* [PATCH 0/5] Structure module signing dependencies and providers
From: 'Gokhan Cetin' via isar-users @ 2025-04-15 12:21 UTC (permalink / raw)
To: isar-users; +Cc: gokhan.cetin
As of now, the same configuration block has to be repeated in each
kernel module recipe to specify build-time dependencies on the recipes
that provide the required build profile and the scripts and certificates
used in kernel module signing.
With these changes, it is possible to enable a recommended signature
configuration for all module recipes without touching the modules,
while it is still possible to customize the configuration when necessary.
Gokhan Cetin (5):
module-signer-example: define virtual package name as module-signer
meta/recipes-kernel/linux-module: Define default paths for signing
related variables
meta-isar/recipes-secureboot/sb-mok-keys: define virtual package name
meta/recipes-kernel/linux-module: add option to set default signing
profile and dependencies
doc/user_manual: describe module signer and certificate provider
configuration
doc/user_manual.md | 8 ++++++++
.../module-signer-example/module-signer-example.bb | 3 +++
.../recipes-secureboot/sb-mok-keys/sb-mok-keys.bb | 2 ++
meta/recipes-kernel/linux-module/module.inc | 12 +++++++++---
4 files changed, 22 insertions(+), 3 deletions(-)
--
2.39.2
--
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20250415122204.120360-1-gokhan.cetin%40siemens.com.
* [PATCH 1/5] module-signer-example: define virtual package name as module-signer
From: 'Gokhan Cetin' via isar-users @ 2025-04-15 12:22 UTC (permalink / raw)
To: isar-users; +Cc: gokhan.cetin
This will help to easily manage dependencies on providers implemented in downstreams.
Signed-off-by: Gokhan Cetin <gokhan.cetin@siemens.com>
---
.../module-signer-example/module-signer-example.bb | 3 +++
1 file changed, 3 insertions(+)
diff --git a/meta-isar/recipes-devtools/module-signer-example/module-signer-example.bb b/meta-isar/recipes-devtools/module-signer-example/module-signer-example.bb
index 001e8cc8..58a84d01 100644
--- a/meta-isar/recipes-devtools/module-signer-example/module-signer-example.bb
+++ b/meta-isar/recipes-devtools/module-signer-example/module-signer-example.bb
@@ -9,6 +9,9 @@ inherit dpkg-raw
DPKG_ARCH = "all"
+PROVIDES = "module-signer"
+DEBIAN_PROVIDES = "module-signer"
+
DEPENDS = "sb-mok-keys"
DEBIAN_DEPENDS += "openssl, sb-mok-keys"
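Review bot: `PROVIDES = "module-signer"` makes `module-signer` a virtual target, so as soon as a second signer recipe (a downstream one, which is the stated goal) also provides it, BitBake will warn about multiple providers unless `PREFERRED_PROVIDER_module-signer` is set; the commit message should say that downstream layers are expected to set it. Two separate namespaces are involved here: `PROVIDES` satisfies the BitBake `DEPENDS` resolution, while `DEBIAN_PROVIDES` satisfies the apt-level `module-signer` virtual package at build time, so a replacement signer has to declare both, otherwise module builds will depend on a Debian package that nothing installs.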
--
2.39.2
* [PATCH 2/5] meta/recipes-kernel/linux-module: Define default paths for signing related variables
From: 'Gokhan Cetin' via isar-users @ 2025-04-15 12:22 UTC (permalink / raw)
To: isar-users; +Cc: gokhan.cetin
They are initialized with almost standardized paths in isar-cip-core and many other layers.
In this way, it is possible to get rid of dozens of repeating lines in module recipes.
Signed-off-by: Gokhan Cetin <gokhan.cetin@siemens.com>
---
meta/recipes-kernel/linux-module/module.inc | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/meta/recipes-kernel/linux-module/module.inc b/meta/recipes-kernel/linux-module/module.inc
index 3b0ceae7..45d88d48 100644
--- a/meta/recipes-kernel/linux-module/module.inc
+++ b/meta/recipes-kernel/linux-module/module.inc
@@ -23,10 +23,10 @@ DEBIAN_BUILD_DEPENDS = "${KERNEL_HEADERS_PKG}"
# Do not generate debug symbols packages, as not supported for modules
DEB_BUILD_OPTIONS += "noautodbgsym"
-SIGNATURE_KEYFILE ??= ""
-SIGNATURE_CERTFILE ??= ""
+SIGNATURE_KEYFILE ??= "/usr/share/secure-boot-secrets/secure-boot.key"
+SIGNATURE_CERTFILE ??= "/usr/share/secure-boot-secrets/secure-boot.pem"
SIGNATURE_HASHFN ??= "sha256"
-SIGNATURE_SIGNWITH ??= ""
+SIGNATURE_SIGNWITH ??= "/usr/bin/sign-module.sh"
SRC_URI += "file://debian/"
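Review bot: changing the `??=` defaults of `SIGNATURE_KEYFILE`, `SIGNATURE_CERTFILE` and `SIGNATURE_SIGNWITH` from empty strings to concrete paths removes the one signal that nothing was configured: any recipe or class logic that treated an empty `SIGNATURE_KEYFILE` as "build unsigned" will now see `/usr/share/secure-boot-secrets/secure-boot.key` whether or not a provider of that path is a build dependency, and a misconfiguration moves from a clear "no key configured" to a missing file inside the signing step. The commit message should state that these paths are a contract every `secure-boot-secrets` and `module-signer` provider has to honour, and that the defaults only become meaningful together with the dependencies patch 4 adds.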
--
2.39.2
* [PATCH 3/5] meta-isar/recipes-secureboot/sb-mok-keys: define virtual package name
From: 'Gokhan Cetin' via isar-users @ 2025-04-15 12:22 UTC (permalink / raw)
To: isar-users; +Cc: gokhan.cetin
As done by 946b908b, this will allow more key providers to meet further
common dependencies.
Signed-off-by: Gokhan Cetin <gokhan.cetin@siemens.com>
---
meta-isar/recipes-secureboot/sb-mok-keys/sb-mok-keys.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta-isar/recipes-secureboot/sb-mok-keys/sb-mok-keys.bb b/meta-isar/recipes-secureboot/sb-mok-keys/sb-mok-keys.bb
index 61378347..2a8b66d4 100644
--- a/meta-isar/recipes-secureboot/sb-mok-keys/sb-mok-keys.bb
+++ b/meta-isar/recipes-secureboot/sb-mok-keys/sb-mok-keys.bb
@@ -5,6 +5,8 @@
inherit dpkg
+PROVIDES = "secure-boot-secrets"
+DEBIAN_PROVIDES = "secure-boot-secrets"
SRC_URI = "file://Makefile.tmpl"
S = "${WORKDIR}/src"
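Review bot: the virtual name `secure-boot-secrets` has to line up with the default paths patch 2 introduces (`/usr/share/secure-boot-secrets/secure-boot.key` and `secure-boot.pem`), but nothing in this hunk records that an alternative provider must install its key and certificate under exactly those names; a one-line comment above `PROVIDES` stating the expected file layout would make the contract visible to anyone writing a replacement key provider. As a style point, the two added lines are inserted without a blank line before `SRC_URI`, unlike patch 1 which leaves one.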
--
2.39.2
* [PATCH 4/5] meta/recipes-kernel/linux-module: add option to set default signing profile and dependencies
From: 'Gokhan Cetin' via isar-users @ 2025-04-15 12:22 UTC (permalink / raw)
To: isar-users; +Cc: gokhan.cetin
Introduces a single configuration variable (`SIGNATURE_ENABLED`) to
set the predefined profile and the dependencies that need to be provided.
By using this option, downstreams will be able to sign all
kernel modules without appending any additional configuration
into their module recipes.
Signed-off-by: Gokhan Cetin <gokhan.cetin@siemens.com>
---
meta/recipes-kernel/linux-module/module.inc | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/meta/recipes-kernel/linux-module/module.inc b/meta/recipes-kernel/linux-module/module.inc
index 45d88d48..576a2cad 100644
--- a/meta/recipes-kernel/linux-module/module.inc
+++ b/meta/recipes-kernel/linux-module/module.inc
@@ -27,6 +27,12 @@ SIGNATURE_KEYFILE ??= "/usr/share/secure-boot-secrets/secure-boot.key"
SIGNATURE_CERTFILE ??= "/usr/share/secure-boot-secrets/secure-boot.pem"
SIGNATURE_HASHFN ??= "sha256"
SIGNATURE_SIGNWITH ??= "/usr/bin/sign-module.sh"
+SIGNATURE_ENABLED ??= ""
+
+# Define signing profile and dependencies if SIGNATURE_ENABLED is set to "1"
+DEB_BUILD_PROFILES += "${@'pkg.signwith' if bb.utils.to_boolean(d.getVar('SIGNATURE_ENABLED')) else ''}"
+DEPENDS += "${@'module-signer secure-boot-secrets' if bb.utils.to_boolean(d.getVar('SIGNATURE_ENABLED')) else ''}"
+DEBIAN_BUILD_DEPENDS .= "${@', module-signer, secure-boot-secrets' if bb.utils.to_boolean(d.getVar('SIGNATURE_ENABLED')) else ''}"
SRC_URI += "file://debian/"
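Review bot: the comment says the profile is added when `SIGNATURE_ENABLED` is set to "1", but `bb.utils.to_boolean()` also accepts "y", "yes" and "true" (and raises on anything it does not recognise), so either the comment should say "set to a true value" or the check should be a literal `== "1"` comparison; the same condition is also evaluated three times and could be hoisted into one helper variable. With `??=` the variable can only be switched on per recipe or from a weak default, which is the build-wide control question Jan raises; and when it is off the recipe silently falls back to an unsigned module, so a `bb.note` or `bb.warn` in the `else` branch would make an accidentally unsigned build visible in the log. Finally, `DEBIAN_BUILD_DEPENDS .= ', module-signer, secure-boot-secrets'` relies on the variable already being non-empty (it is initialised to `${KERNEL_HEADERS_PKG}` per the context line of patch 2); if that initialisation is ever overridden to an empty value the Build-Depends line will start with a comma.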
--
2.39.2
* [PATCH 5/5] doc/user_manual: describe module signer and certificate provider configuration
From: 'Gokhan Cetin' via isar-users @ 2025-04-15 12:22 UTC (permalink / raw)
To: isar-users; +Cc: gokhan.cetin
Mentions how `SIGNATURE_ENABLED` can be used and how to manage the dependencies.
Signed-off-by: Gokhan Cetin <gokhan.cetin@siemens.com>
---
doc/user_manual.md | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/doc/user_manual.md b/doc/user_manual.md
index d8e5c33e..50d98f85 100644
--- a/doc/user_manual.md
+++ b/doc/user_manual.md
@@ -1162,9 +1162,17 @@ To provide a signer script that implements your custom signing solution, `SIGNAT
can be set for the script path within the module recipe together with `SIGNATURE_CERTFILE` to define the public
certificate path of the signer.
+In order to easily choose between different signing solutions, signer recipes should provide the `module-signer`
+and certificate provider recipes should provide the `secure-boot-secrets` as virtual package to meet build dependencies.
+This way, desired signers and certificates can be configured using `PREFERRED_PROVIDER`.
+
Please see how `module-signer-example` hook generates a detached signature for the kernel module implemented in
`example-module-signedwith` recipe.
+In order not to cause repetitive changes in kernel module recipes,
+if `SIGNATURE_ENABLED = "1"`, `pkg.signwith` build profile is added by default in addition to
+`module-signer` and `secure-boot-secrets` package dependencies to the kernel module recipes.
+
### Cross Support for Imagers
If `ISAR_CROSS_COMPILE = "1"`, the imager and optional compression tasks
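Review bot: the new paragraph names `PREFERRED_PROVIDER` but never shows the concrete form, so readers will not know which variable names patches 1 and 3 make meaningful; a short example such as `PREFERRED_PROVIDER_module-signer = "<your-signer-recipe>"` and `PREFERRED_PROVIDER_secure-boot-secrets = "<your-keys-recipe>"` (placeholder values) would make it actionable. It should also say that `PREFERRED_PROVIDER` only selects the recipe BitBake builds, while the apt-level build dependency is resolved through the `DEBIAN_PROVIDES` virtual package, so a replacement signer has to set both; and it should mention the fixed paths (`/usr/share/secure-boot-secrets/secure-boot.key`, `secure-boot.pem` and `/usr/bin/sign-module.sh`) a replacement provider must serve unless the recipe overrides `SIGNATURE_KEYFILE`, `SIGNATURE_CERTFILE` or `SIGNATURE_SIGNWITH`. The phrase "should provide the `module-signer`" is missing its noun (virtual target and package), as Jan also points out.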
--
2.39.2
* Re: [PATCH 4/5] meta/recipes-kernel/linux-module: add option to set default signing profile and dependencies
From: 'Jan Kiszka' via isar-users @ 2025-04-15 15:25 UTC (permalink / raw)
To: Gokhan Cetin, isar-users
On 15.04.25 14:22, 'Gokhan Cetin' via isar-users wrote:
> Introduces single configuration variable (`SIGNATURE_ENABLED`) to
> set all predefined profile and dependencies need to be provided.
>
> By using this option, downstreams will be able to sign all
> kernel modules without appending any additional configuration
> into their module recipes.
>
> Signed-off-by: Gokhan Cetin <gokhan.cetin@siemens.com>
> ---
> meta/recipes-kernel/linux-module/module.inc | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/meta/recipes-kernel/linux-module/module.inc b/meta/recipes-kernel/linux-module/module.inc
> index 45d88d48..576a2cad 100644
> --- a/meta/recipes-kernel/linux-module/module.inc
> +++ b/meta/recipes-kernel/linux-module/module.inc
> @@ -27,6 +27,12 @@ SIGNATURE_KEYFILE ??= "/usr/share/secure-boot-secrets/secure-boot.key"
> SIGNATURE_CERTFILE ??= "/usr/share/secure-boot-secrets/secure-boot.pem"
> SIGNATURE_HASHFN ??= "sha256"
> SIGNATURE_SIGNWITH ??= "/usr/bin/sign-module.sh"
> +SIGNATURE_ENABLED ??= ""
Should this last control actually be by module recipe (which includes
module.inc), or shouldn't we also support build-wide enabling via
local.conf etc.? In the latter case, isar should introduce a global
control variable, say KERNEL_MODULE_SIGNATURES, which controls that for
every module recipe.
Jan
> +
> +# Define signing profile and dependencies if SIGNATURE_ENABLED is set to "1"
> +DEB_BUILD_PROFILES += "${@'pkg.signwith' if bb.utils.to_boolean(d.getVar('SIGNATURE_ENABLED')) else ''}"
> +DEPENDS += "${@'module-signer secure-boot-secrets' if bb.utils.to_boolean(d.getVar('SIGNATURE_ENABLED')) else ''}"
> +DEBIAN_BUILD_DEPENDS .= "${@', module-signer, secure-boot-secrets' if bb.utils.to_boolean(d.getVar('SIGNATURE_ENABLED')) else ''}"
>
> SRC_URI += "file://debian/"
>
--
Siemens AG, Foundational Technologies
Linux Expert Center
* Re: [PATCH 5/5] doc/user_manual: describe module signer and certificate provider configuration
From: 'Jan Kiszka' via isar-users @ 2025-04-15 15:26 UTC (permalink / raw)
To: Gokhan Cetin, isar-users
On 15.04.25 14:22, 'Gokhan Cetin' via isar-users wrote:
> Mentions how `SIGNATURE_ENABLED` can be used and how to manage the dependencies.
>
> Signed-off-by: Gokhan Cetin <gokhan.cetin@siemens.com>
> ---
> doc/user_manual.md | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/doc/user_manual.md b/doc/user_manual.md
> index d8e5c33e..50d98f85 100644
> --- a/doc/user_manual.md
> +++ b/doc/user_manual.md
> @@ -1162,9 +1162,17 @@ To provide a signer script that implements your custom signing solution, `SIGNAT
> can be set for the script path within the module recipe together with `SIGNATURE_CERTFILE` to define the public
> certificate path of the signer.
>
> +In order to easily choose between different signing solutions, signer recipes should provide the `module-signer`
...target and package
> +and certificate provider recipes should provide the `secure-boot-secrets` as virtual package to meet build dependencies.
> +This way, desired signers and certificates can be configured using `PREFERRED_PROVIDER`.
> +
> Please see how `module-signer-example` hook generates a detached signature for the kernel module implemented in
> `example-module-signedwith` recipe.
>
> +In order not to cause repetitive changes in kernel module recipes,
I think this argument need not be in the user manual. It's enough to
state that there is a variable to enable signing (per recipe or globally,
see patch 4).
> +if `SIGNATURE_ENABLED = "1"`, `pkg.signwith` build profile is added by default in addition to
> +`module-signer` and `secure-boot-secrets` package dependencies to the kernel module recipes.
> +
> ### Cross Support for Imagers
>
> If `ISAR_CROSS_COMPILE = "1"`, the imager and optional compression tasks
Jan
--
Siemens AG, Foundational Technologies
Linux Expert Center