From: "'Jan Kiszka' via isar-users" <isar-users@googlegroups.com>
To: Badrikesh Prusty <badrikesh.prusty@siemens.com>,
isar-users@googlegroups.com
Cc: cedric.hombourger@siemens.com
Subject: Re: [PATCH] linux-custom: generate secrets package for out-of-tree module signing
Date: Mon, 19 Jan 2026 07:13:34 +0100
Message-ID: <5b6b7fee-feb7-4c87-895f-9dca339d4063@siemens.com>
In-Reply-To: <20260119060648.40011-1-badrikesh.prusty@siemens.com>
On 19.01.26 07:06, 'Badrikesh Prusty' via isar-users wrote:
> Add a new package, linux-image-<kernel>-secrets, to ship the kernel
> module signing keys required for signing out-of-tree kernel modules.
>
> The package is built only when the pkg.<BPN>.secrets build profile is
> enabled and installs the signing_key artifacts generated during the
> kernel build into /usr/share/linux-secrets.
>
> This allows out-of-tree modules to be signed with the same key used for
> in-tree modules.
>
> Usage:
> In the out-of-tree module recipe:
> SIGNATURE_KEYFILE = "/usr/share/linux-secrets/signing_key.pem"
> SIGNATURE_CERTFILE = "/usr/share/linux-secrets/signing_key.x509"
> DEBIAN_BUILD_DEPENDS:append = ", linux-secrets"
>
> In the kernel recipe, enable the secrets build profile:
> BUILD_PROFILES:append = " pkg.${BPN}.secrets"
>
> NOTE: The linux-image-<kernel>-secrets package contains the private
> module signing key. Care must be taken NOT to distribute this package
> in package feeds or images, as this would allow anyone to sign kernel
> modules that the kernel would trust.
>
> Signed-off-by: Badrikesh Prusty <badrikesh.prusty@siemens.com>
> ---
> RECIPE-API-CHANGELOG.md | 24 +++++++++++++++++++
> .../linux/files/debian/control.tmpl | 7 ++++++
> .../linux/files/debian/isar/common.tmpl | 1 +
> .../linux/files/debian/isar/install.tmpl | 19 +++++++++++++++
> 4 files changed, 51 insertions(+)
>
> diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md
> index 0bad8a44..1a33d6ae 100644
> --- a/RECIPE-API-CHANGELOG.md
> +++ b/RECIPE-API-CHANGELOG.md
> @@ -962,3 +962,27 @@ INSTALLER_UNATTENDED_ABORT_ENABLE = "1"
> # Optional: set countdown timeout in seconds (default 5)
> INSTALLER_UNATTENDED_ABORT_TIMEOUT = "5"
> ```
> +
> +### Add linux-image-<kernel>-secrets package for out-of-tree module signing
> +
> +linux-image-<kernel>-secrets ships kernel module signing keys required for
> +signing out-of-tree kernel modules.
> +
> +The package is built only when the `pkg.<BPN>.secrets` build profile is
> +enabled and installs the signing_key artifacts generated during the kernel
> +build into `/usr/share/linux-secrets`.
> +
> +Usage:
> +```
> +# In the out-of-tree module recipe:
> +SIGNATURE_KEYFILE = "/usr/share/linux-secrets/signing_key.pem"
> +SIGNATURE_CERTFILE = "/usr/share/linux-secrets/signing_key.x509"
> +DEBIAN_BUILD_DEPENDS:append = ", linux-secrets"
> +
> +# In the kernel recipe, enable the secrets build profile:
> +BUILD_PROFILES:append = " pkg.${BPN}.secrets"
> +```
> +
> +SECURITY NOTE: This package contains the private module signing key. Do not
> +distribute it in package feeds or images, as this would allow anyone to sign
> +kernel modules that the kernel would trust.
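Review bot: the SECURITY NOTE at the end of this hunk contradicts the usage block above it: `DEBIAN_BUILD_DEPENDS:append = ", linux-secrets"` makes the secrets package a build dependency of the module recipe, so it has to be resolvable from the package feed the module build draws on, and "Do not distribute it in package feeds" cannot be followed as written. State which feed the package is allowed to reach (the local build feed only) and what keeps it out of the image, e.g. that it must never appear in IMAGE_INSTALL and that `pkg.${BPN}.secrets` must not be enabled in a release configuration; mentioning the alternative of pointing CONFIG_MODULE_SIG_KEY at a managed key instead of packaging the generated one would round the entry off.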
> diff --git a/meta/recipes-kernel/linux/files/debian/control.tmpl b/meta/recipes-kernel/linux/files/debian/control.tmpl
> index ee87cf92..969f6b0c 100644
> --- a/meta/recipes-kernel/linux/files/debian/control.tmpl
> +++ b/meta/recipes-kernel/linux/files/debian/control.tmpl
> @@ -69,3 +69,10 @@ Conflicts: linux-kbuild-${KERNEL_NAME_PROVIDED}
> Description: ${KERNEL_NAME_PROVIDED} Linux kbuild scripts and tools for @KR@
> This package provides kernel kbuild scripts and tools for @KR@
> This is useful for people who need to build external modules
> +
> +Package: linux-image-${KERNEL_NAME_PROVIDED}-secrets
> +Build-Profiles: <pkg.${BPN}.secrets>
> +Section: devel
> +Provides: linux-secrets
> +Architecture: all
> +Description: Linux kernel module signing secrets
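Review bot: the new stanza carries `Provides: linux-secrets` but no `Conflicts: linux-secrets`, unlike the `Conflicts: linux-kbuild-${KERNEL_NAME_PROVIDED}` line of the stanza right above it, so secrets packages of two kernel builds would be co-installable until dpkg trips over the shared `/usr/share/linux-secrets/signing_key.pem` path; add `Conflicts: linux-secrets` (plus `Replaces` if switching between kernels is expected). The one-line `Description:` should also be followed by a long description saying that the package contains the private module signing key and must never be installed into an image; at the moment that warning lives only in the changelog.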
> diff --git a/meta/recipes-kernel/linux/files/debian/isar/common.tmpl b/meta/recipes-kernel/linux/files/debian/isar/common.tmpl
> index f9cc2f02..6554cdb0 100644
> --- a/meta/recipes-kernel/linux/files/debian/isar/common.tmpl
> +++ b/meta/recipes-kernel/linux/files/debian/isar/common.tmpl
> @@ -38,6 +38,7 @@ deb_libc_hdr_dir=${deb_top_dir}/${KERNEL_PKG_LIBC_HEADERS}
> deb_libc_hdr_cross_dir=${deb_top_dir}/${KERNEL_PKG_LIBC_HEADERS_CROSS}
> deb_kern_kbuild_dir=${deb_top_dir}/${KERNEL_PKG_KERN_KBUILD}
> deb_kern_kbuild_cross_dir=${deb_top_dir}/${KERNEL_PKG_KERN_KBUILD_CROSS}
> +deb_kern_secrets=${deb_top_dir}/${KERNEL_PKG_IMAGE}-secrets
>
> # Array of packages to be generated
> declare -A kern_pkgs
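Review bot: `deb_kern_secrets` breaks the `_dir` suffix convention of its neighbours (`deb_kern_kbuild_dir`, `deb_kern_kbuild_cross_dir`); rename it `deb_kern_secrets_dir`. The hunk ends directly before `declare -A kern_pkgs`, the "array of packages to be generated", and nothing in the patch adds the secrets package to that array, so it is not visible here how the new package directory is picked up by the rest of the packaging; either register it in this hunk or explain in the commit message why that is unnecessary.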
> diff --git a/meta/recipes-kernel/linux/files/debian/isar/install.tmpl b/meta/recipes-kernel/linux/files/debian/isar/install.tmpl
> index 6fa94508..99d64ca5 100644
> --- a/meta/recipes-kernel/linux/files/debian/isar/install.tmpl
> +++ b/meta/recipes-kernel/linux/files/debian/isar/install.tmpl
> @@ -70,6 +70,11 @@ do_install() {
> install_headers
> fi
>
> + if echo "${DEB_BUILD_PROFILES}" | grep -q "pkg.${BPN}.secrets"; then
> + kern_secrets_path="${deb_kern_secrets}/usr/share/linux-secrets"
> + install_module_signing_secrets "${kern_secrets_path}"
> + fi
> +
> # Stop tracing
> set +x
> }
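Review bot: the profile test `grep -q "pkg.${BPN}.secrets"` is an unanchored regex with unescaped dots, so it also matches a profile such as `pkg.${BPN}.secrets-foo` or any longer token in which the dots match other characters; match the profile as a whole space-separated word instead, e.g. `case " ${DEB_BUILD_PROFILES} " in *" pkg.${BPN}.secrets "*) install_module_signing_secrets "${kern_secrets_path}";; esac`. In addition, `install_module_signing_secrets` reports failure with `return 1`, but nothing in the hunk shows errexit being active in `do_install()` (only `set +x` at the end), so a missing key could be ignored and the package built empty; make the call `|| exit 1` or confirm `set -e` is in force.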
> @@ -271,4 +276,18 @@ install_kbuild() {
> kernel_tools
> }
>
> +install_module_signing_secrets() {
> + local dest="${1}"
> + local keydir="${KERNEL_BUILD_DIR}/certs"
> + local priv="${keydir}/signing_key.pem"
> + local cert="${keydir}/signing_key.x509"
> + if [ ! -f "${priv}" ] || [ ! -f "${cert}" ]; then
> + echo "error: module signing keys not found but pkg.${BPN}.secrets is enabled" >&2
> + return 1
> + fi
> + install -d -m 0755 ${dest}
> + install -m 0400 ${KERNEL_BUILD_DIR}/certs/signing_key.pem ${dest}/
> + install -m 0444 ${KERNEL_BUILD_DIR}/certs/signing_key.x509 ${dest}/
> +}
> +
> main install ${*}
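Review bot: `priv` and `cert` are assigned at the top of the function but the two `install` lines re-derive the same paths from `${KERNEL_BUILD_DIR}/certs/...` instead of using `"${priv}"` and `"${cert}"`, and `${dest}` and `${KERNEL_BUILD_DIR}` are unquoted in all three `install` calls; use the variables and quote them. The lookup also hard-codes the kernel's default auto-generated key location `certs/signing_key.pem`; when CONFIG_MODULE_SIG_KEY names an externally managed key that file is not generated, so the message "module signing keys not found" is misleading there and should say that only the in-tree generated key is supported. Finally, 0400 on a root-owned file is only usable if the module build in the sbuild chroot runs as root; please confirm that, or signing of the out-of-tree module will fail with a permission error.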
Given the risk that comes with this new package and also in the light
of [1], I think we should rather enable consistent module signing with
existing, managed key providers.
Jan
[1] https://gitlab.com/cip-project/cip-core/isar-cip-core/-/issues/144
--
Siemens AG, Foundational Technologies
Linux Expert Center
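The patch above is about getting out-of-tree modules signed with a key the kernel trusts. As an added example for this thread (not code from the patch, from Isar or from the kernel tree), here is a small Python parser and builder for the trailer that the kernel's scripts/sign-file appends to a .ko, laid out as in include/linux/module_signature.h: module data, then the PKCS#7 DER blob, then a 12-byte struct module_signature, then the magic string. It lets a build step check that a module built against such a kernel actually came out signed, and it applies the same rejection rules as the kernel's mod_check_sig(). The module body and the stand-in "PKCS#7" bytes in main() are constructed for illustration; a real module carries a DER PKCS#7 SignedData produced with signing_key.pem.

```python
"""Parse and build the appended signature trailer of a Linux kernel module.

Added example, not code from the patch, Isar or the kernel.  Layout follows
include/linux/module_signature.h and scripts/sign-file:
    module data || PKCS#7 DER || struct module_signature || MODULE_SIG_STRING
"""
import struct
from typing import NamedTuple, Optional

MODULE_SIG_STRING = b"~Module signature appended~\n"
# struct module_signature: u8 algo, hash, id_type, signer_len, key_id_len,
# u8 __pad[3], __be32 sig_len -> 12 bytes, length big-endian.
SIG_STRUCT = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2  # the only key id type current kernels accept for modules


class ModuleSignature(NamedTuple):
    payload_len: int  # number of leading bytes covered by the signature
    signature: bytes  # the PKCS#7 DER blob that sign-file appended


def append_signature(module: bytes, pkcs7_der: bytes) -> bytes:
    """Produce what sign-file writes once the PKCS#7 blob has been computed."""
    trailer = SIG_STRUCT.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7_der))
    return module + pkcs7_der + trailer + MODULE_SIG_STRING


def parse_signature(blob: bytes) -> Optional[ModuleSignature]:
    """Return the appended signature, or None when there is no trailer.

    Raises ValueError for trailers the kernel's mod_check_sig() rejects:
    a sig_len that leaves no module data, a key id type other than PKCS#7,
    or non-zero legacy (PGP/X.509) fields.
    """
    if not blob.endswith(MODULE_SIG_STRING):
        return None
    body = blob[: -len(MODULE_SIG_STRING)]
    if len(body) < SIG_STRUCT.size:
        raise ValueError("file too short to hold struct module_signature")
    algo, hsh, id_type, signer_len, key_id_len, sig_len = SIG_STRUCT.unpack(
        body[-SIG_STRUCT.size:]
    )
    body = body[: -SIG_STRUCT.size]
    if sig_len >= len(body):
        raise ValueError(f"sig_len {sig_len} leaves no module data")
    if id_type != PKEY_ID_PKCS7:
        raise ValueError(f"unsupported key id type {id_type}")
    if algo or hsh or signer_len or key_id_len:
        raise ValueError("legacy signature fields must be zero for PKCS#7")
    payload_len = len(body) - sig_len
    return ModuleSignature(payload_len, body[payload_len:])


def strip_signature(blob: bytes) -> bytes:
    """Drop the trailer; the result is what a kernel sees as an unsigned module."""
    sig = parse_signature(blob)
    return blob if sig is None else blob[: sig.payload_len]


def classify(blob: bytes) -> str:
    """Verdict for a build-time check: 'unsigned', 'signed' or 'malformed'."""
    try:
        return "unsigned" if parse_signature(blob) is None else "signed"
    except ValueError:
        return "malformed"


def main() -> None:
    module = b"\x7fELF" + b"\x00" * 28 + b".text sample module bytes"  # constructed
    fake_pkcs7 = b"\x30\x82\x00\x10" + b"\xaa" * 16  # constructed stand-in DER
    signed = append_signature(module, fake_pkcs7)
    samples = (("plain", module), ("signed", signed),
               ("stripped", strip_signature(signed)))
    for label, blob in samples:
        print(f"{label:8s} {classify(blob)}")
    sig = parse_signature(signed)
    assert sig is not None
    print(f"signature covers {sig.payload_len} bytes, blob is {len(sig.signature)} bytes")


if __name__ == "__main__":
    main()
```

Running `classify()` over the .ko files a module recipe produces is a cheap gate before they reach an image: "unsigned" means SIGNATURE_KEYFILE never took effect, "malformed" means something rewrote the file after signing. Which key made the signature is a separate question that needs the PKCS#7 payload and the kernel's certificate; the trailer alone only tells you that a signature is present.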