From: "Mustafa Yücel" <yuecelm@gmail.com>
To: Jan Kiszka <jan.kiszka@siemens.com>,
isar-users <isar-users@googlegroups.com>
Subject: Re: signing support for (in-tree and external) kernel modules
Date: Wed, 29 Apr 2020 20:57:39 +0200
Message-ID: <3a5d776b-3cce-ba0f-cf37-f4e2a0afc65a@gmail.com>
In-Reply-To: <9d4818d5-e884-a600-0504-996042f31e3b@siemens.com>
>> Where did you get CONFIG_MODULE_SIG_FORMAT from? CONFIG_MODULE_SIG is the
>> trigger to create this binary:
>>
>> scripts/Makefile:hostprogs-$(CONFIG_MODULE_SIG)+= sign-file
>>
>
> I was looking at kernel 5.6.
>
> Then we likely need multiple conditions for when to run sign-file while
> building an external module.
>
> And we also need some idea how to deploy the shared keys to all
> recipes. If we only talk about two or three, the kernel recipe could
> carry the keys as artifacts, and other recipes would simply link them.
> But that is not really nice to maintain. We could, of course, package
> the keys into linux-headers. Downside: Someone may then accidentally
> ship them on a device.
Maybe we can use a separate package, e.g. kernel-module-signkeys?
Normally this package will only be used for building; we can output an
error during the isar build when someone installs this package into the
image (prevents "accidentally ship them on a device").
Next point: can we somehow avoid with isar that this package shows up in
some apt repo (outside the isar build system)?
On Wednesday, April 29, 2020 at 5:35:15 PM UTC+2, Jan Kiszka wrote:
>>
>> On 29.04.20 15:00, yue...@gmail.com wrote:
>> > In-tree kernel modules get signed with the CONFIG_MODULE_SIG_ALL kernel
>> > option, but extra (resp. external) modules not. If you (resp. isar) do
>> > not provide an (external) signing key, the kernel build autogenerates a
>> > private/public key pair. It would be nice if the isar build system
>> > provided some support for signing kernel modules.
>> >
>> > I see currently 2 use cases:
>> > 1) let the kernel build autogenerate a private/public key for kernel
>> > module signing and kernel-module reuse the key for signing (evt. isar
>> > deletes the private key after image generation)
>> > 2) provide an (external) private and public key for kernel module
>> > signing that will be used in kernel and kernel-module recipes
>> >
>>
>> We likely want to go for path 2 because the first option prevents
>> reproducibility. And that means we need to define a channel how to
>> provide those keys both to the kernel build as well as the external
>> module builds.
>>
>> Did you happen to observe if kernel-headers will include at least the
>> script/sign-file host tool when CONFIG_MODULE_SIG_FORMAT is enabled?
>> That - together with the keys - would be needed in order to sign
>> external modules already during their build.
>>
>> Jan
>>
>> --
>> Siemens AG, Corporate Technology, CT RDA IOT SES-DE
>> Corporate Competence Center Embedded Linux
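The thread turns on two checks that an image build would want before packaging: every module that ends up in the image carries a signature, and the private half of the signing key does not. The script below is an added example, not code from this thread, from isar or from the kernel tree. It relies on two facts from the kernel sources: the signing host tool is invoked as `scripts/sign-file <hash> <key.pem> <cert.x509> <module.ko>`, and a signed module ends with the fixed trailer string "~Module signature appended~\n" after the raw signature and the signature descriptor. Everything else (function names, the rootfs layout, the sample tree built by `make_sample`) is constructed for the demonstration.

```shell
#!/bin/sh
# Post-build checks for a signed-module image (added example, not isar code).
#
# Assumed workflow (not from the thread): external modules are signed at
# build time with the kernel's host tool, e.g.
#   scripts/sign-file sha256 signing_key.pem signing_key.x509 foo.ko
# and the image recipe runs the two checks below before the rootfs is packed.

# Fixed trailer the kernel appends to every signed module (27 chars + "\n").
SIG_MAGIC='~Module signature appended~'

# module_is_signed FILE -> exit 0 if FILE ends with the signature trailer.
# Only the last 28 bytes are read, so this is cheap even for large .ko files.
module_is_signed() {
    tail -c 28 "$1" | grep -q -F -x -e "$SIG_MAGIC"
}

# unsigned_modules DIR -> prints every *.ko under DIR without a trailer and
# returns 1 if any was found, so a recipe can fail the build on it.
# (Word-splitting on find output is fine here: module paths carry no spaces.)
unsigned_modules() {
    rc=0
    for ko in $(find "$1" -name '*.ko' | sort); do
        if ! module_is_signed "$ko"; then
            echo "$ko"
            rc=1
        fi
    done
    return $rc
}

# rootfs_has_private_key ROOTFS -> exit 0 if a PEM private-key block exists
# anywhere under ROOTFS, i.e. the "accidentally ship them on a device" case.
# Matching the PEM header instead of a file name also catches renamed copies.
rootfs_has_private_key() {
    grep -r -l -q -E -e '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1" 2>/dev/null
}

# make_sample DIR -> constructed sample tree for a dry run: one module with
# the trailer, one without, and a stray private key. Not real ELF objects.
make_sample() {
    mkdir -p "$1/lib/modules/5.6.0/extra" "$1/keys"
    printf 'ELF-placeholder-bytes' > "$1/lib/modules/5.6.0/extra/signed.ko"
    printf '\001\002\003%s\n' "$SIG_MAGIC" >> "$1/lib/modules/5.6.0/extra/signed.ko"
    printf 'ELF-placeholder-bytes' > "$1/lib/modules/5.6.0/extra/unsigned.ko"
    printf -- '-----BEGIN PRIVATE KEY-----\nMIIB-placeholder\n-----END PRIVATE KEY-----\n' \
        > "$1/keys/signing_key.pem"
}

# Run `sh check-modules.sh --demo` to exercise the checks on the sample tree.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_sample "$d"
    unsigned_modules "$d/lib/modules" || echo "error: unsigned modules listed above"
    rootfs_has_private_key "$d" && echo "error: private signing key present in rootfs"
    rm -rf "$d"
fi
```

In a real recipe the two functions would run against the staged rootfs, and the key check is what enforces the "build-only" nature of a package such as the proposed kernel-module-signkeys: installing it into the image trips `rootfs_has_private_key` regardless of the package name.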
Thread overview: 8+ messages
2020-04-29 13:00 yuecelm
2020-04-29 15:35 ` Jan Kiszka
2020-04-29 16:51 ` Mustafa Yücel
2020-04-29 17:38 ` Jan Kiszka
2020-04-29 18:57 ` Mustafa Yücel [this message]
2020-04-29 20:15 ` Henning Schild
2020-04-29 21:04 ` Mustafa Yücel
2020-04-30 10:42 ` Henning Schild