From: Felix Moessbauer
To: isar-users@googlegroups.com
Cc: tobias.preclik@siemens.com, christian.storm@siemens.com, Felix Moessbauer
Subject: [PATCH 05/10] add support to sign kernel modules
Date: Fri, 23 Dec 2022 08:40:53 +0000
Message-Id: <20221223084058.1899957-6-felix.moessbauer@siemens.com>
In-Reply-To: <20221223084058.1899957-1-felix.moessbauer@siemens.com>
References: <20221223084058.1899957-1-felix.moessbauer@siemens.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

This patch extends the module.inc class to add support to sign the compiled kernel modules. Whether the module is signed or not is controlled via a build profile named pkg.sign. When enabled, the kernel's sign-file is executed. The path to the keyfile inside the schroot has to be provided in SIGNATURE_KEYFILE, the path to the corresponding cert in SIGNATURE_CERTFILE. The hash function used can be controlled using SIGNATURE_HASHFN. All modules in the current build directory are signed.

The implementation - by design - does not specify how to provide the keys in the schroot inside the sbuild. This gives some flexibility, e.g. the keys can be provided in a package, added as a build dependency or alternatively via a mountpoint.

Signed-off-by: Felix Moessbauer
---
 meta/recipes-kernel/linux-module/files/debian/rules.tmpl | 3 +++
 meta/recipes-kernel/linux-module/module.inc | 7 +++++++
 2 files changed, 10 insertions(+)

diff --git a/meta/recipes-kernel/linux-module/files/debian/rules.tmpl b/meta/recipes-kernel/linux-module/files/debian/rules.tmpl
index c1c2560..7d950e3 100755
--- a/meta/recipes-kernel/linux-module/files/debian/rules.tmpl
+++ b/meta/recipes-kernel/linux-module/files/debian/rules.tmpl
@@ -50,6 +50,9 @@ override_dh_auto_clean: override_dh_auto_build: $(MAKE) -C $(KDIR) M=$(PWD) $(PARALLEL_MAKE) modules +ifneq ($(filter pkg.sign,$(DEB_BUILD_PROFILES)),) + find . -name "*.ko" -print -exec $(KDIR)/scripts/sign-file ${SIGNATURE_HASHFN} ${SIGNATURE_KEYFILE} ${SIGNATURE_CERTFILE} {} \; +endif override_dh_auto_install: $(MAKE) -C $(KDIR) M=$(PWD) INSTALL_MOD_PATH=$(PWD)/debian/${PN} modules_install diff --git a/meta/recipes-kernel/linux-module/module.inc b/meta/recipes-kernel/linux-module/module.inc index cfc6d20..a9e5d3d 100644 --- a/meta/recipes-kernel/linux-module/module.inc +++ b/meta/recipes-kernel/linux-module/module.inc @@ -18,6 +18,10 @@ KERNEL_HEADERS_PKG ??= "linux-headers-${KERNEL_NAME}" DEPENDS += "${KERNEL_HEADERS_PKG}" DEBIAN_BUILD_DEPENDS = "${KERNEL_HEADERS_PKG}" +SIGNATURE_KEYFILE ??= "" +SIGNATURE_CERTFILE ??= "" +SIGNATURE_HASHFN ??= "sha256" + SRC_URI += "file://debian/" AUTOLOAD ?= "" @@ -33,6 +37,9 @@ TEMPLATE_VARS += " \ KERNEL_IMAGE_PKG \ KERNEL_HEADERS_PKG \ DEBIAN_BUILD_DEPENDS \ + SIGNATURE_KEYFILE \ + SIGNATURE_CERTFILE \ + SIGNATURE_HASHFN \ PN" do_prepare_build() { -- 2.34.1
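Review bot: in the rules.tmpl hunk a failing sign-file does not fail the build: with `find . -name "*.ko" -print -exec ... {} \;` the exit status of find ignores the exit status of the executed command, so a wrong key path, a missing `$(KDIR)/scripts/sign-file` in the headers package, or a key/cert mismatch yields a package whose modules are silently unsigned. Use the `-exec ... {} +` form (find then returns non-zero when the command fails) or a shell loop with `|| exit 1`. Related: since SIGNATURE_KEYFILE and SIGNATURE_CERTFILE default to "" in module.inc, enabling pkg.sign without setting them expands the command to `sign-file sha256 <module>.ko`, which fails with a usage error that the `\;` form then hides; an `$(error SIGNATURE_KEYFILE/SIGNATURE_CERTFILE must be set for pkg.sign)` guard inside the `ifneq` block would give a clear message. Finally, sign-file appends the signature to the .ko, and any later step that rewrites the module (dh_strip, or modules_install with INSTALL_MOD_STRIP) drops it, so signing in override_dh_auto_build is fragile; consider signing after install/strip and verifying the result with `modinfo -F sig_key` on the installed modules.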
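Review bot: the module.inc hunks add three user-facing variables (SIGNATURE_KEYFILE, SIGNATURE_CERTFILE, SIGNATURE_HASHFN) and the pkg.sign build profile without documenting them; the commit message already states their semantics (paths inside the schroot, hash function, the profile switch), so that text should go into the documentation next to the other linux-module variables rather than only into the git log. It is also worth a comment next to the `??=` defaults that SIGNATURE_KEYFILE names a private key: whichever of the mechanisms the message lists (package, build dependency, mount) provides it in the schroot, the recipe must make sure the key is neither installed into the produced .deb nor left behind in a shared sbuild chroot reused by other recipes.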