    -in "$signature" \
+    -md "$hashfn" \
+    -content "$module" \
+    -certfile /etc/sb-mok-keys/MOK/MOK.der \
+    -noverify \
+    -inform DER \
+    -out /dev/null
diff --git a/meta-isar/recipes-devtools/module-signer-example/module-signer-example.bb b/meta-isar/recipes-devtools/module-signer-example/module-signer-example.bb
new file mode 100644
index 00000000..001e8cc8
--- /dev/null
+++ b/meta-isar/recipes-devtools/module-signer-example/module-signer-example.bb
@@ -0,0 +1,20 @@ 
+# Example recipe for signing a kernel module with custom signer script
+#
+# This software is a part of ISAR.
+# Copyright (c) Siemens AG, 2025
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg-raw
+
+DPKG_ARCH = "all"
+
+DEPENDS = "sb-mok-keys"
+DEBIAN_DEPENDS += "openssl, sb-mok-keys"
+
+SRC_URI = "file://sign-module.sh"
+
+do_install[cleandirs] = "${D}/usr/bin/"
+do_install() {
+    install -m 0755 ${WORKDIR}/sign-module.sh ${D}/usr/bin/sign-module.sh
+}
diff --git a/meta-isar/recipes-kernel/example-module/example-module-signedwith.bb b/meta-isar/recipes-kernel/example-module/example-module-signedwith.bb
new file mode 100644
index 00000000..f611169c
--- /dev/null
+++ b/meta-isar/recipes-kernel/example-module/example-module-signedwith.bb
@@ -0,0 +1,15 @@ 
+# Example recipe for building a custom module
+#
+# This software is a part of ISAR.
+# Copyright (c) Siemens AG, 2025
+#
+# SPDX-License-Identifier: MIT
+
+require example-module.bb
+
+DEPENDS += "module-signer-example"
+DEBIAN_BUILD_DEPENDS .= ', module-signer-example'
+
+DEB_BUILD_PROFILES += 'pkg.signwith'
+SIGNATURE_CERTFILE = '/etc/sb-mok-keys/MOK/MOK.der'
+SIGNATURE_SIGNWITH = '/usr/bin/sign-module.sh'