From: "'Badrikesh Prusty' via isar-users"
To: isar-users@googlegroups.com
Cc: cedric.hombourger@siemens.com, Badrikesh Prusty
Subject: [PATCH] linux-custom: generate secrets package for out-of-tree module signing
Date: Mon, 19 Jan 2026 01:06:48 -0500
Message-ID: <20260119060648.40011-1-badrikesh.prusty@siemens.com>

Add a new package, linux-image--secrets, to ship the kernel module signing
keys required for signing out-of-tree kernel modules. The package is built
only when the pkg..secrets build profile is enabled and installs the
signing_key artifacts generated during the kernel build into
/usr/share/linux-secrets.
This allows out-of-tree modules to be signed with the same key used for
in-tree modules.

Usage:

In the out-of-tree module recipe:
SIGNATURE_KEYFILE = "/usr/share/linux-secrets/signing_key.pem"
SIGNATURE_CERTFILE = "/usr/share/linux-secrets/signing_key.x509"
DEBIAN_BUILD_DEPENDS:append = ", linux-secrets"

In the kernel recipe, enable the secrets build profile:
BUILD_PROFILES:append = " pkg.${BPN}.secrets"

NOTE: The linux-image--secrets package contains the private module signing
key. Care must be taken NOT to distribute this package in package feeds or
images, as this would allow anyone to sign kernel modules that the kernel
would trust.

Signed-off-by: Badrikesh Prusty
---
 RECIPE-API-CHANGELOG.md                  | 24 +++++++++++++++++++
 .../linux/files/debian/control.tmpl      |  7 ++++++
 .../linux/files/debian/isar/common.tmpl  |  1 +
 .../linux/files/debian/isar/install.tmpl | 19 +++++++++++++++
 4 files changed, 51 insertions(+)

diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md
index 0bad8a44..1a33d6ae 100644
--- a/RECIPE-API-CHANGELOG.md
+++ b/RECIPE-API-CHANGELOG.md
@@ -962,3 +962,27 @@ INSTALLER_UNATTENDED_ABORT_ENABLE = "1" # Optional: set countdown timeout in seconds (default 5) INSTALLER_UNATTENDED_ABORT_TIMEOUT = "5" ``` + +### Add linux-image--secrets package for out-of-tree module signing + +linux-image--secrets ships kernel module signing keys required for +signing out-of-tree kernel modules. + +The package is built only when the `pkg..secrets` build profile is +enabled and installs the signing_key artifacts generated during the kernel +build into `/usr/share/linux-secrets`. + +Usage: +``` +# In the out-of-tree module recipe: +SIGNATURE_KEYFILE = "/usr/share/linux-secrets/signing_key.pem" +SIGNATURE_CERTFILE = "/usr/share/linux-secrets/signing_key.x509" +DEBIAN_BUILD_DEPENDS:append = ", linux-secrets" + +# In the kernel recipe, enable the secrets build profile: +BUILD_PROFILES:append = " pkg.${BPN}.secrets" +``` + +SECURITY NOTE: This package contains the private module signing key. Do not +distribute it in package feeds or images, as this would allow anyone to sign +kernel modules that the kernel would trust. diff --git a/meta/recipes-kernel/linux/files/debian/control.tmpl b/meta/recipes-kernel/linux/files/debian/control.tmpl index ee87cf92..969f6b0c 100644 --- a/meta/recipes-kernel/linux/files/debian/control.tmpl +++ b/meta/recipes-kernel/linux/files/debian/control.tmpl @@ -69,3 +69,10 @@ Conflicts: linux-kbuild-${KERNEL_NAME_PROVIDED} Description: ${KERNEL_NAME_PROVIDED} Linux kbuild scripts and tools for @KR@ This package provides kernel kbuild scripts and tools for @KR@ This is useful for people who need to build external modules + +Package: linux-image-${KERNEL_NAME_PROVIDED}-secrets +Build-Profiles: +Section: devel +Provides: linux-secrets +Architecture: all +Description: Linux kernel module signing secrets diff --git a/meta/recipes-kernel/linux/files/debian/isar/common.tmpl b/meta/recipes-kernel/linux/files/debian/isar/common.tmpl index f9cc2f02..6554cdb0 100644 
--- a/meta/recipes-kernel/linux/files/debian/isar/common.tmpl +++ b/meta/recipes-kernel/linux/files/debian/isar/common.tmpl @@ -38,6 +38,7 @@ deb_libc_hdr_dir=${deb_top_dir}/${KERNEL_PKG_LIBC_HEADERS} deb_libc_hdr_cross_dir=${deb_top_dir}/${KERNEL_PKG_LIBC_HEADERS_CROSS} deb_kern_kbuild_dir=${deb_top_dir}/${KERNEL_PKG_KERN_KBUILD} deb_kern_kbuild_cross_dir=${deb_top_dir}/${KERNEL_PKG_KERN_KBUILD_CROSS} +deb_kern_secrets=${deb_top_dir}/${KERNEL_PKG_IMAGE}-secrets # Array of packages to be generated declare -A kern_pkgs diff --git a/meta/recipes-kernel/linux/files/debian/isar/install.tmpl b/meta/recipes-kernel/linux/files/debian/isar/install.tmpl index 6fa94508..99d64ca5 100644 --- a/meta/recipes-kernel/linux/files/debian/isar/install.tmpl +++ b/meta/recipes-kernel/linux/files/debian/isar/install.tmpl @@ -70,6 +70,11 @@ do_install() { install_headers fi + if echo "${DEB_BUILD_PROFILES}" | grep -q "pkg.${BPN}.secrets"; then + kern_secrets_path="${deb_kern_secrets}/usr/share/linux-secrets" + install_module_signing_secrets "${kern_secrets_path}" + fi + # Stop tracing set +x } 
@@ -271,4 +276,18 @@ install_kbuild() { kernel_tools } +install_module_signing_secrets() { + local dest="${1}" + local keydir="${KERNEL_BUILD_DIR}/certs" + local priv="${keydir}/signing_key.pem" + local cert="${keydir}/signing_key.x509" + if [ ! -f "${priv}" ] || [ ! -f "${cert}" ]; then + echo "error: module signing keys not found but pkg.${BPN}.secrets is enabled" >&2 + return 1 + fi + install -d -m 0755 ${dest} + install -m 0400 ${KERNEL_BUILD_DIR}/certs/signing_key.pem ${dest}/ + install -m 0444 ${KERNEL_BUILD_DIR}/certs/signing_key.x509 ${dest}/ +} + main install ${*} -- 2.39.5 -- You received this message because you are subscribed to the Google Groups "isar-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/isar-users/20260119060648.40011-1-badrikesh.prusty%40siemens.com.
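Review bot: the RECIPE-API-CHANGELOG.md hunk's SECURITY NOTE tells users not to distribute the secrets package, but the Usage block above it only shows how to enable the profile and depend on `linux-secrets`; since this file is the user-facing API documentation, add one sentence on which step a layer is expected to take so that `linux-image-...-secrets` stays out of the published feed and the image (for example, never listing it for image installation and excluding it when the deploy directory is published), otherwise the note is advice without a mechanism.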
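Review bot: `Provides: linux-secrets` in the new `linux-image-${KERNEL_NAME_PROVIDED}-secrets` stanza of control.tmpl lets every kernel flavour built with the profile satisfy the same virtual name, so a module recipe that Build-Depends on `linux-secrets` (as the changelog text recommends) may resolve to another flavour's key when more than one kernel is present. Consider mirroring the kbuild stanza's `Conflicts: linux-kbuild-${KERNEL_NAME_PROVIDED}` pattern with a `Conflicts: linux-secrets` line, or document a dependency on the flavour-specific package name. The `Description:` also has no extended description line, unlike the kbuild stanza directly above it.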
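Review bot: in the common.tmpl hunk, `deb_kern_secrets` breaks the naming of the neighbouring variables, which all end in `_dir` (`deb_kern_kbuild_dir`, `deb_kern_kbuild_cross_dir`); `deb_kern_secrets_dir` would match. The hunk also does not register the new package in the `kern_pkgs` array declared just below ("Array of packages to be generated"); confirm the package is still produced when the profile is set, or add it there under the same profile condition.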
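Review bot: the `do_install` hunk's `echo "${DEB_BUILD_PROFILES}" | grep -q "pkg.${BPN}.secrets"` is an unanchored regex match, so the dots match any character and any profile name that merely contains this string (a hypothetical `pkg.${BPN}.secrets-dev`, say) would also trigger installation of the private key. A whole-token match on the space-separated list is safer: `case " ${DEB_BUILD_PROFILES} " in *" pkg.${BPN}.secrets "*) install_module_signing_secrets "${deb_kern_secrets}/usr/share/linux-secrets" ;; esac`. Also verify that the `return 1` from `install_module_signing_secrets` actually aborts `do_install` in this script, rather than leaving an empty secrets package to be built with the profile enabled.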
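Review bot: in `install_module_signing_secrets`, the `priv` and `cert` locals are used only for the existence check; the two `install` lines then re-spell `${KERNEL_BUILD_DIR}/certs/signing_key.pem` and `.x509` and leave `${dest}` and the source paths unquoted, unlike the quoted test above them. Use the locals consistently and quote them: `install -m 0400 "${priv}" "${dest}/"` and `install -m 0444 "${cert}" "${dest}/"`. Mode 0400 on the private key is the right default; it is worth stating in the function comment or the changelog which user is expected to read it at module build time, since that mode admits only the file owner.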