[PATCH] linux-custom: generate secrets package for out-of-tree module signing

[PATCH] linux-custom: generate secrets package for out-of-tree module signing

['Badrikesh Prusty' via isar-users]

Add a new package, linux-image-<kernel>-secrets, to ship the kernel
module signing keys required for signing out-of-tree kernel modules.

The package is built only when the pkg.<BPN>.secrets build profile is
enabled and installs the signing_key artifacts generated during the
kernel build into /usr/share/linux-secrets.

This allows out-of-tree modules to be signed with the same key used for
in-tree modules.

Usage:
In the out-of-tree module recipe:
    SIGNATURE_KEYFILE = "/usr/share/linux-secrets/signing_key.pem"
    SIGNATURE_CERTFILE = "/usr/share/linux-secrets/signing_key.x509"
    DEBIAN_BUILD_DEPENDS:append = ", linux-secrets"

In the kernel recipe, enable the secrets build profile:
    BUILD_PROFILES:append = " pkg.${BPN}.secrets"

NOTE: The linux-image-<kernel>-secrets package contains the private
module signing key. Care must be taken NOT to distribute this package
in package feeds or images, as this would allow anyone to sign kernel
modules that the kernel would trust.

Signed-off-by: Badrikesh Prusty <badrikesh.prusty@siemens.com>
---
 RECIPE-API-CHANGELOG.md                       | 24 +++++++++++++++++++
 .../linux/files/debian/control.tmpl           |  7 ++++++
 .../linux/files/debian/isar/common.tmpl       |  1 +
 .../linux/files/debian/isar/install.tmpl      | 19 +++++++++++++++
 4 files changed, 51 insertions(+)

diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md
index 0bad8a44..1a33d6ae 100644
--- a/RECIPE-API-CHANGELOG.md
+++ b/RECIPE-API-CHANGELOG.md
@@ -962,3 +962,27 @@ INSTALLER_UNATTENDED_ABORT_ENABLE = "1"
 # Optional: set countdown timeout in seconds (default 5)
 INSTALLER_UNATTENDED_ABORT_TIMEOUT = "5"
 ```
+
+### Add linux-image-<kernel>-secrets package for out-of-tree module signing
+
+linux-image-<kernel>-secrets ships kernel module signing keys required for
+signing out-of-tree kernel modules.
+
+The package is built only when the `pkg.<BPN>.secrets` build profile is
+enabled and installs the signing_key artifacts generated during the kernel
+build into `/usr/share/linux-secrets`.
+
+Usage:
+```
+# In the out-of-tree module recipe:
+SIGNATURE_KEYFILE = "/usr/share/linux-secrets/signing_key.pem"
+SIGNATURE_CERTFILE = "/usr/share/linux-secrets/signing_key.x509"
+DEBIAN_BUILD_DEPENDS:append = ", linux-secrets"
+
+# In the kernel recipe, enable the secrets build profile:
+BUILD_PROFILES:append = " pkg.${BPN}.secrets"
+```
+
+SECURITY NOTE: This package contains the private module signing key. Do not
+distribute it in package feeds or images, as this would allow anyone to sign
+kernel modules that the kernel would trust.
diff --git a/meta/recipes-kernel/linux/files/debian/control.tmpl b/meta/recipes-kernel/linux/files/debian/control.tmpl
index ee87cf92..969f6b0c 100644
--- a/meta/recipes-kernel/linux/files/debian/control.tmpl
+++ b/meta/recipes-kernel/linux/files/debian/control.tmpl
@@ -69,3 +69,10 @@ Conflicts: linux-kbuild-${KERNEL_NAME_PROVIDED}
 Description: ${KERNEL_NAME_PROVIDED} Linux kbuild scripts and tools for @KR@
  This package provides kernel kbuild scripts and tools for @KR@
  This is useful for people who need to build external modules
+
+Package: linux-image-${KERNEL_NAME_PROVIDED}-secrets
+Build-Profiles: <pkg.${BPN}.secrets>
+Section: devel
+Provides: linux-secrets
+Architecture: all
+Description: Linux kernel module signing secrets
diff --git a/meta/recipes-kernel/linux/files/debian/isar/common.tmpl b/meta/recipes-kernel/linux/files/debian/isar/common.tmpl
index f9cc2f02..6554cdb0 100644
--- a/meta/recipes-kernel/linux/files/debian/isar/common.tmpl
+++ b/meta/recipes-kernel/linux/files/debian/isar/common.tmpl
@@ -38,6 +38,7 @@ deb_libc_hdr_dir=${deb_top_dir}/${KERNEL_PKG_LIBC_HEADERS}
 deb_libc_hdr_cross_dir=${deb_top_dir}/${KERNEL_PKG_LIBC_HEADERS_CROSS}
 deb_kern_kbuild_dir=${deb_top_dir}/${KERNEL_PKG_KERN_KBUILD}
 deb_kern_kbuild_cross_dir=${deb_top_dir}/${KERNEL_PKG_KERN_KBUILD_CROSS}
+deb_kern_secrets=${deb_top_dir}/${KERNEL_PKG_IMAGE}-secrets
 
 # Array of packages to be generated
 declare -A kern_pkgs
diff --git a/meta/recipes-kernel/linux/files/debian/isar/install.tmpl b/meta/recipes-kernel/linux/files/debian/isar/install.tmpl
index 6fa94508..99d64ca5 100644
--- a/meta/recipes-kernel/linux/files/debian/isar/install.tmpl
+++ b/meta/recipes-kernel/linux/files/debian/isar/install.tmpl
@@ -70,6 +70,11 @@ do_install() {
         install_headers
     fi
 
+    if echo "${DEB_BUILD_PROFILES}" | grep -q "pkg.${BPN}.secrets"; then
+        kern_secrets_path="${deb_kern_secrets}/usr/share/linux-secrets"
+        install_module_signing_secrets "${kern_secrets_path}"
+    fi
+
     # Stop tracing
     set +x
 }
@@ -271,4 +276,18 @@ install_kbuild() {
     kernel_tools
 }
 
+install_module_signing_secrets() {
+    local dest="${1}"
+    local keydir="${KERNEL_BUILD_DIR}/certs"
+    local priv="${keydir}/signing_key.pem"
+    local cert="${keydir}/signing_key.x509"
+    if [ ! -f "${priv}" ] || [ ! -f "${cert}" ]; then
+        echo "error: module signing keys not found but pkg.${BPN}.secrets is enabled" >&2
+        return 1
+    fi
+    install -d -m 0755 ${dest}
+    install -m 0400 ${KERNEL_BUILD_DIR}/certs/signing_key.pem ${dest}/
+    install -m 0444 ${KERNEL_BUILD_DIR}/certs/signing_key.x509 ${dest}/
+}
+
 main install ${*}
-- 
2.39.5

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20260119060648.40011-1-badrikesh.prusty%40siemens.com.

Re: [PATCH] linux-custom: generate secrets package for out-of-tree module signing

['Jan Kiszka' via isar-users]

On 19.01.26 07:06, 'Badrikesh Prusty' via isar-users wrote:
> Add a new package, linux-image-<kernel>-secrets, to ship the kernel
> module signing keys required for signing out-of-tree kernel modules.
> 
> The package is built only when the pkg.<BPN>.secrets build profile is
> enabled and installs the signing_key artifacts generated during the
> kernel build into /usr/share/linux-secrets.
> 
> This allows out-of-tree modules to be signed with the same key used for
> in-tree modules.
> 
> Usage:
> In the out-of-tree module recipe:
>     SIGNATURE_KEYFILE = "/usr/share/linux-secrets/signing_key.pem"
>     SIGNATURE_CERTFILE = "/usr/share/linux-secrets/signing_key.x509"
>     DEBIAN_BUILD_DEPENDS:append = ", linux-secrets"
> 
> In the kernel recipe, enable the secrets build profile:
>     BUILD_PROFILES:append = " pkg.${BPN}.secrets"
> 
> NOTE: The linux-image-<kernel>-secrets package contains the private
> module signing key. Care must be taken NOT to distribute this package
> in package feeds or images, as this would allow anyone to sign kernel
> modules that the kernel would trust.
> 
> Signed-off-by: Badrikesh Prusty <badrikesh.prusty@siemens.com>
> ---
>  RECIPE-API-CHANGELOG.md                       | 24 +++++++++++++++++++
>  .../linux/files/debian/control.tmpl           |  7 ++++++
>  .../linux/files/debian/isar/common.tmpl       |  1 +
>  .../linux/files/debian/isar/install.tmpl      | 19 +++++++++++++++
>  4 files changed, 51 insertions(+)
> 
> diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md
> index 0bad8a44..1a33d6ae 100644
> --- a/RECIPE-API-CHANGELOG.md
> +++ b/RECIPE-API-CHANGELOG.md
> @@ -962,3 +962,27 @@ INSTALLER_UNATTENDED_ABORT_ENABLE = "1"
>  # Optional: set countdown timeout in seconds (default 5)
>  INSTALLER_UNATTENDED_ABORT_TIMEOUT = "5"
>  ```
> +
> +### Add linux-image-<kernel>-secrets package for out-of-tree module signing
> +
> +linux-image-<kernel>-secrets ships kernel module signing keys required for
> +signing out-of-tree kernel modules.
> +
> +The package is built only when the `pkg.<BPN>.secrets` build profile is
> +enabled and installs the signing_key artifacts generated during the kernel
> +build into `/usr/share/linux-secrets`.
> +
> +Usage:
> +```
> +# In the out-of-tree module recipe:
> +SIGNATURE_KEYFILE = "/usr/share/linux-secrets/signing_key.pem"
> +SIGNATURE_CERTFILE = "/usr/share/linux-secrets/signing_key.x509"
> +DEBIAN_BUILD_DEPENDS:append = ", linux-secrets"
> +
> +# In the kernel recipe, enable the secrets build profile:
> +BUILD_PROFILES:append = " pkg.${BPN}.secrets"
> +```
> +
> +SECURITY NOTE: This package contains the private module signing key. Do not
> +distribute it in package feeds or images, as this would allow anyone to sign
> +kernel modules that the kernel would trust.
> diff --git a/meta/recipes-kernel/linux/files/debian/control.tmpl b/meta/recipes-kernel/linux/files/debian/control.tmpl
> index ee87cf92..969f6b0c 100644
> --- a/meta/recipes-kernel/linux/files/debian/control.tmpl
> +++ b/meta/recipes-kernel/linux/files/debian/control.tmpl
> @@ -69,3 +69,10 @@ Conflicts: linux-kbuild-${KERNEL_NAME_PROVIDED}
>  Description: ${KERNEL_NAME_PROVIDED} Linux kbuild scripts and tools for @KR@
>   This package provides kernel kbuild scripts and tools for @KR@
>   This is useful for people who need to build external modules
> +
> +Package: linux-image-${KERNEL_NAME_PROVIDED}-secrets
> +Build-Profiles: <pkg.${BPN}.secrets>
> +Section: devel
> +Provides: linux-secrets
> +Architecture: all
> +Description: Linux kernel module signing secrets
> diff --git a/meta/recipes-kernel/linux/files/debian/isar/common.tmpl b/meta/recipes-kernel/linux/files/debian/isar/common.tmpl
> index f9cc2f02..6554cdb0 100644
> --- a/meta/recipes-kernel/linux/files/debian/isar/common.tmpl
> +++ b/meta/recipes-kernel/linux/files/debian/isar/common.tmpl
> @@ -38,6 +38,7 @@ deb_libc_hdr_dir=${deb_top_dir}/${KERNEL_PKG_LIBC_HEADERS}
>  deb_libc_hdr_cross_dir=${deb_top_dir}/${KERNEL_PKG_LIBC_HEADERS_CROSS}
>  deb_kern_kbuild_dir=${deb_top_dir}/${KERNEL_PKG_KERN_KBUILD}
>  deb_kern_kbuild_cross_dir=${deb_top_dir}/${KERNEL_PKG_KERN_KBUILD_CROSS}
> +deb_kern_secrets=${deb_top_dir}/${KERNEL_PKG_IMAGE}-secrets
>  
>  # Array of packages to be generated
>  declare -A kern_pkgs
> diff --git a/meta/recipes-kernel/linux/files/debian/isar/install.tmpl b/meta/recipes-kernel/linux/files/debian/isar/install.tmpl
> index 6fa94508..99d64ca5 100644
> --- a/meta/recipes-kernel/linux/files/debian/isar/install.tmpl
> +++ b/meta/recipes-kernel/linux/files/debian/isar/install.tmpl
> @@ -70,6 +70,11 @@ do_install() {
>          install_headers
>      fi
>  
> +    if echo "${DEB_BUILD_PROFILES}" | grep -q "pkg.${BPN}.secrets"; then
> +        kern_secrets_path="${deb_kern_secrets}/usr/share/linux-secrets"
> +        install_module_signing_secrets "${kern_secrets_path}"
> +    fi
> +
>      # Stop tracing
>      set +x
>  }
> @@ -271,4 +276,18 @@ install_kbuild() {
>      kernel_tools
>  }
>  
> +install_module_signing_secrets() {
> +    local dest="${1}"
> +    local keydir="${KERNEL_BUILD_DIR}/certs"
> +    local priv="${keydir}/signing_key.pem"
> +    local cert="${keydir}/signing_key.x509"
> +    if [ ! -f "${priv}" ] || [ ! -f "${cert}" ]; then
> +        echo "error: module signing keys not found but pkg.${BPN}.secrets is enabled" >&2
> +        return 1
> +    fi
> +    install -d -m 0755 ${dest}
> +    install -m 0400 ${KERNEL_BUILD_DIR}/certs/signing_key.pem ${dest}/
> +    install -m 0444 ${KERNEL_BUILD_DIR}/certs/signing_key.x509 ${dest}/
> +}
> +
>  main install ${*}

Given the risk that comes with this new packages and also in the light
of [1], I think we should rather enable consistent module signing with
existing, managed key providers.

Jan

[1] https://gitlab.com/cip-project/cip-core/isar-cip-core/-/issues/144

-- 
Siemens AG, Foundational Technologies
Linux Expert Center

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/5b6b7fee-feb7-4c87-895f-9dca339d4063%40siemens.com.