* [PATCH v2 0/5] Structure module signing dependencies and providers
From: 'Gokhan Cetin' via isar-users @ 2025-04-16 17:17 UTC (permalink / raw)
To: isar-users; +Cc: gokhan.cetin, jan.kiszka
As of now, the same configuration block has to be repeated in every
module recipe to specify build-time dependencies on the recipes that
provide the required build profile and the scripts and certificates
used in kernel module signing.
With these changes, it is possible to enable a recommended signature
configuration for all module recipes without touching the modules,
while it is still possible to customize the configuration when necessary.
Gokhan Cetin (5):
module-signer-example: define virtual package name as module-signer
meta/recipes-kernel/linux-module: Define default paths for signing
related variables
meta-isar/recipes-secureboot/sb-mok-keys: define virtual package name
meta/recipes-kernel/linux-module: add option to set default signing
profile and dependencies
doc/user_manual: describe module signer and certificate provider
configuration
doc/user_manual.md | 8 ++++++++
.../module-signer-example/module-signer-example.bb | 3 +++
.../recipes-secureboot/sb-mok-keys/sb-mok-keys.bb | 2 ++
meta/recipes-kernel/linux-module/module.inc | 13 ++++++++++---
4 files changed, 23 insertions(+), 3 deletions(-)
--
2.39.2
--
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20250416171709.742191-1-gokhan.cetin%40siemens.com.
* [PATCH v2 1/5] module-signer-example: define virtual package name as module-signer
From: 'Gokhan Cetin' via isar-users @ 2025-04-16 17:17 UTC (permalink / raw)
To: isar-users; +Cc: gokhan.cetin, jan.kiszka
This will help to easily manage dependencies on providers implemented in downstreams.
Signed-off-by: Gokhan Cetin <gokhan.cetin@siemens.com>
---
.../module-signer-example/module-signer-example.bb | 3 +++
1 file changed, 3 insertions(+)
diff --git a/meta-isar/recipes-devtools/module-signer-example/module-signer-example.bb b/meta-isar/recipes-devtools/module-signer-example/module-signer-example.bb
index 001e8cc8..58a84d01 100644
--- a/meta-isar/recipes-devtools/module-signer-example/module-signer-example.bb
+++ b/meta-isar/recipes-devtools/module-signer-example/module-signer-example.bb
@@ -9,6 +9,9 @@ inherit dpkg-raw
DPKG_ARCH = "all"
+PROVIDES = "module-signer"
+DEBIAN_PROVIDES = "module-signer"
+
DEPENDS = "sb-mok-keys"
DEBIAN_DEPENDS += "openssl, sb-mok-keys"
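Review bot: a plain `PROVIDES = "module-signer"` makes this recipe one of possibly several providers of the virtual name, and bitbake will not pick one silently once a downstream layer adds its own signer, so the commit message should state that consumers have to set `PREFERRED_PROVIDER_module-signer` as soon as more than one provider is in the layer stack. The same ambiguity exists on the apt side: `DEBIAN_PROVIDES = "module-signer"` creates a purely virtual Debian package, and apt does not auto-select between two concrete packages providing it inside the build chroot, so the preferred provider is what has to end up there. A short comment above the two lines saying that both the bitbake and the Debian name are resolved through the preferred provider would make the example self-explanatory.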
--
2.39.2
* [PATCH v2 2/5] meta/recipes-kernel/linux-module: Define default paths for signing related variables
From: 'Gokhan Cetin' via isar-users @ 2025-04-16 17:17 UTC (permalink / raw)
To: isar-users; +Cc: gokhan.cetin, jan.kiszka
They are initialized with almost standardized paths in isar-cip-core and many other layers.
In this way, it is possible to get rid of dozens of repeated lines in module recipes.
Signed-off-by: Gokhan Cetin <gokhan.cetin@siemens.com>
---
meta/recipes-kernel/linux-module/module.inc | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/meta/recipes-kernel/linux-module/module.inc b/meta/recipes-kernel/linux-module/module.inc
index 3b0ceae7..45d88d48 100644
--- a/meta/recipes-kernel/linux-module/module.inc
+++ b/meta/recipes-kernel/linux-module/module.inc
@@ -23,10 +23,10 @@ DEBIAN_BUILD_DEPENDS = "${KERNEL_HEADERS_PKG}"
# Do not generate debug symbols packages, as not supported for modules
DEB_BUILD_OPTIONS += "noautodbgsym"
-SIGNATURE_KEYFILE ??= ""
-SIGNATURE_CERTFILE ??= ""
+SIGNATURE_KEYFILE ??= "/usr/share/secure-boot-secrets/secure-boot.key"
+SIGNATURE_CERTFILE ??= "/usr/share/secure-boot-secrets/secure-boot.pem"
SIGNATURE_HASHFN ??= "sha256"
-SIGNATURE_SIGNWITH ??= ""
+SIGNATURE_SIGNWITH ??= "/usr/bin/sign-module.sh"
SRC_URI += "file://debian/"
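Review bot: turning the `??=` defaults of `SIGNATURE_KEYFILE`, `SIGNATURE_CERTFILE` and `SIGNATURE_SIGNWITH` from empty strings into concrete paths removes the empty-string sentinel, so any logic in module.inc or a module's debian/rules that skipped signing when `SIGNATURE_SIGNWITH` was empty would now always find a value; the commit message should confirm that signing is gated only by the `pkg.signwith` build profile and that these paths are not dereferenced unless that profile is active. The paths also hardcode a contract that every `secure-boot-secrets` and `module-signer` provider must honour (`/usr/share/secure-boot-secrets/secure-boot.key`, `.../secure-boot.pem` and `/usr/bin/sign-module.sh`); a comment next to the defaults naming that contract, and a note on whether `sb-mok-keys` and `module-signer-example` already install exactly these file names, would spare readers a trip to isar-cip-core.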
--
2.39.2
* [PATCH v2 3/5] meta-isar/recipes-secureboot/sb-mok-keys: define virtual package name
From: 'Gokhan Cetin' via isar-users @ 2025-04-16 17:17 UTC (permalink / raw)
To: isar-users; +Cc: gokhan.cetin, jan.kiszka
As done by 946b908b, this will allow more key providers to meet further
common dependencies.
Signed-off-by: Gokhan Cetin <gokhan.cetin@siemens.com>
---
meta-isar/recipes-secureboot/sb-mok-keys/sb-mok-keys.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta-isar/recipes-secureboot/sb-mok-keys/sb-mok-keys.bb b/meta-isar/recipes-secureboot/sb-mok-keys/sb-mok-keys.bb
index 61378347..2a8b66d4 100644
--- a/meta-isar/recipes-secureboot/sb-mok-keys/sb-mok-keys.bb
+++ b/meta-isar/recipes-secureboot/sb-mok-keys/sb-mok-keys.bb
@@ -5,6 +5,8 @@
inherit dpkg
+PROVIDES = "secure-boot-secrets"
+DEBIAN_PROVIDES = "secure-boot-secrets"
SRC_URI = "file://Makefile.tmpl"
S = "${WORKDIR}/src"
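Review bot: style: the two `PROVIDES`/`DEBIAN_PROVIDES` lines are inserted directly above `SRC_URI` without the blank line that 1/5 left after its provider block; add one so both recipes read the same way. The caveat from 1/5 applies here too: once a second provider of `secure-boot-secrets` exists, `PREFERRED_PROVIDER_secure-boot-secrets` has to be set, which the commit message could mention alongside the reference to 946b908b.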
--
2.39.2
* [PATCH v2 4/5] meta/recipes-kernel/linux-module: add option to set default signing profile and dependencies
From: 'Gokhan Cetin' via isar-users @ 2025-04-16 17:17 UTC (permalink / raw)
To: isar-users; +Cc: gokhan.cetin, jan.kiszka
Introduces a single control variable (`KERNEL_MODULE_SIGNATURES`) to
set the predefined build profile and dependencies that need to be configured
for kernel module signing.
By using this option, downstreams will be able to enable build-wide signing
of kernel modules that include module.inc without appending any additional
configuration to their module recipes.
Signed-off-by: Gokhan Cetin <gokhan.cetin@siemens.com>
---
meta/recipes-kernel/linux-module/module.inc | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/meta/recipes-kernel/linux-module/module.inc b/meta/recipes-kernel/linux-module/module.inc
index 45d88d48..8fe5eed4 100644
--- a/meta/recipes-kernel/linux-module/module.inc
+++ b/meta/recipes-kernel/linux-module/module.inc
@@ -28,6 +28,13 @@ SIGNATURE_CERTFILE ??= "/usr/share/secure-boot-secrets/secure-boot.pem"
SIGNATURE_HASHFN ??= "sha256"
SIGNATURE_SIGNWITH ??= "/usr/bin/sign-module.sh"
+KERNEL_MODULE_SIGNATURES ??= ""
+
+# Define signing profile and dependencies if KERNEL_MODULE_SIGNATURES is set to "1"
+DEB_BUILD_PROFILES += "${@'pkg.signwith' if bb.utils.to_boolean(d.getVar('KERNEL_MODULE_SIGNATURES')) else ''}"
+DEPENDS += "${@'module-signer secure-boot-secrets' if bb.utils.to_boolean(d.getVar('KERNEL_MODULE_SIGNATURES')) else ''}"
+DEBIAN_BUILD_DEPENDS .= "${@', module-signer, secure-boot-secrets' if bb.utils.to_boolean(d.getVar('KERNEL_MODULE_SIGNATURES')) else ''}"
+
SRC_URI += "file://debian/"
AUTOLOAD ?= ""
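Review bot: `DEBIAN_BUILD_DEPENDS .= ", module-signer, secure-boot-secrets"` relies on `DEBIAN_BUILD_DEPENDS` already being non-empty (it is `${KERNEL_HEADERS_PKG}` at the top of this file; an empty value would yield a leading comma in Build-Depends), and both this line and the `DEPENDS +=` line above it are silently lost if a module recipe assigns either variable with `=` after including module.inc, so the comment on the block should say that recipes must append rather than assign. The three `bb.utils.to_boolean(d.getVar('KERNEL_MODULE_SIGNATURES'))` expressions repeat the same test; a single intermediate variable or a small Python function in the file would keep the policy in one place. The comment says "set to 1", but `bb.utils.to_boolean` also accepts "true" and "yes"; either document that or word the comment to match the check.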
--
2.39.2
* [PATCH v2 5/5] doc/user_manual: describe module signer and certificate provider configuration
From: 'Gokhan Cetin' via isar-users @ 2025-04-16 17:17 UTC (permalink / raw)
To: isar-users; +Cc: gokhan.cetin, jan.kiszka
Mentions how `KERNEL_MODULE_SIGNATURES` can be used and how to manage the dependencies.
Signed-off-by: Gokhan Cetin <gokhan.cetin@siemens.com>
---
doc/user_manual.md | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/doc/user_manual.md b/doc/user_manual.md
index d8e5c33e..627dacb7 100644
--- a/doc/user_manual.md
+++ b/doc/user_manual.md
@@ -1162,9 +1162,17 @@ To provide a signer script that implements your custom signing solution, `SIGNAT
can be set for the script path within the module recipe together with `SIGNATURE_CERTFILE` to define the public
certificate path of the signer.
+In order to choose between different signing solutions, signer recipes should provide the `module-signer`
+target and package while certificate provider recipes should provide the `secure-boot-secrets` as target and package
+to meet build dependencies. This way, desired signers and certificates can be configured using `PREFERRED_PROVIDER`.
+
Please see how `module-signer-example` hook generates a detached signature for the kernel module implemented in
`example-module-signedwith` recipe.
+You can enable build-wide kernel module signing by defining `KERNEL_MODULE_SIGNATURES = "1"` globally,
+in this case, `pkg.signwith` build profile is added by default in addition to
+`module-signer` and `secure-boot-secrets` target and package dependencies to the kernel module recipes.
+
### Cross Support for Imagers
If `ISAR_CROSS_COMPILE = "1"`, the imager and optional compression tasks
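Review bot: the new paragraphs should name the variables a provider actually sets (`PROVIDES` and `DEBIAN_PROVIDES`, as done in `module-signer-example` and `sb-mok-keys`) and the selectors the consumer uses (`PREFERRED_PROVIDER_module-signer`, `PREFERRED_PROVIDER_secure-boot-secrets`), because "provide the target and package" does not tell a reader which lines to write. The `KERNEL_MODULE_SIGNATURES` paragraph is one run-on sentence; split it, state which values enable it (it is evaluated with `bb.utils.to_boolean`, so "1", "yes" or "true" all work), and list the default `SIGNATURE_KEYFILE`, `SIGNATURE_CERTFILE` and `SIGNATURE_SIGNWITH` paths a provider must populate. Since the selected `secure-boot-secrets` package is installed into the build chroot of every module recipe once the switch is on, it is also worth one sentence on which of those files a production provider must ship and which are specific to the example signer.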
--
2.39.2
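As an added illustration of the configuration this series documents (not part of the patch series or of the isar repository), the following BitBake fragments show how a downstream layer would plug its own signer and certificate provider into the scheme: the conf selects one provider per virtual name and switches signing on globally, the two provider recipes export the virtual names at both the bitbake and the apt level and install into the default `SIGNATURE_*` paths from module.inc, and a module recipe shows that per-recipe overrides still work. The recipe names `acme-module-signer` and `acme-sb-keys`, the `files/` contents `sign-module.sh` and `secure-boot.pem`, and the assumption that the signer script obtains the private key elsewhere are all hypothetical.

```bitbake
# --- conf/local.conf (or the downstream distro conf) ---
# Select one provider per virtual name and switch signing on build-wide.
# Recipe names "acme-module-signer" and "acme-sb-keys" are hypothetical.
PREFERRED_PROVIDER_module-signer = "acme-module-signer"
PREFERRED_PROVIDER_secure-boot-secrets = "acme-sb-keys"
KERNEL_MODULE_SIGNATURES = "1"

# --- recipes-devtools/acme-module-signer/acme-module-signer.bb ---
# Signer package: exports the virtual name at the bitbake level (PROVIDES)
# and at the apt level (DEBIAN_PROVIDES), and installs its hook at the
# default SIGNATURE_SIGNWITH path so module recipes need no override.
# sign-module.sh is assumed to exist in this recipe's files/ directory.
inherit dpkg-raw

DPKG_ARCH = "all"

PROVIDES = "module-signer"
DEBIAN_PROVIDES = "module-signer"

DEPENDS = "secure-boot-secrets"
DEBIAN_DEPENDS += "openssl, secure-boot-secrets"

SRC_URI = "file://sign-module.sh"

do_install() {
    install -d ${D}/usr/bin
    install -m 0755 ${WORKDIR}/sign-module.sh ${D}/usr/bin/sign-module.sh
}

# --- recipes-secureboot/acme-sb-keys/acme-sb-keys.bb ---
# Certificate provider: ships only the public certificate at the default
# SIGNATURE_CERTFILE path. The private key is deliberately not packaged;
# the signer script above is assumed to reach it elsewhere (e.g. a signing
# service), so the default SIGNATURE_KEYFILE path is never populated.
inherit dpkg-raw

DPKG_ARCH = "all"

PROVIDES = "secure-boot-secrets"
DEBIAN_PROVIDES = "secure-boot-secrets"

SRC_URI = "file://secure-boot.pem"

do_install() {
    install -d ${D}/usr/share/secure-boot-secrets
    install -m 0644 ${WORKDIR}/secure-boot.pem \
        ${D}/usr/share/secure-boot-secrets/secure-boot.pem
}

# --- recipes-kernel/foo-module/foo-module.bb (excerpt) ---
# A module recipe can still override individual settings: module.inc
# assigns the SIGNATURE_* variables with ??=, so a plain assignment here
# wins while the global switch keeps adding the profile and dependencies.
require recipes-kernel/linux-module/module.inc

SIGNATURE_HASHFN = "sha512"

# Opting a single module out: "0" makes bb.utils.to_boolean() return False,
# so no pkg.signwith profile and no signer dependencies are added for it.
# KERNEL_MODULE_SIGNATURES = "0"
```

Both provider recipes must agree on the file names with the defaults in module.inc; if a downstream prefers a different layout, it overrides `SIGNATURE_CERTFILE` and `SIGNATURE_SIGNWITH` in its distro conf instead of in every module recipe, which the `??=` defaults permit.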