From patchwork Mon Jan 19 06:06:48 2026
X-Patchwork-Submitter: Badrikesh Prusty
X-Patchwork-Id: 4805
From: Badrikesh Prusty
To: isar-users@googlegroups.com
Cc: cedric.hombourger@siemens.com, Badrikesh Prusty
Subject: [PATCH] linux-custom: generate secrets package for out-of-tree module signing
Date: Mon, 19 Jan 2026 01:06:48 -0500
Message-ID: <20260119060648.40011-1-badrikesh.prusty@siemens.com>

Add a new package, linux-image--secrets, to ship the kernel module signing
keys required for signing out-of-tree kernel modules. The package is built
only when the pkg..secrets build profile is enabled and installs the
signing_key artifacts generated during the kernel build into
/usr/share/linux-secrets.
This allows out-of-tree modules to be signed with the same key used for
in-tree modules.

Usage:

In the out-of-tree module recipe:
SIGNATURE_KEYFILE = "/usr/share/linux-secrets/signing_key.pem"
SIGNATURE_CERTFILE = "/usr/share/linux-secrets/signing_key.x509"
DEBIAN_BUILD_DEPENDS:append = ", linux-secrets"

In the kernel recipe, enable the secrets build profile:
BUILD_PROFILES:append = " pkg.${BPN}.secrets"

NOTE: The linux-image--secrets package contains the private module signing
key. Care must be taken NOT to distribute this package in package feeds or
images, as this would allow anyone to sign kernel modules that the kernel
would trust.

Signed-off-by: Badrikesh Prusty
---
 RECIPE-API-CHANGELOG.md                    | 24 +++++++++++++++++++
 .../linux/files/debian/control.tmpl        |  7 ++++++
 .../linux/files/debian/isar/common.tmpl    |  1 +
 .../linux/files/debian/isar/install.tmpl   | 19 +++++++++++++++
 4 files changed, 51 insertions(+)

diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md index 0bad8a44..1a33d6ae 100644 --- a/RECIPE-API-CHANGELOG.md +++ b/RECIPE-API-CHANGELOG.md
@@ -962,3 +962,27 @@ INSTALLER_UNATTENDED_ABORT_ENABLE = "1" # Optional: set countdown timeout in seconds (default 5) INSTALLER_UNATTENDED_ABORT_TIMEOUT = "5" ``` + +### Add linux-image--secrets package for out-of-tree module signing + +linux-image--secrets ships kernel module signing keys required for +signing out-of-tree kernel modules. + +The package is built only when the `pkg..secrets` build profile is +enabled and installs the signing_key artifacts generated during the kernel +build into `/usr/share/linux-secrets`. + +Usage: +``` +# In the out-of-tree module recipe: +SIGNATURE_KEYFILE = "/usr/share/linux-secrets/signing_key.pem" +SIGNATURE_CERTFILE = "/usr/share/linux-secrets/signing_key.x509" +DEBIAN_BUILD_DEPENDS:append = ", linux-secrets" + +# In the kernel recipe, enable the secrets build profile: +BUILD_PROFILES:append = " pkg.${BPN}.secrets" +``` + +SECURITY NOTE: This package contains the private module signing key. Do not +distribute it in package feeds or images, as this would allow anyone to sign +kernel modules that the kernel would trust. diff --git a/meta/recipes-kernel/linux/files/debian/control.tmpl b/meta/recipes-kernel/linux/files/debian/control.tmpl index ee87cf92..969f6b0c 100644 --- a/meta/recipes-kernel/linux/files/debian/control.tmpl +++ b/meta/recipes-kernel/linux/files/debian/control.tmpl @@ -69,3 +69,10 @@ Conflicts: linux-kbuild-${KERNEL_NAME_PROVIDED} Description: ${KERNEL_NAME_PROVIDED} Linux kbuild scripts and tools for @KR@ This package provides kernel kbuild scripts and tools for @KR@ This is useful for people who need to build external modules + +Package: linux-image-${KERNEL_NAME_PROVIDED}-secrets +Build-Profiles: +Section: devel +Provides: linux-secrets +Architecture: all +Description: Linux kernel module signing secrets diff --git a/meta/recipes-kernel/linux/files/debian/isar/common.tmpl b/meta/recipes-kernel/linux/files/debian/isar/common.tmpl index f9cc2f02..6554cdb0 100644 
--- a/meta/recipes-kernel/linux/files/debian/isar/common.tmpl +++ b/meta/recipes-kernel/linux/files/debian/isar/common.tmpl @@ -38,6 +38,7 @@ deb_libc_hdr_dir=${deb_top_dir}/${KERNEL_PKG_LIBC_HEADERS} deb_libc_hdr_cross_dir=${deb_top_dir}/${KERNEL_PKG_LIBC_HEADERS_CROSS} deb_kern_kbuild_dir=${deb_top_dir}/${KERNEL_PKG_KERN_KBUILD} deb_kern_kbuild_cross_dir=${deb_top_dir}/${KERNEL_PKG_KERN_KBUILD_CROSS} +deb_kern_secrets=${deb_top_dir}/${KERNEL_PKG_IMAGE}-secrets # Array of packages to be generated declare -A kern_pkgs diff --git a/meta/recipes-kernel/linux/files/debian/isar/install.tmpl b/meta/recipes-kernel/linux/files/debian/isar/install.tmpl index 6fa94508..99d64ca5 100644 --- a/meta/recipes-kernel/linux/files/debian/isar/install.tmpl +++ b/meta/recipes-kernel/linux/files/debian/isar/install.tmpl @@ -70,6 +70,11 @@ do_install() { install_headers fi + if echo "${DEB_BUILD_PROFILES}" | grep -q "pkg.${BPN}.secrets"; then + kern_secrets_path="${deb_kern_secrets}/usr/share/linux-secrets" + install_module_signing_secrets "${kern_secrets_path}" + fi + # Stop tracing set +x } @@ -271,4 +276,18 @@ install_kbuild() { kernel_tools } +install_module_signing_secrets() { + local dest="${1}" + local keydir="${KERNEL_BUILD_DIR}/certs" + local priv="${keydir}/signing_key.pem" + local cert="${keydir}/signing_key.x509" + if [ ! -f "${priv}" ] || [ ! -f "${cert}" ]; then + echo "error: module signing keys not found but pkg.${BPN}.secrets is enabled" >&2 + return 1 + fi + install -d -m 0755 ${dest} + install -m 0400 ${KERNEL_BUILD_DIR}/certs/signing_key.pem ${dest}/ + install -m 0444 ${KERNEL_BUILD_DIR}/certs/signing_key.x509 ${dest}/ +} + main install ${*}
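Review bot: in the RECIPE-API-CHANGELOG.md hunk the package is named `linux-image--secrets` and the profile `pkg..secrets`, with the kernel-name component missing between the dashes and dots, so a reader cannot tell which profile to enable; spell them out the way the control.tmpl and install.tmpl hunks do, as `linux-image-${KERNEL_NAME_PROVIDED}-secrets` and `pkg.${BPN}.secrets` (the Usage block in the same hunk already uses the latter). The SECURITY NOTE is purely advisory: nothing in the patch prevents the package from being published alongside the other kernel packages once the profile is on, so the changelog should state plainly that enabling the profile on a kernel whose packages are pushed to a feed exposes the private signing key.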
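Review bot: `Build-Profiles:` in the new control.tmpl stanza has no value, so the restriction that is supposed to gate the package on the profile is missing from the control file as shown; it should read `Build-Profiles: <pkg.${BPN}.secrets>` so that it matches the `grep -q "pkg.${BPN}.secrets"` check in install.tmpl and the package (and the private key it carries) is not produced on every kernel build. The one-line `Description: Linux kernel module signing secrets` also says nothing about the key being private; a long description stating that the package must never be installed into an image or published in a feed makes an accidental install of `linux-secrets` easier to catch in review.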
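Review bot: the new variable `deb_kern_secrets` in common.tmpl breaks the naming of the neighbouring variables (`deb_kern_kbuild_dir`, `deb_kern_kbuild_cross_dir`, `deb_libc_hdr_dir`), which all end in `_dir`; rename it `deb_kern_secrets_dir` and adjust the use in install.tmpl. The hunk also only defines the path and does not touch `kern_pkgs` (the "Array of packages to be generated" declared right below); check whether the secrets package has to be registered there under the profile condition for its directory to be created and picked up like the other packages.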
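Review bot: in the do_install hunk, `echo "${DEB_BUILD_PROFILES}" | grep -q "pkg.${BPN}.secrets"` matches an unanchored regular expression, so the dots match any character and any profile that merely contains the string (for example one named `pkg.${BPN}.secrets-extra`) would trigger installation of the private key; match the profile as a whole fixed string, e.g. `echo "${DEB_BUILD_PROFILES}" | tr ' ' '\n' | grep -qxF "pkg.${BPN}.secrets"`. Also `install_module_signing_secrets` reports a missing key with `return 1`, but the call site ignores the status, so unless errexit is in effect the build only prints the error and continues with an empty secrets package; append `|| exit 1` at the call.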
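Review bot: in the `install_module_signing_secrets` hunk the function computes `${priv}` and `${cert}` and tests them, but the two `install` lines then re-spell `${KERNEL_BUILD_DIR}/certs/signing_key.pem` and `.x509` and leave both the source paths and `${dest}` unquoted, unlike the test above them; reuse the variables and quote them: `install -m 0400 "${priv}" "${dest}/"` and `install -m 0444 "${cert}" "${dest}/"`. It is also worth confirming that mode 0400 on a root-owned file is readable by the account that runs the out-of-tree module build reading `SIGNATURE_KEYFILE`, since an unprivileged build would fail to open the key while the certificate at 0444 opens fine.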