From: "'Gokhan Cetin' via isar-users" <isar-users@googlegroups.com>
To: isar-users@googlegroups.com
Cc: gokhan.cetin@siemens.com, felix.moessbauer@siemens.com
Subject: [PATCH 1/3] meta/recipes-kernel/linux-module: Allow use of external scripts to sign modules
Date: Thu, 23 Jan 2025 15:51:29 +0100
Message-ID: <20250123145131.1142290-2-gokhan.cetin@siemens.com>
In-Reply-To: <20250123145131.1142290-1-gokhan.cetin@siemens.com>
This facilitates the integration of scripts developed for signing solutions like HSM
where private keys are not accessible and allows the use of detached signatures
produced by such solutions.
Signed-off-by: Gokhan Cetin <gokhan.cetin@siemens.com>
---
meta/recipes-kernel/linux-module/files/debian/rules.tmpl | 4 ++++
meta/recipes-kernel/linux-module/module.inc | 2 ++
2 files changed, 6 insertions(+)
diff --git a/meta/recipes-kernel/linux-module/files/debian/rules.tmpl b/meta/recipes-kernel/linux-module/files/debian/rules.tmpl
index ad743437..30d7ce0f 100755
--- a/meta/recipes-kernel/linux-module/files/debian/rules.tmpl
+++ b/meta/recipes-kernel/linux-module/files/debian/rules.tmpl
@@ -56,6 +56,10 @@ endif
ifneq ($(filter pkg.sign,$(DEB_BUILD_PROFILES)),)
find . -name "*.ko" -print -exec $(KDIR)/scripts/sign-file ${SIGNATURE_HASHFN} ${SIGNATURE_KEYFILE} ${SIGNATURE_CERTFILE} {} \;
endif
+ifneq ($(filter pkg.signwith,$(DEB_BUILD_PROFILES)),)
+ find . -name "*.ko" | xargs -i ${SIGNATURE_SIGNWITH} {} {}.signature ${SIGNATURE_HASHFN} ${SIGNATURE_CERTFILE}
+ find . -name "*.ko" | xargs -i $(KDIR)/scripts/sign-file -s {}.signature ${SIGNATURE_HASHFN} ${SIGNATURE_CERTFILE} {}
+endif
override_dh_auto_install:
$(MAKE) -C $(KDIR) M=${MODULE_DIR} INSTALL_MOD_PATH=$(PWD)/debian/${PN} modules_install
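Review bot: The new pkg.signwith branch runs ${SIGNATURE_SIGNWITH} without checking that it is set. module.inc defaults the variable to an empty string, so with the profile enabled and no signer configured the first xargs command line begins with the module path itself instead of a signer script. Consider failing early with a clear message before the two find lines, for example an `ifeq ($(strip ${SIGNATURE_SIGNWITH}),)` guard that calls `$(error ...)`. Two smaller points on the same lines: `xargs -i` is the deprecated GNU spelling, and `find . -name "*.ko" -print0 | xargs -0 -I{} ...` would also cope with whitespace in paths; and nothing here keeps pkg.sign and pkg.signwith from being active together, in which case both branches run sign-file on every module, so making the second branch an else case or documenting the two profiles as mutually exclusive would help.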
diff --git a/meta/recipes-kernel/linux-module/module.inc b/meta/recipes-kernel/linux-module/module.inc
index 3e8e5e7a..d7432bf7 100644
--- a/meta/recipes-kernel/linux-module/module.inc
+++ b/meta/recipes-kernel/linux-module/module.inc
@@ -25,6 +25,7 @@ DEB_BUILD_OPTIONS += "noautodbgsym"
SIGNATURE_KEYFILE ??= ""
SIGNATURE_CERTFILE ??= ""
SIGNATURE_HASHFN ??= "sha256"
+SIGNATURE_SIGNWITH ??= ""
SRC_URI += "file://debian/"
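Review bot: SIGNATURE_SIGNWITH is introduced with an empty default and no comment on what it must point to or how it is called. rules.tmpl invokes it with four positional arguments (module path, signature output path, ${SIGNATURE_HASHFN}, ${SIGNATURE_CERTFILE}) and expects the detached signature at `{}.signature` afterwards; a short comment above the default stating that contract, and that the variable only takes effect with the pkg.signwith build profile, would spare recipe authors from reading the rules template.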
@@ -57,6 +58,7 @@ TEMPLATE_VARS += " \
SIGNATURE_KEYFILE \
SIGNATURE_CERTFILE \
SIGNATURE_HASHFN \
+ SIGNATURE_SIGNWITH \
PN \
DEBIAN_COMPAT"
--
2.39.2
Thread overview: 6+ messages
2025-01-23 14:51 [PATCH 0/3] " 'Gokhan Cetin' via isar-users
2025-01-23 14:51 ` 'Gokhan Cetin' via isar-users [this message]
2025-01-23 14:51 ` [PATCH 2/3] module-signer-example: add example signer hook and signed variant for example-module 'Gokhan Cetin' via isar-users
2025-01-23 14:51 ` [PATCH 3/3] doc/user_manual: describe module signing and custom signer hooks 'Gokhan Cetin' via isar-users
2025-01-31 11:38 ` [PATCH 0/3] Allow use of external scripts to sign modules 'MOESSBAUER, Felix' via isar-users
2025-02-07 7:59 ` Uladzimir Bely