From: "'Gokhan Cetin' via isar-users"
To: isar-users@googlegroups.com
Cc: gokhan.cetin@siemens.com, felix.moessbauer@siemens.com
Subject: [PATCH 3/3] doc/user_manual: describe module signing and custom signer hooks
Date: Thu, 23 Jan 2025 15:51:31 +0100
Message-Id: <20250123145131.1142290-4-gokhan.cetin@siemens.com>
In-Reply-To: <20250123145131.1142290-1-gokhan.cetin@siemens.com>
References: <20250123145131.1142290-1-gokhan.cetin@siemens.com>
X-Original-Sender: gokhan.cetin@siemens.com

Mentions why kernel module signing is needed and how to implement.

Signed-off-by: Gokhan Cetin
---
 doc/user_manual.md | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/doc/user_manual.md b/doc/user_manual.md index 62d16c8c..477070d1 100644 --- a/doc/user_manual.md +++ b/doc/user_manual.md 
@@ -1133,6 +1133,30 @@ Use the previously definded password to enroll the key, then reboot. Now the image should be up again and `modprobe example-module` should work. +**Sign kernel modules with custom signer hooks** + +The kernel module signing process establishes a chain of trust from the kernel to the modules, ensuring that +all components of the system are from trusted sources. If Secure Boot is enabled or the module signing +facility is enabled by kernel configuration or via `module.sig_enforce` kernel parameter, the kernel checks +the signature of the modules against the public keys from kernel system keyring and kernel platform keyring. + +Please note that if the certificates you use to sign modules are not included in one of these keyrings or are +blacklisted, the signature will be rejected and the module will not be loaded by the kernel. + +Many regulatory standards and compliance frameworks require the use of signing methods that are +designed to protect cryptographic keys and signing operations to ensure a high level of security. + +In order to use solutions like Hardware Security Module (HSM) or server-side signing, which +are usually made available via a client, an API endpoint or a plug-in, for signing kernel modules, +Isar provides a build profile called `pkg.signwith` for kernel module recipes. + +To provide a signer script that implements your custom signing solution, `SIGNATURE_SIGNWITH` variable +can be set for the script path within the module recipe together with `SIGNATURE_CERTFILE` to define the public +certificate path of the signer. + +Please see how `module-signer-example` hook generates a detached signature for the kernel module implemented in +`example-module-signedwith` recipe. + +### Cross Support for Imagers If `ISAR_CROSS_COMPILE = "1"`, the imager and optional compression tasks -- 2.39.2
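Review bot: the new section introduces `SIGNATURE_SIGNWITH` and `SIGNATURE_CERTFILE` but never documents the contract of the signer script itself: which arguments the hook receives (the unsigned module path, the certificate path), where it must write the detached signature, and how a non-zero exit status is handled during the build. Pointing readers at `module-signer-example` and `example-module-signedwith` does not replace that; suggest adding a short list of the script's inputs and expected output right after the paragraph starting "To provide a signer script", plus one sentence on how a kernel module recipe actually activates the `pkg.signwith` build profile, since the text says Isar "provides" it but not how to opt in. Also, the paragraph on Secure Boot and `module.sig_enforce` should state explicitly that enforcement means an unsigned or wrongly signed module fails to load rather than merely tainting the kernel, so the reader knows what the blacklisting sentence that follows refers to.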