From mboxrd@z Thu Jan 1 00:00:00 1970 X-GM-THRID: 6821118203682357248 X-Received: by 2002:adf:fed2:: with SMTP id q18mr45457172wrs.157.1588186662227; Wed, 29 Apr 2020 11:57:42 -0700 (PDT) X-BeenThere: isar-users@googlegroups.com Received: by 2002:a5d:668b:: with SMTP id l11ls33420127wru.0.gmail; Wed, 29 Apr 2020 11:57:41 -0700 (PDT) X-Google-Smtp-Source: APiQypJCfpXqhay3nLMiMeXQ3LYKwOH6MjN3CpFBheVFuzbRhzoA6Sh4DUuC5mkG9YkO0CMqYRmQ X-Received: by 2002:adf:8441:: with SMTP id 59mr42471405wrf.237.1588186661459; Wed, 29 Apr 2020 11:57:41 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1588186661; cv=none; d=google.com; s=arc-20160816; b=diSf2IvjCO8Dya/E6z7+inyCdkI2pMj7Fehves7hCxFUhBSkSZ/+GqUXzLrfO6ynKQ TqSd9x3bztt/DcbWEiy4gqZf3WzA2sPTIBhoKdscqI37FteVxdt1ONfombyxXPGfwyLZ 2QiQeLoqZk21wiqnX6fdMvS960NvNR29D1lmB5WPo4DQqKZocLIj2OYzixQiWSp9jnJB 0X/ffPa+kK2kWV2DpSu++JPfLMwBPex+GBJfufqSuejuTFbPPyXVM7x64lmSeZ+Psks4 Kc6vVHjadDDAufAWoz4+ThJUMs+giBC5awt4zqDMEwgihpiTVlwROXZo9/qazntQLBRI Rl1A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-language:content-transfer-encoding:in-reply-to:mime-version :user-agent:date:message-id:from:references:to:subject :dkim-signature; bh=Cgao2SByI5vWG9iZI4fdwAISjNf1J1f2mZ4S71MDmBU=; b=NKuhmZBzHMNXhop3wKxQqlNh2QNQ7BVZbgEd+YVnGi4w5JhA9sKdi4KLf/l0ODO8uX sXvFJMMqtQ7e+OgpELrgucNX7zL7v3YuLD720i//J6xQwlPhcTS6GnaNZDzTHR2/WgWC 6nRAA2FCsOjZ77OyM8eZIeUsOGil+C9uni73Sh5zLvpoEeUG77TScYuQaBItEYV1rAOr jdIqH6Q6NtrgfLP04krw9ojBVPOpaZltjaeiM6wJlhoMsPTw4jQD7vO25HCsvYJHDuLA fGwShyApYo9wfOBaFb0ZMbgFs6/+y4mW2yj0J+gpDtXC2p/cumn2NX28px3Omha3bgWe 8UKA== ARC-Authentication-Results: i=1; gmr-mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=KtPHW3J3; spf=pass (google.com: domain of yuecelm@gmail.com designates 2a00:1450:4864:20::432 as permitted sender) smtp.mailfrom=yuecelm@gmail.com; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from mail-wr1-x432.google.com (mail-wr1-x432.google.com. [2a00:1450:4864:20::432]) by gmr-mx.google.com with ESMTPS id u23si508699wmn.0.2020.04.29.11.57.41 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 29 Apr 2020 11:57:41 -0700 (PDT) Received-SPF: pass (google.com: domain of yuecelm@gmail.com designates 2a00:1450:4864:20::432 as permitted sender) client-ip=2a00:1450:4864:20::432; Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=KtPHW3J3; spf=pass (google.com: domain of yuecelm@gmail.com designates 2a00:1450:4864:20::432 as permitted sender) smtp.mailfrom=yuecelm@gmail.com; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: by mail-wr1-x432.google.com with SMTP id t14so3831192wrw.12 for ; Wed, 29 Apr 2020 11:57:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-transfer-encoding:content-language; bh=Cgao2SByI5vWG9iZI4fdwAISjNf1J1f2mZ4S71MDmBU=; b=KtPHW3J38vF6n6bjcdufbiyTsAKJDN2jYEqQ7IrnGd/rgeQhyTzPLgI2Mxj39aOoMa kB7EpZ1gKzRvl26UAbTU5zNVXDKmcFqNlBlmRZgOSkS1/HEc1loAJwN7Kag2ARwz/piL P+KcF/EMs44RnJlTrXupVNc8igqbugignqizPmA2QZW+UlniWQqJWYUoYUBPYQEa+jcU EcJPa52314XxMXibwgeJtJP/3k5arcWN2C6LmBgBE/OCRd/5WqRbuzcY+G/UNMBFZOt7 lriKGEHKgYXkIj+BnQe//m5pfVE414fpmilg4VJrJm2wMochEpMz+t+rg6DnnncW9zUC wMpA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=Cgao2SByI5vWG9iZI4fdwAISjNf1J1f2mZ4S71MDmBU=; b=gzKrbitb/PVF3T+P32iXkaQETcvNIMqZmkf01LUJSDVMZPVJqarOl6kVYHSD8Ilk+u WlqQDQOdJXrlUQuSMqi5oESgSrWrnFo8brGfhMJi+OP0xNnbrS3gVDnVZ5kg09YWFJcU 2xbJm7ghXu13OxIfnOZbFZUmN72V1n8x/G9bUTgxWPXnl6RVbEVJkp39EwsbDNZMZMSE N5ywFR0I3l34GLI1uyzEz9BK7k0EvJeSY6t5EXPtMJhzmqF4WtAPUM1B8kvAhKnPJbQ3 +3YFOrmoDJ8YQDPu7TL/9dY/8NAA3GXW/RsUiI4rCdOVwCewYBd+SG61nCwS0wFjIuz0 2oyw== X-Gm-Message-State: AGi0PubOnXEUhPm7ZcPwNHq6H6iKnGKV5QJtT4JM60wk7TQhnYT/+v4v EvKim2hDkbeBz0Z+tMvA4t5jhPg4 X-Received: by 2002:a5d:640a:: with SMTP id z10mr42907860wru.280.1588186660816; Wed, 29 Apr 2020 11:57:40 -0700 (PDT) Return-Path: Received: from [192.168.5.10] (65.76.96.185.zh.ftth.1tv.ch. [185.96.76.65]) by smtp.gmail.com with ESMTPSA id r17sm226965wrn.43.2020.04.29.11.57.39 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 29 Apr 2020 11:57:40 -0700 (PDT) Subject: Re: signing support for (in-tree and external) kernel modules To: Jan Kiszka , isar-users References: <9a590808-34da-493f-9ea2-219d17cd87c9@googlegroups.com> <9d4818d5-e884-a600-0504-996042f31e3b@siemens.com> From: =?UTF-8?Q?Mustafa_Y=c3=bccel?= Message-ID: <3a5d776b-3cce-ba0f-cf37-f4e2a0afc65a@gmail.com> Date: Wed, 29 Apr 2020 20:57:39 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.7.0 MIME-Version: 1.0 In-Reply-To: <9d4818d5-e884-a600-0504-996042f31e3b@siemens.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Content-Language: en-US X-TUID: a9D5OLREbfGM >> from where you got CONFIG_MODULE_SIG_FORMAT? CONFIG_MODULE_SIG is the >> trigger to create this binary: >> >> scripts/Makefile:hostprogs-$(CONFIG_MODULE_SIG)+= sign-file >> > > I was looking at kernel 5.6. > > Then we likely need multiple condition when to run sign-file while > building an external module. > > And we also need some idea how to deploy the shared keys to all > recipes. If we only talk about two or three, the kernel recipe could > carry the keys as artifacts, and other recipes would simply link them. > But that is not really nice to maintain. We could, of course, package > the keys into linux-headers. Downside: Someone may then accidentally > ship them on a device. maybe we can use a separate package? e.g. kernel-module-signkeys? normally this package will be only used for building, we can output an error during isar build when someone installs this package to the image (prevents "accidentally ship them on a device") next point: can we avoid somehow with isar that this package is showing up in some apt repo (outside isar build system)? On Wednesday, April 29, 2020 at 5:35:15 PM UTC+2, Jan Kiszka wrote: >> >>     On 29.04.20 15:00, yue...@gmail.com wrote: >>      > In tree kernel modules gets signed with the CONFIG_MODULE_SIG_ALL >>     kernel >>      > option, but extra (resp. external) modules not. If you (resp. >>     isar) not >>      > provide an (external) signing key, the kernel build >> autogenerates a >>      > private/public key pair. It would be nice if the isar build >> system >>      > provide some support for signing kernel modules. >>      > >>      > I see currently 2 use cases: >>      > 1) let the kernel build to autogenerate private/public key for >>     kernel >>      > module signing and kernel-module reuse the key for signing (evt. >>     isar >>      > deletes the private key after image generation) >>      > 2) provide an (external) private and public key for kernel module >>      > signing and will be used in kernel and kernel-module recipes >>      > >> >>     We likely want to go for path 2 because the first option prevents >>     reproducibility. And that means we need to define a channel how to >>     provide those keys both to the kernel build as well as the external >>     module builds. >> >>     Did you happen to observe if kernel-headers will include at least >> the >>     script/sign-file host tool when CONFIG_MODULE_SIG_FORMAT is enabled? >>     That - together with the keys - would be needed in order to sign >>     external modules already during their build. >> >>     Jan >> >>     --     Siemens AG, Corporate Technology, CT RDA IOT SES-DE >>     Corporate Competence Center Embedded Linux >> >> -- >> You received this message because you are subscribed to the Google >> Groups "isar-users" group. >> To unsubscribe from this group and stop receiving emails from it, >> send an email to isar-users+unsubscribe@googlegroups.com >> . >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/isar-users/a5a4a11a-9c3f-4367-b264-bba84bd2727c%40googlegroups.com >> . >> >