| Message ID | 20260119060648.40011-1-badrikesh.prusty@siemens.com |
|---|---|
| State | Under Review |
| Headers | show |
| Series | linux-custom: generate secrets package for out-of-tree module signing | expand |
On 19.01.26 07:06, 'Badrikesh Prusty' via isar-users wrote: > Add a new package, linux-image-<kernel>-secrets, to ship the kernel > module signing keys required for signing out-of-tree kernel modules. > > The package is built only when the pkg.<BPN>.secrets build profile is > enabled and installs the signing_key artifacts generated during the > kernel build into /usr/share/linux-secrets. > > This allows out-of-tree modules to be signed with the same key used for > in-tree modules. > > Usage: > In the out-of-tree module recipe: > SIGNATURE_KEYFILE = "/usr/share/linux-secrets/signing_key.pem" > SIGNATURE_CERTFILE = "/usr/share/linux-secrets/signing_key.x509" > DEBIAN_BUILD_DEPENDS:append = ", linux-secrets" > > In the kernel recipe, enable the secrets build profile: > BUILD_PROFILES:append = " pkg.${BPN}.secrets" > > NOTE: The linux-image-<kernel>-secrets package contains the private > module signing key. Care must be taken NOT to distribute this package > in package feeds or images, as this would allow anyone to sign kernel > modules that the kernel would trust. > > Signed-off-by: Badrikesh Prusty <badrikesh.prusty@siemens.com> > --- > RECIPE-API-CHANGELOG.md | 24 +++++++++++++++++++ > .../linux/files/debian/control.tmpl | 7 ++++++ > .../linux/files/debian/isar/common.tmpl | 1 + > .../linux/files/debian/isar/install.tmpl | 19 +++++++++++++++ > 4 files changed, 51 insertions(+) > > diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md > index 0bad8a44..1a33d6ae 100644 > --- a/RECIPE-API-CHANGELOG.md > +++ b/RECIPE-API-CHANGELOG.md > @@ -962,3 +962,27 @@ INSTALLER_UNATTENDED_ABORT_ENABLE = "1" > # Optional: set countdown timeout in seconds (default 5) > INSTALLER_UNATTENDED_ABORT_TIMEOUT = "5" > ``` > + > +### Add linux-image-<kernel>-secrets package for out-of-tree module signing > + > +linux-image-<kernel>-secrets ships kernel module signing keys required for > +signing out-of-tree kernel modules. > + > +The package is built only when the `pkg.<BPN>.secrets` build profile is > +enabled and installs the signing_key artifacts generated during the kernel > +build into `/usr/share/linux-secrets`. > + > +Usage: > +``` > +# In the out-of-tree module recipe: > +SIGNATURE_KEYFILE = "/usr/share/linux-secrets/signing_key.pem" > +SIGNATURE_CERTFILE = "/usr/share/linux-secrets/signing_key.x509" > +DEBIAN_BUILD_DEPENDS:append = ", linux-secrets" > + > +# In the kernel recipe, enable the secrets build profile: > +BUILD_PROFILES:append = " pkg.${BPN}.secrets" > +``` > + > +SECURITY NOTE: This package contains the private module signing key. Do not > +distribute it in package feeds or images, as this would allow anyone to sign > +kernel modules that the kernel would trust. > diff --git a/meta/recipes-kernel/linux/files/debian/control.tmpl b/meta/recipes-kernel/linux/files/debian/control.tmpl > index ee87cf92..969f6b0c 100644 > --- a/meta/recipes-kernel/linux/files/debian/control.tmpl > +++ b/meta/recipes-kernel/linux/files/debian/control.tmpl > @@ -69,3 +69,10 @@ Conflicts: linux-kbuild-${KERNEL_NAME_PROVIDED} > Description: ${KERNEL_NAME_PROVIDED} Linux kbuild scripts and tools for @KR@ > This package provides kernel kbuild scripts and tools for @KR@ > This is useful for people who need to build external modules > + > +Package: linux-image-${KERNEL_NAME_PROVIDED}-secrets > +Build-Profiles: <pkg.${BPN}.secrets> > +Section: devel > +Provides: linux-secrets > +Architecture: all > +Description: Linux kernel module signing secrets > diff --git a/meta/recipes-kernel/linux/files/debian/isar/common.tmpl b/meta/recipes-kernel/linux/files/debian/isar/common.tmpl > index f9cc2f02..6554cdb0 100644 > --- a/meta/recipes-kernel/linux/files/debian/isar/common.tmpl > +++ b/meta/recipes-kernel/linux/files/debian/isar/common.tmpl > @@ -38,6 +38,7 @@ deb_libc_hdr_dir=${deb_top_dir}/${KERNEL_PKG_LIBC_HEADERS} > deb_libc_hdr_cross_dir=${deb_top_dir}/${KERNEL_PKG_LIBC_HEADERS_CROSS} > deb_kern_kbuild_dir=${deb_top_dir}/${KERNEL_PKG_KERN_KBUILD} > deb_kern_kbuild_cross_dir=${deb_top_dir}/${KERNEL_PKG_KERN_KBUILD_CROSS} > +deb_kern_secrets=${deb_top_dir}/${KERNEL_PKG_IMAGE}-secrets > > # Array of packages to be generated > declare -A kern_pkgs > diff --git a/meta/recipes-kernel/linux/files/debian/isar/install.tmpl b/meta/recipes-kernel/linux/files/debian/isar/install.tmpl > index 6fa94508..99d64ca5 100644 > --- a/meta/recipes-kernel/linux/files/debian/isar/install.tmpl > +++ b/meta/recipes-kernel/linux/files/debian/isar/install.tmpl > @@ -70,6 +70,11 @@ do_install() { > install_headers > fi > > + if echo "${DEB_BUILD_PROFILES}" | grep -q "pkg.${BPN}.secrets"; then > + kern_secrets_path="${deb_kern_secrets}/usr/share/linux-secrets" > + install_module_signing_secrets "${kern_secrets_path}" > + fi > + > # Stop tracing > set +x > } > @@ -271,4 +276,18 @@ install_kbuild() { > kernel_tools > } > > +install_module_signing_secrets() { > + local dest="${1}" > + local keydir="${KERNEL_BUILD_DIR}/certs" > + local priv="${keydir}/signing_key.pem" > + local cert="${keydir}/signing_key.x509" > + if [ ! -f "${priv}" ] || [ ! -f "${cert}" ]; then > + echo "error: module signing keys not found but pkg.${BPN}.secrets is enabled" >&2 > + return 1 > + fi > + install -d -m 0755 ${dest} > + install -m 0400 ${KERNEL_BUILD_DIR}/certs/signing_key.pem ${dest}/ > + install -m 0444 ${KERNEL_BUILD_DIR}/certs/signing_key.x509 ${dest}/ > +} > + > main install ${*} Given the risk that comes with this new packages and also in the light of [1], I think we should rather enable consistent module signing with existing, managed key providers. Jan [1] https://gitlab.com/cip-project/cip-core/isar-cip-core/-/issues/144
diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md index 0bad8a44..1a33d6ae 100644 --- a/RECIPE-API-CHANGELOG.md +++ b/RECIPE-API-CHANGELOG.md @@ -962,3 +962,27 @@ INSTALLER_UNATTENDED_ABORT_ENABLE = "1" # Optional: set countdown timeout in seconds (default 5) INSTALLER_UNATTENDED_ABORT_TIMEOUT = "5" ``` + +### Add linux-image-<kernel>-secrets package for out-of-tree module signing + +linux-image-<kernel>-secrets ships kernel module signing keys required for +signing out-of-tree kernel modules. + +The package is built only when the `pkg.<BPN>.secrets` build profile is +enabled and installs the signing_key artifacts generated during the kernel +build into `/usr/share/linux-secrets`. + +Usage: +``` +# In the out-of-tree module recipe: +SIGNATURE_KEYFILE = "/usr/share/linux-secrets/signing_key.pem" +SIGNATURE_CERTFILE = "/usr/share/linux-secrets/signing_key.x509" +DEBIAN_BUILD_DEPENDS:append = ", linux-secrets" + +# In the kernel recipe, enable the secrets build profile: +BUILD_PROFILES:append = " pkg.${BPN}.secrets" +``` + +SECURITY NOTE: This package contains the private module signing key. Do not +distribute it in package feeds or images, as this would allow anyone to sign +kernel modules that the kernel would trust. diff --git a/meta/recipes-kernel/linux/files/debian/control.tmpl b/meta/recipes-kernel/linux/files/debian/control.tmpl index ee87cf92..969f6b0c 100644 --- a/meta/recipes-kernel/linux/files/debian/control.tmpl +++ b/meta/recipes-kernel/linux/files/debian/control.tmpl @@ -69,3 +69,10 @@ Conflicts: linux-kbuild-${KERNEL_NAME_PROVIDED} Description: ${KERNEL_NAME_PROVIDED} Linux kbuild scripts and tools for @KR@ This package provides kernel kbuild scripts and tools for @KR@ This is useful for people who need to build external modules + +Package: linux-image-${KERNEL_NAME_PROVIDED}-secrets +Build-Profiles: <pkg.${BPN}.secrets> +Section: devel +Provides: linux-secrets +Architecture: all +Description: Linux kernel module signing secrets diff --git a/meta/recipes-kernel/linux/files/debian/isar/common.tmpl b/meta/recipes-kernel/linux/files/debian/isar/common.tmpl index f9cc2f02..6554cdb0 100644 --- a/meta/recipes-kernel/linux/files/debian/isar/common.tmpl +++ b/meta/recipes-kernel/linux/files/debian/isar/common.tmpl @@ -38,6 +38,7 @@ deb_libc_hdr_dir=${deb_top_dir}/${KERNEL_PKG_LIBC_HEADERS} deb_libc_hdr_cross_dir=${deb_top_dir}/${KERNEL_PKG_LIBC_HEADERS_CROSS} deb_kern_kbuild_dir=${deb_top_dir}/${KERNEL_PKG_KERN_KBUILD} deb_kern_kbuild_cross_dir=${deb_top_dir}/${KERNEL_PKG_KERN_KBUILD_CROSS} +deb_kern_secrets=${deb_top_dir}/${KERNEL_PKG_IMAGE}-secrets # Array of packages to be generated declare -A kern_pkgs diff --git a/meta/recipes-kernel/linux/files/debian/isar/install.tmpl b/meta/recipes-kernel/linux/files/debian/isar/install.tmpl index 6fa94508..99d64ca5 100644 --- a/meta/recipes-kernel/linux/files/debian/isar/install.tmpl +++ b/meta/recipes-kernel/linux/files/debian/isar/install.tmpl @@ -70,6 +70,11 @@ do_install() { install_headers fi + if echo "${DEB_BUILD_PROFILES}" | grep -q "pkg.${BPN}.secrets"; then + kern_secrets_path="${deb_kern_secrets}/usr/share/linux-secrets" + install_module_signing_secrets "${kern_secrets_path}" + fi + # Stop tracing set +x } @@ -271,4 +276,18 @@ install_kbuild() { kernel_tools } +install_module_signing_secrets() { + local dest="${1}" + local keydir="${KERNEL_BUILD_DIR}/certs" + local priv="${keydir}/signing_key.pem" + local cert="${keydir}/signing_key.x509" + if [ ! -f "${priv}" ] || [ ! -f "${cert}" ]; then + echo "error: module signing keys not found but pkg.${BPN}.secrets is enabled" >&2 + return 1 + fi + install -d -m 0755 ${dest} + install -m 0400 ${KERNEL_BUILD_DIR}/certs/signing_key.pem ${dest}/ + install -m 0444 ${KERNEL_BUILD_DIR}/certs/signing_key.x509 ${dest}/ +} + main install ${*}
Add a new package, linux-image-<kernel>-secrets, to ship the kernel module signing keys required for signing out-of-tree kernel modules. The package is built only when the pkg.<BPN>.secrets build profile is enabled and installs the signing_key artifacts generated during the kernel build into /usr/share/linux-secrets. This allows out-of-tree modules to be signed with the same key used for in-tree modules. Usage: In the out-of-tree module recipe: SIGNATURE_KEYFILE = "/usr/share/linux-secrets/signing_key.pem" SIGNATURE_CERTFILE = "/usr/share/linux-secrets/signing_key.x509" DEBIAN_BUILD_DEPENDS:append = ", linux-secrets" In the kernel recipe, enable the secrets build profile: BUILD_PROFILES:append = " pkg.${BPN}.secrets" NOTE: The linux-image-<kernel>-secrets package contains the private module signing key. Care must be taken NOT to distribute this package in package feeds or images, as this would allow anyone to sign kernel modules that the kernel would trust. Signed-off-by: Badrikesh Prusty <badrikesh.prusty@siemens.com> --- RECIPE-API-CHANGELOG.md | 24 +++++++++++++++++++ .../linux/files/debian/control.tmpl | 7 ++++++ .../linux/files/debian/isar/common.tmpl | 1 + .../linux/files/debian/isar/install.tmpl | 19 +++++++++++++++ 4 files changed, 51 insertions(+)