| Message ID | 20250415122204.120360-5-gokhan.cetin@siemens.com |
|---|---|
| State | Superseded, archived |
| Series | Structure module signing dependencies and providers |
On 15.04.25 14:22, 'Gokhan Cetin' via isar-users wrote: > Introduces single configuration variable (`SIGNATURE_ENABLED`) to > set all predefined profile and dependencies need to be provided. > > By using this option, downstreams will be able to sign all > kernel modules without appending any additional configuration > into their module recipes. > > Signed-off-by: Gokhan Cetin <gokhan.cetin@siemens.com> > --- > meta/recipes-kernel/linux-module/module.inc | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/meta/recipes-kernel/linux-module/module.inc b/meta/recipes-kernel/linux-module/module.inc > index 45d88d48..576a2cad 100644 > --- a/meta/recipes-kernel/linux-module/module.inc > +++ b/meta/recipes-kernel/linux-module/module.inc > @@ -27,6 +27,12 @@ SIGNATURE_KEYFILE ??= "/usr/share/secure-boot-secrets/secure-boot.key" > SIGNATURE_CERTFILE ??= "/usr/share/secure-boot-secrets/secure-boot.pem" > SIGNATURE_HASHFN ??= "sha256" > SIGNATURE_SIGNWITH ??= "/usr/bin/sign-module.sh" > +SIGNATURE_ENABLED ??= "" Should this last control actually be by module recipe (which includes module.inc), or shouldn't we also support build-wide enabling via local.conf etc.? In the latter case, isar should introduce a global control variable, say KERNEL_MODULE_SIGNATURES, which controls that for every module recipe. Jan > + > +# Define signing profile and dependencies if SIGNATURE_ENABLED is set to "1" > +DEB_BUILD_PROFILES += "${@'pkg.signwith' if bb.utils.to_boolean(d.getVar('SIGNATURE_ENABLED')) else ''}" > +DEPENDS += "${@'module-signer secure-boot-secrets' if bb.utils.to_boolean(d.getVar('SIGNATURE_ENABLED')) else ''}" > +DEBIAN_BUILD_DEPENDS .= "${@', module-signer, secure-boot-secrets' if bb.utils.to_boolean(d.getVar('SIGNATURE_ENABLED')) else ''}" > > SRC_URI += "file://debian/" >
diff --git a/meta/recipes-kernel/linux-module/module.inc b/meta/recipes-kernel/linux-module/module.inc index 45d88d48..576a2cad 100644 --- a/meta/recipes-kernel/linux-module/module.inc +++ b/meta/recipes-kernel/linux-module/module.inc @@ -27,6 +27,12 @@ SIGNATURE_KEYFILE ??= "/usr/share/secure-boot-secrets/secure-boot.key" SIGNATURE_CERTFILE ??= "/usr/share/secure-boot-secrets/secure-boot.pem" SIGNATURE_HASHFN ??= "sha256" SIGNATURE_SIGNWITH ??= "/usr/bin/sign-module.sh" +SIGNATURE_ENABLED ??= "" + +# Define signing profile and dependencies if SIGNATURE_ENABLED is set to "1" +DEB_BUILD_PROFILES += "${@'pkg.signwith' if bb.utils.to_boolean(d.getVar('SIGNATURE_ENABLED')) else ''}" +DEPENDS += "${@'module-signer secure-boot-secrets' if bb.utils.to_boolean(d.getVar('SIGNATURE_ENABLED')) else ''}" +DEBIAN_BUILD_DEPENDS .= "${@', module-signer, secure-boot-secrets' if bb.utils.to_boolean(d.getVar('SIGNATURE_ENABLED')) else ''}" SRC_URI += "file://debian/"
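Review bot: In the added `DEBIAN_BUILD_DEPENDS .=` line, the appended string starts with ", ", so it only yields a valid dependency list if DEBIAN_BUILD_DEPENDS already holds at least one entry when module.inc is parsed, and because `.=` is applied immediately it is lost if a recipe assigns the variable with `=` after including module.inc. A deferred append override would let the signer dependencies survive recipe-level assignments. The comment above the three lines says 'set to "1"' while the check is `bb.utils.to_boolean()`, which also accepts other true spellings, so the comment should say "a true value". The same inline condition is repeated three times and could be evaluated once and reused.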
Introduces single configuration variable (`SIGNATURE_ENABLED`) to set all predefined profile and dependencies need to be provided.

By using this option, downstreams will be able to sign all kernel modules without appending any additional configuration into their module recipes.

Signed-off-by: Gokhan Cetin <gokhan.cetin@siemens.com>

---

meta/recipes-kernel/linux-module/module.inc | 6 ++++++

1 file changed, 6 insertions(+)