From: "'Gokhan Cetin' via isar-users"
To: isar-users@googlegroups.com
Cc: gokhan.cetin@siemens.com, felix.moessbauer@siemens.com
Subject: [PATCH 2/3] module-signer-example: add example signer hook and signed variant for example-module
Date: Thu, 23 Jan 2025 15:51:30 +0100
Message-Id: <20250123145131.1142290-3-gokhan.cetin@siemens.com>
In-Reply-To: <20250123145131.1142290-1-gokhan.cetin@siemens.com>
References: <20250123145131.1142290-1-gokhan.cetin@siemens.com>

This patch introduces an example signer hook that generates raw detached signatures for out-of-tree kernel modules.

Signed-off-by: Gokhan Cetin --- .../files/sign-module.sh | 40 +++++++++++++++++++ .../module-signer-example.bb | 20 ++++++++++ .../example-module-signedwith.bb | 15 +++++++ 3 files changed, 75 insertions(+) create mode 100644 meta-isar/recipes-devtools/module-signer-example/files/sign-module.sh create mode 100644 meta-isar/recipes-devtools/module-signer-example/module-signer-example.bb create mode 100644 meta-isar/recipes-kernel/example-module/example-module-signedwith.bb diff --git a/meta-isar/recipes-devtools/module-signer-example/files/sign-module.sh b/meta-isar/recipes-devtools/module-signer-example/files/sign-module.sh new file mode 100644 index 00000000..4d22532b --- /dev/null +++ b/meta-isar/recipes-devtools/module-signer-example/files/sign-module.sh @@ -0,0 +1,40 @@ +#!/bin/sh +# +# Example signer script that generates detached signatures for modules +# +# This software is a part of ISAR. +# Copyright (c) Siemens AG, 2025 +# +# SPDX-License-Identifier: MIT + +set -e + +module=$1 +signature=$2 +hashfn=$3 +certfile=$4 + +if [ -z "$module" ] || [ -z "$signature" ] || [ -z "$hashfn" ] || [ -z "$certfile" ] ; then + exit 1 +fi + +echo "Signing module $module with hash function $hashfn and certificate $certfile" + +openssl smime -sign -nocerts -noattr -binary \ + -in "$module" \ + -md "$hashfn" \ + -inkey /etc/sb-mok-keys/MOK/MOK.priv \ + -signer /etc/sb-mok-keys/MOK/MOK.der \ + -outform DER \ + -out "$signature" + +echo "Verifying signature of module $module with hash function $hashfn and certificate $certfile" + +openssl smime -verify \ + -in "$signature" \ + -md "$hashfn" \ + -content "$module" \ + -certfile /etc/sb-mok-keys/MOK/MOK.der \ + -noverify \ + -inform DER \ + -out /dev/null diff --git a/meta-isar/recipes-devtools/module-signer-example/module-signer-example.bb b/meta-isar/recipes-devtools/module-signer-example/module-signer-example.bb new file mode 100644 index 00000000..001e8cc8 --- /dev/null 
+++ b/meta-isar/recipes-devtools/module-signer-example/module-signer-example.bb @@ -0,0 +1,20 @@ +# Example recipe for signing a kernel module with custom signer script +# +# This software is a part of ISAR. +# Copyright (c) Siemens AG, 2025 +# +# SPDX-License-Identifier: MIT + +inherit dpkg-raw + +DPKG_ARCH = "all" + +DEPENDS = "sb-mok-keys" +DEBIAN_DEPENDS += "openssl, sb-mok-keys" + +SRC_URI = "file://sign-module.sh" + +do_install[cleandirs] = "${D}/usr/bin/" +do_install() { + install -m 0755 ${WORKDIR}/sign-module.sh ${D}/usr/bin/sign-module.sh +} diff --git a/meta-isar/recipes-kernel/example-module/example-module-signedwith.bb b/meta-isar/recipes-kernel/example-module/example-module-signedwith.bb new file mode 100644 index 00000000..f611169c --- /dev/null +++ b/meta-isar/recipes-kernel/example-module/example-module-signedwith.bb @@ -0,0 +1,15 @@ +# Example recipe for building a custom module +# +# This software is a part of ISAR. +# Copyright (c) Siemens AG, 2025 +# +# SPDX-License-Identifier: MIT + +require example-module.bb + +DEPENDS += "module-signer-example" +DEBIAN_BUILD_DEPENDS .= ', module-signer-example' + +DEB_BUILD_PROFILES += 'pkg.signwith' +SIGNATURE_CERTFILE = '/etc/sb-mok-keys/MOK/MOK.der' +SIGNATURE_SIGNWITH = '/usr/bin/sign-module.sh' -- 2.39.2
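Review bot: In sign-module.sh, the fourth argument is checked for emptiness and echoed in both log messages, but neither openssl call uses it: `-signer /etc/sb-mok-keys/MOK/MOK.der` and `-certfile /etc/sb-mok-keys/MOK/MOK.der` are hard-coded. A caller that passes a different certificate gets log lines naming that certificate and a signature made and checked with the MOK one. Suggest passing "$certfile" to `-signer` and `-certfile`, and making the `-inkey` path overridable rather than a literal, so the example shows how the hook's arguments are meant to be consumed. Separately, the argument check does a bare `exit 1` with no output; a usage line on stderr would make a misconfigured hook much easier to diagnose in a build log. A one-line comment on why the verify step passes `-noverify` would also help readers who copy this script as a starting point.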
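Review bot: In module-signer-example.bb, `DEBIAN_DEPENDS += "openssl, sb-mok-keys"` makes the key package a runtime dependency of the signer package, so any environment that installs `/usr/bin/sign-module.sh` also gets the private key the script reads from `/etc/sb-mok-keys/MOK/MOK.priv`, and nothing in the recipe documents that. Suggest a comment in the recipe stating that this package is intended only as a build dependency for the example and that it pulls in signing key material, so nobody adds it to an image install list by mistake. The header comment ("Example recipe for signing a kernel module with custom signer script") also describes the use case rather than what the recipe does, which is package the example signer script; rewording it would avoid confusion with example-module-signedwith.bb.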
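Review bot: In example-module-signedwith.bb, the header comment "Example recipe for building a custom module" does not say what distinguishes this variant from example-module.bb; it should mention that the module is signed through the external hook named in `SIGNATURE_SIGNWITH`. Two things are also left undocumented for someone using this as a template. First, sign-module.sh requires a hash function as its third argument, and this recipe sets only `SIGNATURE_CERTFILE` and `SIGNATURE_SIGNWITH`; if the hash comes from a default defined elsewhere in the series, a comment naming that variable would help. Second, `SIGNATURE_CERTFILE` is set to the same path the script hard-codes, so changing it here currently has no effect on which certificate is used; either note that or fix it together with the script.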