From patchwork Thu Jan 23 14:51:29 2025
X-Patchwork-Submitter: Gokhan Cetin
X-Patchwork-Id: 4031
From: Gokhan Cetin
To: isar-users@googlegroups.com
Cc: gokhan.cetin@siemens.com, felix.moessbauer@siemens.com
Subject: [PATCH 1/3] meta/recipes-kernel/linux-module: Allow use of external scripts to sign modules
Date: Thu, 23 Jan 2025 15:51:29 +0100
Message-Id: <20250123145131.1142290-2-gokhan.cetin@siemens.com>
In-Reply-To: <20250123145131.1142290-1-gokhan.cetin@siemens.com>
References: <20250123145131.1142290-1-gokhan.cetin@siemens.com>

This facilitates the integration of scripts developed for signing solutions like HSM where private keys are not accessible and allows the use of detached signatures produced by such solutions.
Signed-off-by: Gokhan Cetin --- meta/recipes-kernel/linux-module/files/debian/rules.tmpl | 4 ++++ meta/recipes-kernel/linux-module/module.inc | 2 ++ 2 files changed, 6 insertions(+) diff --git a/meta/recipes-kernel/linux-module/files/debian/rules.tmpl b/meta/recipes-kernel/linux-module/files/debian/rules.tmpl index ad743437..30d7ce0f 100755 --- a/meta/recipes-kernel/linux-module/files/debian/rules.tmpl +++ b/meta/recipes-kernel/linux-module/files/debian/rules.tmpl @@ -56,6 +56,10 @@ endif ifneq ($(filter pkg.sign,$(DEB_BUILD_PROFILES)),) find . -name "*.ko" -print -exec $(KDIR)/scripts/sign-file ${SIGNATURE_HASHFN} ${SIGNATURE_KEYFILE} ${SIGNATURE_CERTFILE} {} \; endif +ifneq ($(filter pkg.signwith,$(DEB_BUILD_PROFILES)),) + find . -name "*.ko" | xargs -i ${SIGNATURE_SIGNWITH} {} {}.signature ${SIGNATURE_HASHFN} ${SIGNATURE_CERTFILE} + find . -name "*.ko" | xargs -i $(KDIR)/scripts/sign-file -s {}.signature ${SIGNATURE_HASHFN} ${SIGNATURE_CERTFILE} {} +endif override_dh_auto_install: $(MAKE) -C $(KDIR) M=${MODULE_DIR} INSTALL_MOD_PATH=$(PWD)/debian/${PN} modules_install diff --git a/meta/recipes-kernel/linux-module/module.inc b/meta/recipes-kernel/linux-module/module.inc index 3e8e5e7a..d7432bf7 100644 --- a/meta/recipes-kernel/linux-module/module.inc +++ b/meta/recipes-kernel/linux-module/module.inc @@ -25,6 +25,7 @@ DEB_BUILD_OPTIONS += "noautodbgsym" SIGNATURE_KEYFILE ??= "" SIGNATURE_CERTFILE ??= "" SIGNATURE_HASHFN ??= "sha256" +SIGNATURE_SIGNWITH ??= "" SRC_URI += "file://debian/" 
@@ -57,6 +58,7 @@ TEMPLATE_VARS += " \ SIGNATURE_KEYFILE \ SIGNATURE_CERTFILE \ SIGNATURE_HASHFN \ + SIGNATURE_SIGNWITH \ PN \ DEBIAN_COMPAT"
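Review bot: the new pkg.signwith block in debian/rules.tmpl pipes `find` into `xargs -i`, which is inconsistent with the `find ... -exec` form used by the pkg.sign block directly above it: `-i` is the deprecated spelling of `-I {}`, and a plain newline-separated pipe breaks on module paths that contain whitespace. Using the same `-exec ... {} \;` form as the existing pkg.sign line, or `find -print0 | xargs -0 -I {}`, keeps both branches consistent. Also, because the two `ifneq` blocks are independent, a recipe that carries both `pkg.sign` and `pkg.signwith` in DEB_BUILD_PROFILES runs both branches and signs every .ko twice; if that combination is not meant to be supported, the new block should be an `else ifneq`, or the template should reject it.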
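Review bot: in the module.inc hunk `SIGNATURE_SIGNWITH ??= ""` defaults to an empty string, but nothing in the pkg.signwith branch of rules.tmpl checks that it was actually set. With the profile enabled and the variable empty the template expands to `xargs -i {} {}.signature sha256 ...`, so xargs would try to execute each module file itself as the signer. Either the recipe or the rules template should fail early with a clear message when `pkg.signwith` is in DEB_BUILD_PROFILES and SIGNATURE_SIGNWITH (or SIGNATURE_CERTFILE, which also defaults to "") is empty, rather than letting the build fail at an obscure point.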
From patchwork Thu Jan 23 14:51:30 2025
X-Patchwork-Submitter: Gokhan Cetin
X-Patchwork-Id: 4032
From: Gokhan Cetin
To: isar-users@googlegroups.com
Cc: gokhan.cetin@siemens.com, felix.moessbauer@siemens.com
Subject: [PATCH 2/3] module-signer-example: add example signer hook and signed variant for example-module
Date: Thu, 23 Jan 2025 15:51:30 +0100
Message-Id: <20250123145131.1142290-3-gokhan.cetin@siemens.com>
In-Reply-To: <20250123145131.1142290-1-gokhan.cetin@siemens.com>
References: <20250123145131.1142290-1-gokhan.cetin@siemens.com>

This patch introduces an example signer hook that generates raw detached signatures for out-of-tree kernel modules.
Signed-off-by: Gokhan Cetin --- .../files/sign-module.sh | 40 +++++++++++++++++++ .../module-signer-example.bb | 20 ++++++++++ .../example-module-signedwith.bb | 15 +++++++ 3 files changed, 75 insertions(+) create mode 100644 meta-isar/recipes-devtools/module-signer-example/files/sign-module.sh create mode 100644 meta-isar/recipes-devtools/module-signer-example/module-signer-example.bb create mode 100644 meta-isar/recipes-kernel/example-module/example-module-signedwith.bb diff --git a/meta-isar/recipes-devtools/module-signer-example/files/sign-module.sh b/meta-isar/recipes-devtools/module-signer-example/files/sign-module.sh new file mode 100644 index 00000000..4d22532b --- /dev/null +++ b/meta-isar/recipes-devtools/module-signer-example/files/sign-module.sh @@ -0,0 +1,40 @@ +#!/bin/sh +# +# Example signer script that generates detached signatures for modules +# +# This software is a part of ISAR. +# Copyright (c) Siemens AG, 2025 +# +# SPDX-License-Identifier: MIT + +set -e + +module=$1 +signature=$2 +hashfn=$3 +certfile=$4 + +if [ -z "$module" ] || [ -z "$signature" ] || [ -z "$hashfn" ] || [ -z "$certfile" ] ; then + exit 1 +fi + +echo "Signing module $module with hash function $hashfn and certificate $certfile" + +openssl smime -sign -nocerts -noattr -binary \ + -in "$module" \ + -md "$hashfn" \ + -inkey /etc/sb-mok-keys/MOK/MOK.priv \ + -signer /etc/sb-mok-keys/MOK/MOK.der \ + -outform DER \ + -out "$signature" + +echo "Verifying signature of module $module with hash function $hashfn and certificate $certfile" + +openssl smime -verify \ + -in "$signature" \ + -md "$hashfn" \ + -content "$module" \ + -certfile /etc/sb-mok-keys/MOK/MOK.der \ + -noverify \ + -inform DER \ + -out /dev/null diff --git a/meta-isar/recipes-devtools/module-signer-example/module-signer-example.bb b/meta-isar/recipes-devtools/module-signer-example/module-signer-example.bb new file mode 100644 index 00000000..001e8cc8 --- /dev/null 
+++ b/meta-isar/recipes-devtools/module-signer-example/module-signer-example.bb @@ -0,0 +1,20 @@ +# Example recipe for signing a kernel module with custom signer script +# +# This software is a part of ISAR. +# Copyright (c) Siemens AG, 2025 +# +# SPDX-License-Identifier: MIT + +inherit dpkg-raw + +DPKG_ARCH = "all" + +DEPENDS = "sb-mok-keys" +DEBIAN_DEPENDS += "openssl, sb-mok-keys" + +SRC_URI = "file://sign-module.sh" + +do_install[cleandirs] = "${D}/usr/bin/" +do_install() { + install -m 0755 ${WORKDIR}/sign-module.sh ${D}/usr/bin/sign-module.sh +} diff --git a/meta-isar/recipes-kernel/example-module/example-module-signedwith.bb b/meta-isar/recipes-kernel/example-module/example-module-signedwith.bb new file mode 100644 index 00000000..f611169c --- /dev/null +++ b/meta-isar/recipes-kernel/example-module/example-module-signedwith.bb 
@@ -0,0 +1,15 @@ +# Example recipe for building a custom module +# +# This software is a part of ISAR. +# Copyright (c) Siemens AG, 2025 +# +# SPDX-License-Identifier: MIT + +require example-module.bb + +DEPENDS += "module-signer-example" +DEBIAN_BUILD_DEPENDS .= ', module-signer-example' + +DEB_BUILD_PROFILES += 'pkg.signwith' +SIGNATURE_CERTFILE = '/etc/sb-mok-keys/MOK/MOK.der' +SIGNATURE_SIGNWITH = '/usr/bin/sign-module.sh'
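Review bot: sign-module.sh validates and echoes its fourth argument `$certfile`, but neither openssl invocation uses it: the `-signer` of the sign step and the `-certfile` of the verify step are both hard-coded to /etc/sb-mok-keys/MOK/MOK.der, next to a hard-coded private key path. The `SIGNATURE_CERTFILE` the recipe passes and the certificate the signature is actually produced with can therefore diverge without any error, and the "Verifying signature ... with certificate $certfile" message would then be wrong. Suggest `-signer "$certfile"` and `-certfile "$certfile"`, so that the key path is the only thing an HSM-backed replacement has to swap out, and a usage line on stderr before the bare `exit 1` when an argument is missing. The verify step also passes `-noverify`, so it only confirms that the detached signature matches the module for that certificate and does not validate a chain; that is acceptable as a build-time self-check but deserves a comment saying so.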
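Review bot: module-signer-example.bb makes the signer package depend on `sb-mok-keys` through both DEPENDS and DEBIAN_DEPENDS, so the private key that sign-module.sh reads is installed into the build chroot alongside the script. That is the opposite of the series' stated goal (signing solutions where the private key is not accessible to the build), so the header comment or the user manual entry should state explicitly that this package is only a stand-in for an HSM or signing-service client and that the key material involved is the example MOK key.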
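Review bot: the header comment of example-module-signedwith.bb, `# Example recipe for building a custom module`, does not mention signing at all, although the recipe exists only to demonstrate the `pkg.signwith` hook; it should say that this is the variant of example-module signed through an external signer script. A short comment that `SIGNATURE_KEYFILE` is deliberately left at its empty default here, because the hook rather than sign-file holds the key, would also help readers who compare it with the pkg.sign variant.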
From patchwork Thu Jan 23 14:51:31 2025
X-Patchwork-Submitter: Gokhan Cetin
X-Patchwork-Id: 4033
From: Gokhan Cetin
To: isar-users@googlegroups.com
Cc: gokhan.cetin@siemens.com, felix.moessbauer@siemens.com
Subject: [PATCH 3/3] doc/user_manual: describe module signing and custom signer hooks
Date: Thu, 23 Jan 2025 15:51:31 +0100
Message-Id: <20250123145131.1142290-4-gokhan.cetin@siemens.com>
In-Reply-To: <20250123145131.1142290-1-gokhan.cetin@siemens.com>
References: <20250123145131.1142290-1-gokhan.cetin@siemens.com>

Mentions why kernel module signing is needed and how to implement it.

Signed-off-by: Gokhan Cetin --- doc/user_manual.md | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+)
diff --git a/doc/user_manual.md b/doc/user_manual.md index 62d16c8c..477070d1 100644 --- a/doc/user_manual.md +++ b/doc/user_manual.md @@ -1133,6 +1133,30 @@ Use the previously definded password to enroll the key, then reboot. Now the image should be up again and `modprobe example-module` should work. +**Sign kernel modules with custom signer hooks** + +The kernel module signing process establishes a chain of trust from the kernel to the modules, ensuring that +all components of the system are from trusted sources. If Secure Boot is enabled or the module signing +facility is enabled by kernel configuration or via `module.sig_enforce` kernel parameter, the kernel checks +the signature of the modules against the public keys from kernel system keyring and kernel platform keyring. + +Please note that if the certificates you use to sign modules are not included in one of these keyrings or are +blacklisted, the signature will be rejected and the module will not be loaded by the kernel. + +Many regulatory standards and compliance frameworks require the use of signing methods that are +designed to protect cryptographic keys and signing operations to ensure a high level of security. + +In order to use solutions like Hardware Security Module (HSM) or server-side signing, which +are usually made available via a client, an API endpoint or a plug-in, for signing kernel modules, +Isar provides a build profile called `pkg.signwith` for kernel module recipes. + +To provide a signer script that implements your custom signing solution, `SIGNATURE_SIGNWITH` variable +can be set for the script path within the module recipe together with `SIGNATURE_CERTFILE` to define the public +certificate path of the signer. + +Please see how `module-signer-example` hook generates a detached signature for the kernel module implemented in +`example-module-signedwith` recipe. + ### Cross Support for Imagers If `ISAR_CROSS_COMPILE = "1"`, the imager and optional compression tasks
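Review bot: the new manual section tells the reader to set `SIGNATURE_SIGNWITH` and `SIGNATURE_CERTFILE`, but it never documents the contract the hook has to fulfil: debian/rules.tmpl invokes it once per module as `<script> <module.ko> <module.ko>.signature <hashfn> <certfile>` and then attaches the result with `scripts/sign-file -s`, so the script must write a detached signature in the form sign-file expects (the example produces DER PKCS#7 via `openssl smime -sign -nocerts -noattr -binary -outform DER`). Without the four arguments and the output format spelled out here, anyone writing an HSM-backed hook has to reverse-engineer them from the template. While touching this section, `definded` in the surrounding context line is a typo, and "`SIGNATURE_SIGNWITH` variable can be set for the script path" reads better as "set `SIGNATURE_SIGNWITH` to the path of the script".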