From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from shymkent.ilbers.de ([unix socket]) by shymkent (Cyrus 2.5.10-Debian-2.5.10-3+deb9u2) with LMTPA; Mon, 19 Jan 2026 07:13:52 +0100 X-Sieve: CMU Sieve 2.4 Received: from mail-qv1-f56.google.com (mail-qv1-f56.google.com [209.85.219.56]) by shymkent.ilbers.de (8.15.2/8.15.2/Debian-8+deb9u1) with ESMTPS id 60J6DkY0024174 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 19 Jan 2026 07:13:52 +0100 Received: by mail-qv1-f56.google.com with SMTP id 6a1803df08f44-88a2d8b7ea5sf44774766d6.0 for ; Sun, 18 Jan 2026 22:13:47 -0800 (PST) ARC-Seal: i=3; a=rsa-sha256; t=1768803221; cv=pass; d=google.com; s=arc-20240605; b=LjSetVtllMPczhmUDrgjav2tHX6TaItBXd17c80KW+WQ/wOAOQxnpPmU4yDQEXllx/ RpBT8a9ECUAPRtIhvhEhnzNDCS6kGvxG1D9cpvFuuBQoUgKpjMR5kuvHYy5hYgjJ+lLA 70wqO7X539PcG9p2mAEh/OJBHp8KQWzIE3uXtcNJ9osuC8Z7tWFPhKAfPIr/WvMXO0o2 /38IRT4+6XV5a+0iI9CDBGe/rnjKQyqLGPSXfj+GgVcStfOd8NzpNTEU2NL2gHf8BGvR rgzZvQ1FQE/1P8rc2V7vkGtk9M9WF+zvH/LzpKwtMtBMroQevJgroCjSh/FVs1QEnXam aFTw== ARC-Message-Signature: i=3; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to:mime-version:in-reply-to :autocrypt:content-language:from:references:cc:to:subject:user-agent :date:message-id:dkim-signature; bh=hHZr+R5ugypa6gtLwxiMM34yGOTi8M0xPNOu8Wqujiw=; fh=4XlHgGGqyHKmELllSbXJG2VCI/Nwx4/b7MGD36zO80o=; b=jM7pLBbcABxIqlfSrhaf0tpOZUteD3qWHWJNpoalriKmbfgcw/eg5E8a6T+3lbdFWF w/3IWsR6JaP+KjeiH9i6g2x4t7tQik7vkLmGH1az126PkbnSiU1iM0TaSuhztobYTsyN RWcHwIv7884WWemlNpsyh8z10oxtY3hpA15YVwNA8DiOvriRslAPwiAv7B1U+9LjjwZd hAd32OW5WWRQf+ks42LJgB9ZlIKQEfxf6eUHP9dKlfm1hWWvgz6W/2b6aglbj+WONG0o mv0DLS5gnYuUQKrP9zW/Nd6G35HIVYpKZTRc4bWYGnn7kcCsMNfZXQuQxS/q2Zz0bkth kg9Q==; darn=ilbers.de ARC-Authentication-Results: i=3; gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=selector2 header.b=hCBmAon3; arc=pass (i=1 spf=pass spfdomain=siemens.com dkim=pass dkdomain=siemens.com dmarc=pass fromdomain=siemens.com); spf=pass (google.com: domain of jan.kiszka@siemens.com designates 2a01:111:f403:c201::6 as permitted sender) smtp.mailfrom=jan.kiszka@siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20230601; t=1768803221; x=1769408021; darn=ilbers.de; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to :x-original-authentication-results:x-original-sender:mime-version :in-reply-to:autocrypt:content-language:from:references:cc:to :subject:user-agent:date:message-id:from:to:cc:subject:date :message-id:reply-to; bh=hHZr+R5ugypa6gtLwxiMM34yGOTi8M0xPNOu8Wqujiw=; b=FtsclnVLfK17TKAkPOZpI/R+yWLWxzL9BJzX3UMFlpSB9rpv9STp+cavebRX2gkZ+N L3FwNr3KElYR+EbZA/aX+mlmZSpEMXY0QuHptNHUbuMSzEzj4X0T6LQ7vOK+xPkNOzc4 dMBbISUTPx0T+G9NgwybKAmpqVJtECXqGHyOXm3qhWLdUxFoQK9bSawYTGs7yp9S9qEb jiJUYK/KMDNBR0RRCMluVWmTqg6fMQR+7HtkYauaV+TmpvbN8je2ti/AogVfBaIfxmEK zjjKj6Hp6jlumdtu21vxuXSQ3wLPp/QMwdio+c8Hh6xA0vYWfWteUE4VKXWHo4hxqfU+ aYgA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1768803221; x=1769408021; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :x-spam-checked-in-group:list-id:mailing-list:precedence:reply-to :x-original-authentication-results:x-original-sender:mime-version :in-reply-to:autocrypt:content-language:from:references:cc:to :subject:user-agent:date:message-id:x-beenthere:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=hHZr+R5ugypa6gtLwxiMM34yGOTi8M0xPNOu8Wqujiw=; b=gG3UumKXJtVMoxFE5LRjbDnc2CiY9nqI/zRQtKYXHafLZhXvDCImAQMe5LXlBEaA3I WP66ZFmTMW139YpQOVy49z7zZAG1cIbsiRLv0Cc+aM8UdNrNhohXpnOh2UtbcGali23w mr1u9o90xXAD6BlNdV/uT7vgbXM4UlI+rjGSPnNosQOYvJnfh7TxobyWpg4fkSjga0vn KQNaa8A/+UQ9owTTiu7FsGSP+AFhTaHHJFVJI3T0FWjwGkQ5JZtSf9LWPXOotcKqMAn7 UghlY3PCm9VxNsydYAZaxl5JFzhTXKuG8+gTpGUS8S/C3SUwlPmAn3lUwN/oWwTkOerz Q9gg== X-Forwarded-Encrypted: i=3; AJvYcCVSyxFZydm13rHJpSIrXHgxMDvEsZ2pAGhTAEI9T+5tVXSSODSi2rbvVYc6FZ9ywhvpoKyW@ilbers.de X-Gm-Message-State: AOJu0YyBZSgvEPJmmFnQt7tI1Upynxd06VCTJ37tzr2HWNPI+TGw1woU 5zw2OQfnoXl3nhzrF10ONCDgXuhBwKoguxsn4X617IHin0EWS8CLKXFm X-Received: by 2002:a05:6214:1c86:b0:785:aa57:b5bb with SMTP id 6a1803df08f44-8942dd6f813mr151967516d6.43.1768803220669; Sun, 18 Jan 2026 22:13:40 -0800 (PST) X-BeenThere: isar-users@googlegroups.com; h="AV1CL+FrxUaMYeiK/JuTN8tBp7SKgm++KfclMl4EiHerY+sYIQ==" Received: by 2002:a05:6214:c87:b0:888:3f27:d2e2 with SMTP id 6a1803df08f44-894222f3e3bls69045446d6.2.-pod-prod-08-us; Sun, 18 Jan 2026 22:13:39 -0800 (PST) X-Forwarded-Encrypted: i=3; AJvYcCUjCCOABr/pcItw9NLxmh7CwtcpGyn6MfJn7ErwgvagRYE2+Jz3Azy0Xaa169LlksLnlOrEfja0R813@googlegroups.com X-Received: by 2002:a05:6214:ccf:b0:890:259c:80ff with SMTP id 6a1803df08f44-8942daf1e12mr147289526d6.11.1768803219327; Sun, 18 Jan 2026 22:13:39 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1768803219; cv=pass; d=google.com; s=arc-20240605; b=lTciKG48hogVg9P9BZSsNo3h2dr/QWyT3Ys6zCreQPTjsUOI+sbC7DXHMhw4WSFisG KBWo3LeAqUTIHAETZqBfEtpBGSWdICjyQKlShewtRDSViDjbYnnLiUW/kFdlfACjxA0s Ymt4tUhD8YlP3sYzkEhIDoR0qIH8hxRpQq3wGcAzycx/IQGYEnAT/vbwWSX5/GRF+CQe snflod/4IwRy40w0YL8dAvidjiwewxvO0AuiPcBv7hu2pFW40ESbFOybbyluNpXHf68d szuUufpD+tn4aOlQ+VMt4tUF7HZcO5KfX/pJpFRCuPFIZyG/ns6HVeaxfy9AMWKzKYjO KJSg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=mime-version:content-transfer-encoding:in-reply-to:autocrypt :content-language:from:references:cc:to:subject:user-agent:date :message-id:dkim-signature; bh=4mTrsPtvL0liaHNCiZewTDzOqNZjhz5QjyBjJEaP2e4=; fh=wsrkzUkc8Kz3Csg1IeH5I6zz40SoFFyLmbQjYprjwlk=; b=UO9DBkjxEnXkXekqIUWpbhJzOQdB7SoeGaqv7tV6ipkzCAftmLKx0qTqZHb8R82XOZ DQXonkSLD/Us8EjDqjVR3GcLWrRASR/C6hMgS5rqvWaEK+WR9qqIgxKdIEa0iIMTLLJR X7CfsI1KtmoKGw4JFnATXHn6KoFmqmGFwspRPNCPNDpEEhGnrRJTe/HAvduVqYNLXtoV 9sEM/5494Oci1cUAjiKqTtqhWQwKO8bPjLRlm3Ml6PedUawYSM5njewU1/07S57JRHtI Zx3HgA/SKS8B1FfrG+G7bxRUdw8IOVHDmVUXyFILAdp8J/UrEy9LiDgsekiHf8T7kn1K MowA==; dara=google.com ARC-Authentication-Results: i=2; gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=selector2 header.b=hCBmAon3; arc=pass (i=1 spf=pass spfdomain=siemens.com dkim=pass dkdomain=siemens.com dmarc=pass fromdomain=siemens.com); spf=pass (google.com: domain of jan.kiszka@siemens.com designates 2a01:111:f403:c201::6 as permitted sender) smtp.mailfrom=jan.kiszka@siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com Received: from AM0PR02CU008.outbound.protection.outlook.com (mail-westeuropeazlp170130006.outbound.protection.outlook.com. [2a01:111:f403:c201::6]) by gmr-mx.google.com with ESMTPS id 6a1803df08f44-8942e68cf32si2334706d6.8.2026.01.18.22.13.38 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 18 Jan 2026 22:13:39 -0800 (PST) Received-SPF: pass (google.com: domain of jan.kiszka@siemens.com designates 2a01:111:f403:c201::6 as permitted sender) client-ip=2a01:111:f403:c201::6; ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=kbxfGT4eSmckMaGDtsCVViYQX6A0mbaT8zJ2+0BxLdpHIZtt20yvob/Z5XI7N8lkDn/4xmKgmR8XVB/aJpHfNij3Se4vLOG0eyScMV4nUjeAT3MWBkbaw6IbIpRXATrAq+axzDo8/iuzmyfJrQKGP7I+2ifCdnmRW33bIe8KG49ZnpT0W+Svegi+WZDbncRLuXDDYjyMqVVqwWUF7HhJE9J/39lcCtEt8KT1NtwxTuUWegDJ3VXhVkH9kCed94omGG0GjdSKY/tFS9OBwvuYcFMXrau1ARuHvqNmQhZYwFY5zgCSHnKIYPpVe3w/w9oIMvN+WQAXrlAG/2HbUp2lgA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=4mTrsPtvL0liaHNCiZewTDzOqNZjhz5QjyBjJEaP2e4=; b=kWLFu+1G0WXjidtAlseNC8Q52w+5zDEiSdhwRL/NnVrLJBrs+FrQufoDJids/hIPa8oGneR49tj1L5xZrLQrTMchNz+XI87VnLYNAl+05oR2TuI20kyvMTkCK4bFzdt/hwToP6W53gtc2gzohxGkirg+gDV7qJtHO2A0sufaHMPOEGM88OjFa5vaA1gAR6QTfcdvzkFXHpXIyjYgns/9EKl7nzC9vggpTmXEQX5+HGU9XQJ91e7ME/u7VSpjbH4HfQ/H91nHmTvtry7U0OYRtjbK4TH9saol0XLs39SJ/kvnL3FbDQ85waPJtPtokdM40b4aM+QhrdwgoQaFQ+3s5w== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com; dkim=pass header.d=siemens.com; arc=none Received: from AS4PR10MB6181.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:20b:588::19) by DB9PR10MB5503.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:306::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9520.11; Mon, 19 Jan 2026 06:13:35 +0000 Received: from AS4PR10MB6181.EURPRD10.PROD.OUTLOOK.COM ([fe80::be9f:e8ca:ee9:83e1]) by AS4PR10MB6181.EURPRD10.PROD.OUTLOOK.COM ([fe80::be9f:e8ca:ee9:83e1%6]) with mapi id 15.20.9520.010; Mon, 19 Jan 2026 06:13:35 +0000 Message-ID: <5b6b7fee-feb7-4c87-895f-9dca339d4063@siemens.com> Date: Mon, 19 Jan 2026 07:13:34 +0100 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH] linux-custom: generate secrets package for out-of-tree module signing To: Badrikesh Prusty , isar-users@googlegroups.com Cc: cedric.hombourger@siemens.com References: <20260119060648.40011-1-badrikesh.prusty@siemens.com> From: "'Jan Kiszka' via isar-users" Content-Language: en-US Autocrypt: addr=jan.kiszka@siemens.com; keydata= xsFNBGZY+hkBEACkdtFD81AUVtTVX+UEiUFs7ZQPQsdFpzVmr6R3D059f+lzr4Mlg6KKAcNZ uNUqthIkgLGWzKugodvkcCK8Wbyw+1vxcl4Lw56WezLsOTfu7oi7Z0vp1XkrLcM0tofTbClW xMA964mgUlBT2m/J/ybZd945D0wU57k/smGzDAxkpJgHBrYE/iJWcu46jkGZaLjK4xcMoBWB I6hW9Njxx3Ek0fpLO3876bszc8KjcHOulKreK+ezyJ01Hvbx85s68XWN6N2ulLGtk7E/sXlb 79hylHy5QuU9mZdsRjjRGJb0H9Buzfuz0XrcwOTMJq7e7fbN0QakjivAXsmXim+s5dlKlZjr L3ILWte4ah7cGgqc06nFb5jOhnGnZwnKJlpuod3pc/BFaFGtVHvyoRgxJ9tmDZnjzMfu8YrA +MVv6muwbHnEAeh/f8e9O+oeouqTBzgcaWTq81IyS56/UD6U5GHet9Pz1MB15nnzVcyZXIoC roIhgCUkcl+5m2Z9G56bkiUcFq0IcACzjcRPWvwA09ZbRHXAK/ao/+vPAIMnU6OTx3ejsbHn oh6VpHD3tucIt+xA4/l3LlkZMt5FZjFdkZUuAVU6kBAwElNBCYcrrLYZBRkSGPGDGYZmXAW/ VkNUVTJkRg6MGIeqZmpeoaV2xaIGHBSTDX8+b0c0hT/Bgzjv8QARAQABzSNKYW4gS2lzemth IDxqYW4ua2lzemthQHNpZW1lbnMuY29tPsLBlAQTAQoAPhYhBABMZH11cs99cr20+2mdhQqf QXvYBQJmWPvXAhsDBQkFo5qABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEGmdhQqfQXvY zPAP/jGiVJ2VgPcRWt2P8FbByfrJJAPCsos+SZpncRi7tl9yTEpS+t57h7myEKPdB3L+kxzg K3dt1UhYp4FeIHA3jpJYaFvD7kNZJZ1cU55QXrJI3xu/xfB6VhCs+VAUlt7XhOsOmTQqCpH7 pRcZ5juxZCOxXG2fTQTQo0gfF5+PQwQYUp0NdTbVox5PTx5RK3KfPqmAJsBKdwEaIkuY9FbM 9lGg8XBNzD2R/13cCd4hRrZDtyegrtocpBAruVqOZhsMb/h7Wd0TGoJ/zJr3w3WnDM08c+RA 5LHMbiA29MXq1KxlnsYDfWB8ts3HIJ3ROBvagA20mbOm26ddeFjLdGcBTrzbHbzCReEtN++s gZneKsYiueFDTxXjUOJgp8JDdVPM+++axSMo2js8TwVefTfCYt0oWMEqlQqSqgQwIuzpRO6I ik7HAFq8fssy2cY8Imofbj77uKz0BNZC/1nGG1OI9cU2jHrqsn1i95KaS6fPu4EN6XP/Gi/O 0DxND+HEyzVqhUJkvXUhTsOzgzWAvW9BlkKRiVizKM6PLsVm/XmeapGs4ir/U8OzKI+SM3R8 VMW8eovWgXNUQ9F2vS1dHO8eRn2UqDKBZSo+qCRWLRtsqNzmU4N0zuGqZSaDCvkMwF6kIRkD ZkDjjYQtoftPGchLBTUzeUa2gfOr1T4xSQUHhPL8zsFNBGZY+hkBEADb5quW4M0eaWPIjqY6 aC/vHCmpELmS/HMa5zlA0dWlxCPEjkchN8W4PB+NMOXFEJuKLLFs6+s5/KlNok/kGKg4fITf Vcd+BQd/YRks3qFifckU+kxoXpTc2bksTtLuiPkcyFmjBph/BGms35mvOA0OaEO6fQbauiHa QnYrgUQM+YD4uFoQOLnWTPmBjccoPuiJDafzLxwj4r+JH4fA/4zzDa5OFbfVq3ieYGqiBrtj tBFv5epVvGK1zoQ+Rc+h5+dCWPwC2i3cXTUVf0woepF8mUXFcNhY+Eh8vvh1lxfD35z2CJeY txMcA44Lp06kArpWDjGJddd+OTmUkFWeYtAdaCpj/GItuJcQZkaaTeiHqPPrbvXM361rtvaw XFUzUlvoW1Sb7/SeE/BtWoxkeZOgsqouXPTjlFLapvLu5g9MPNimjkYqukASq/+e8MMKP+EE v3BAFVFGvNE3UlNRh+ppBqBUZiqkzg4q2hfeTjnivgChzXlvfTx9M6BJmuDnYAho4BA6vRh4 Dr7LYTLIwGjguIuuQcP2ENN+l32nidy154zCEp5/Rv4K8SYdVegrQ7rWiULgDz9VQWo2zAjo TgFKg3AE3ujDy4V2VndtkMRYpwwuilCDQ+Bpb5ixfbFyZ4oVGs6F3jhtWN5Uu43FhHSCqUv8 FCzl44AyGulVYU7hTQARAQABwsF8BBgBCgAmFiEEAExkfXVyz31yvbT7aZ2FCp9Be9gFAmZY +hkCGwwFCQWjmoAACgkQaZ2FCp9Be9hN3g/8CdNqlOfBZGCFNZ8Kf4tpRpeN3TGmekGRpohU bBMvHYiWW8SvmCgEuBokS+Lx3pyPJQCYZDXLCq47gsLdnhVcQ2ZKNCrr9yhrj6kHxe1Sqv1S MhxD8dBqW6CFe/mbiK9wEMDIqys7L0Xy/lgCFxZswlBW3eU2Zacdo0fDzLiJm9I0C9iPZzkJ gITjoqsiIi/5c3eCY2s2OENL9VPXiH1GPQfHZ23ouiMf+ojVZ7kycLjz+nFr5A14w/B7uHjz uL6tnA+AtGCredDne66LSK3HD0vC7569sZ/j8kGKjlUtC+zm0j03iPI6gi8YeCn9b4F8sLpB lBdlqo9BB+uqoM6F8zMfIfDsqjB0r/q7WeJaI8NKfFwNOGPuo93N+WUyBi2yYCXMOgBUifm0 T6Hbf3SHQpbA56wcKPWJqAC2iFaxNDowcJij9LtEqOlToCMtDBekDwchRvqrWN1mDXLg+av8 qH4kDzsqKX8zzTzfAWFxrkXA/kFpR3JsMzNmvextkN2kOLCCHkym0zz5Y3vxaYtbXG2wTrqJ 8WpkWIE8STUhQa9AkezgucXN7r6uSrzW8IQXxBInZwFIyBgM0f/fzyNqzThFT15QMrYUqhhW ZffO4PeNJOUYfXdH13A6rbU0y6xE7Okuoa01EqNi9yqyLA8gPgg/DhOpGtK8KokCsdYsTbk= In-Reply-To: <20260119060648.40011-1-badrikesh.prusty@siemens.com> Content-Type: text/plain; charset="UTF-8" X-ClientProxiedBy: FR0P281CA0151.DEUP281.PROD.OUTLOOK.COM (2603:10a6:d10:b3::19) To AS4PR10MB6181.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:20b:588::19) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: AS4PR10MB6181:EE_|DB9PR10MB5503:EE_ X-MS-Office365-Filtering-Correlation-Id: ed597d80-82e7-4086-c18d-08de5721e0c5 X-MS-Exchange-AtpMessageProperties: SA X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|1800799024|366016|376014; X-Microsoft-Antispam-Message-Info: =?utf-8?B?blJBSWUzNzBkd0YyWEhUS3FnNzBHdG5uZ1NINVJsQm4rTTRnZXJqVThCRWxO?= =?utf-8?B?SVZGVlIzVEQySXVtcHVERjFCR0tjVlY3MG5HVElURFU2R1JxUGM1VWw0WjhE?= =?utf-8?B?MHNTUERUa2xDMGRnZXNxR2EvWVJ6dzNKeFl4TmVhM24yRXUyb2lMdE5VNnhX?= =?utf-8?B?UlpjWVRKWHRJZGMyNVJabUVMR1Z6TUltbnhFK3RwZzd5M0Z6UFhwR2RoSmlO?= =?utf-8?B?WG9xTjlzTHJNdE1CKzMvcmVjcUNvOExFcGhpdzVsTmFIS0l5cHdka2duZmFV?= =?utf-8?B?MWhuMXYvY0dJYUFNY3BlOVZJSjVudlc3dldwRkIxK052eFRGUGcvZCtuR0tS?= =?utf-8?B?UTR0OHUzTEJIRDhyMTJCMFZtRW9FZnZtL1JLMFFBQzNMb0Y4T0diQ1ZCZzhY?= =?utf-8?B?TG93U2l1ZndMOVB6eXRIcExVc2Y2RGlBN1hrbXBSZkRQNTUxdW5tM243RDdj?= =?utf-8?B?MldQSXRnTjhBTHFWMmlmd1NGWVlXb3U3eU9KVTdQM1FvUXNPZ0dEbTR4c1dI?= =?utf-8?B?dGJVa2wzTFhlUU0rQXpsd1B0S1NDWDJCd1RHd1YzSUdzVWl3WHljM0M1QjZN?= =?utf-8?B?RmFtMTZvbFZwQTNNU2l4R3p4MzBKbmRCdDlWVFZrTGJWdThlTDBheXVOUHN6?= =?utf-8?B?ZGdwdTJHTm80WG50QWRIU0U3eFZlU2lacDh3eDFiVkk2cHlNZGNIY0xTRnFK?= =?utf-8?B?Z24rUVgrRCtaVTBESTNUNGZqZnNCM0E3d2JORms3MzcrUWVyOGhHYkF5cjA2?= =?utf-8?B?TUZDSllRRTVJdHlJYWt1WUhHRFJmUlpibTF4UDR5ODVvQjdOTEtCMk8xQk5C?= =?utf-8?B?b2hDaUZtT2RmeTlvdk92K3dVVlI2bGNURWNpYTFXWlVzbm4yK01kL1lwaU9w?= =?utf-8?B?YTVmSXBzdXdTc1QzdjF3LzZSNHladTY3a1NLclZzOFNHdTE2NnZyTVJsdjBo?= =?utf-8?B?MmpaVEpQeHFza3VJWFNzeGdzS0JYRG1maDNrVzdvTHpyR1dGaElEZjkwWkJE?= =?utf-8?B?OEpROU5rcTdsTTN1R0t0K1p3eDNpZUVqTUlpSUQ5TDNNSFZ5aUEyaTFPeCt2?= =?utf-8?B?ZkhHQXNqL0pLeFlxbHhNV0w3ZmUzaXE2TC9FcU1wUzQ5dEdFMXhEQyt1QVdw?= =?utf-8?B?ZEVHTXducDFYM0QxNDB6dU01K2NPbWNzYkU0TDdxYTEwbnJXTkR6dlZUUzRk?= =?utf-8?B?Uy8xTFpuREFQZlpFYnh3K1V3dFJhRUlKR1lzVzltZ0s4cDZNNk1Dd1J6cWEx?= =?utf-8?B?ckdBY0RLUS92eG5LQ2xZSUtHS2IweCtsYU93MlNKWWtLOHNkUEt0N1c0ZTND?= =?utf-8?B?Q0ZaWU94KzNpdFJrWHozem5ld29vU2xqdUFYYlJNQTJHb1RWOTFNY0ZGWW82?= =?utf-8?B?b0x0L244NTR4WVJwMFhsbm9FQmg2eExOOHNueXhvNUhmQllpUzN0TDk1Q09F?= =?utf-8?B?N1g5bHFLYWIrbXJMRXFRRVlUWjh4d2VwSnJPc21zT0V2TjdiVHNNcThnRGlh?= =?utf-8?B?VEdIaktqVzhpK3FUWjNpYjdtNlFOQ3JjRS9MK0RwYXA0Sm55OUtGbXFDOVBX?= =?utf-8?B?R1hRa1E2Kys0VlJISC9aWTdjTWR2Mk03dGhIS2hzd2Y2OGF4YnhSREg3VmJO?= =?utf-8?B?NkhDU2hyY2xaVkVjbzdobnVaL1RJTVFqNjRBN3Iwc3gxdXM4RDhEaGc5ZU0x?= =?utf-8?B?YnRWRXFMRmtmS3B4VnJ6TlZabWxPZUQwZ0FxTHhoVGpyUWNFMElSd2d2U1Qz?= =?utf-8?B?Y09ZYWx3OXN1Sk56aHhwbjZXQWJNWkNpNG5CMExnRnlSZjNzZkJXQzJJWHcx?= =?utf-8?B?ZDc4UUozOXVua0tzYmxvbmYwRnd1M01MNWwvdzZML3V6Y0hzZGtNVHU3SDht?= =?utf-8?B?OUYrTkU3dHFXMDVrRTNVdEtJOGRQWG83V3VQYW1JQVljRzNtbkdrRE5GblRq?= =?utf-8?B?Z0tGSXVjYVp3eUZDYXRQejJGV2ZxbGl1N2dYTnNGRUxVMi9jMTJsZWFnYkIr?= =?utf-8?B?K3VkT1VUeEpCZGM2d1VIc2dTbVYxOVVyNm9GTFN5YUpQaXFjaUg4OTZPSDZT?= =?utf-8?B?TWFmN1dsVGsyZzBUMXZWWko0Qm9UWFJ4SnVvVlJ2OHE3MFE1dEVXbklrbG5k?= =?utf-8?Q?u4RfWcyiWPFepJ1VsiULIIWyz?= X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:AS4PR10MB6181.EURPRD10.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(1800799024)(366016)(376014);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?B?MmxzZE8yem1iWGUxN2xMdm55b00wN0NLT0xSNW5hcHZseVpmU24ray9ZMFFT?= =?utf-8?B?MXlFL29sK21CRStWb1BFeTV6MnRZc01TZWFzYmd5MzJWVkttVDBvL1FwNnNp?= =?utf-8?B?NWRlbmpTZFYzSHp5MUppY3hwdXVuazF5dXZUNmdvaVZGR1VOblNFMDFqQjll?= =?utf-8?B?SUdnQWIrMyt0V1ZnU1MvSk1PSFFHN2VPMnhPay9ocndEc0lGTUxkaTBYMnZj?= =?utf-8?B?MVRzQjBLc280QzhubExMNTVGdlRpakNJU2RUZy9Sbmp1UlpNd05uaDVsdlZD?= =?utf-8?B?SlJKQ0ZKSTlYTmJxVHg2ZW5nMnRyMzQzSXVzblU3NUREdHdnRElwQ2U0bkc3?= =?utf-8?B?R1kwK1VrT0l1ZkE5TEEzMVA4TzhBQnBpYk5hT0pXbzBTbi9hdEFJeVpOU3Rl?= =?utf-8?B?WGZUZFNnWUJUZEdUZU9KalE5YTJuU0wyaWZuS2JZanZPdTVWWG5DdVVHUDFt?= =?utf-8?B?eE5JWXhEb0loWHA5eksvbGZXcU9LT1l5WlNXUWo5bzhyMVlzeENZa0djeXRu?= =?utf-8?B?UXFmZklDbTJ5Y1Vzd0hSa3FTZzRpbElUenRrZTlkQ1gzaHpDRGRFN0xUbUxn?= =?utf-8?B?MDEyZVVCVnVHSFB6YVFwZ2hsMGZVQmxqK09ESURUdjhQMVVEU1dKK0xiZWpE?= =?utf-8?B?UjJVZFhvVTkvSFgzWFAyU1ZIaXhmOFhMZkU4a2V4enZxZ2dteGN5bkt2T29C?= =?utf-8?B?Q3NKS0wwWmtBOXh6cnRxeUhReGFXNVpnNlBxcTBCTWp3N1lJRXdmb2xTOThO?= =?utf-8?B?THdoZURPdXVNK01BQjNoTGIxQk9WakhKR0Fubkg2VmJOQ0lRZXhDOUFXU3Jv?= =?utf-8?B?VHhlNlU2U24vRlp4ZUVkeVNSQTlvSUVOOFptY3pZZCtRQ0RNM21FNWNRZURS?= =?utf-8?B?Q1VaY2YrK3FOV2lXdVN6Y1VvaGpvckRiMUdSSlV0eEpnZXMzTDluOWM2Q3Q5?= =?utf-8?B?L0JKLysxN3pzbWNwdFVyU1Fzd3NJd3hONkNoVGlyZmxWMlkxVnhCeXNUT0Iy?= =?utf-8?B?OGNDcFdBa1dhMDU1MkhqbVBqVXE1UzFRNTNVNjlFWk9HSnRKLzIyYlNLWGtU?= =?utf-8?B?dmNYNlJ4VzJiSGhabzJpdWV1bzQ5QjUvRGVFOUdJZWdXQ21xWlZjTDRzblVj?= =?utf-8?B?UFlidEhUdERDWkd4c1pkeEN3alhmUVMzSTdKRXk2R3lMNk9TOStqWTJ6T0Jy?= =?utf-8?B?d2tmZmJxQkRGOGUyVlBpU09LQnEyTFdqbDZPNjh2REFJeXV0UkJycU4xTnlz?= =?utf-8?B?Y082cW1RNENvbTFQRGdxU2NKMyt4ZGROMWtBVEtJaGpUY0N6Q09kZnlXYUpF?= =?utf-8?B?TmJ4WTRjai83cTlOQmRTMUpnWllacEZ5MU0wU09HZHZVcEYrZUZVYVl1UWhq?= =?utf-8?B?UEZGVVk5cE5sa1JZRGViNnhOS3JBL1gvVFhkelBaeXdheVRVS2JWMG1RQjVP?= =?utf-8?B?RUxWYWlVdnZtcVlKcDI0QTBNclpNMzFtWi9uc08wR3I4S05zMGcvQUNWQWFM?= =?utf-8?B?Vkttb0hHVkVKWEwrT2U1Ykx0SHB5V3lhMzB6cE5iUUZpOXJySmdPRWEra244?= =?utf-8?B?MVZJRDg4bDhuQitUeGNqUjF6TGZUMGh1S2MxTjZlWDBxUHVHRGhySkIybXF1?= =?utf-8?B?Z25aS0o3REdKMlhTcGI3aHpVTCtNWnJ2TWNUSzRqdjM5cVo4aktCTFVDVjAz?= =?utf-8?B?SmVVR2ZFK0NXWUdncEpqSjlFWUVhM2VtcUlGaVp4QkVnMnpoK0FWak9aczJv?= =?utf-8?B?R005WUxad0M5a0F0ZFQ4Q1NmM2pLd0NvMVMrRTVOMDdoY0gvc1FzdDZTSHpY?= =?utf-8?B?UVZuWHJUaTMvZTJIM1M5TGhydFkwRy9TVVhDRHZ0bEt1V3JHbHZPV3FLN25F?= =?utf-8?B?QmRGOWtyUytReFhuNnppQzd4bERscElNV1lrUUR0TVJSdW11T3hieFZ4bkx3?= =?utf-8?B?WGZOR0lFcUVVd2FhZU9PZEpzTHJlak5OZWNMNzlXWnhaYjFRSmhZWUtkM0dn?= =?utf-8?B?b1VzOEtBd1ROOFZZbGNyRmRZeW1PV0h0cVl4cGJya3NHTVpMWUNqc3kwRm5a?= =?utf-8?B?YTVCWWZkZWZkR0tkanhTYzdPUzM4cFhEVUJINEVoVkpURW8vZW5BNlh5OHJW?= =?utf-8?B?NkdvRWJDYlU3bUVHYUFiMStOMWVSZHRqR1BxcUplek0zdDNRQXlucVlLaGtC?= =?utf-8?B?QTBrL0Fab0ltZVd5UDlFbFJteEJpWS9GVDJBR282QXNJc3pvekJoQU5YWFp1?= =?utf-8?B?c1Q1WEJRZCtGa0c0U0k5N0JwS2pzYnBKWklVNzl1OWJMVmQ3VVNZbEEwcUxX?= =?utf-8?B?YXRLT2VTU3lqVVBhci84dENrT0RwNnNSS3NVRURVb3hUTm5uUXNJUT09?= X-OriginatorOrg: siemens.com X-MS-Exchange-CrossTenant-Network-Message-Id: ed597d80-82e7-4086-c18d-08de5721e0c5 X-MS-Exchange-CrossTenant-AuthSource: AS4PR10MB6181.EURPRD10.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Jan 2026 06:13:35.1207 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: OrkAMzy8gdOdr+SmbGezx8Da/aNg4nBWh+pSY/zE1/jE28gTd5CAQe+N+uWVKy0Kz75AA/u5aWMR8Fy32Y2dOg== X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB9PR10MB5503 X-Original-Sender: jan.kiszka@siemens.com X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=selector2 header.b=hCBmAon3; arc=pass (i=1 spf=pass spfdomain=siemens.com dkim=pass dkdomain=siemens.com dmarc=pass fromdomain=siemens.com); spf=pass (google.com: domain of jan.kiszka@siemens.com designates 2a01:111:f403:c201::6 as permitted sender) smtp.mailfrom=jan.kiszka@siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com X-Original-From: Jan Kiszka Reply-To: Jan Kiszka Precedence: list Mailing-list: list isar-users@googlegroups.com; contact isar-users+owners@googlegroups.com List-ID: X-Spam-Checked-In-Group: isar-users@googlegroups.com X-Google-Group-Id: 914930254986 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-Spam-Status: No, score=-4.9 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI, RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H2,RCVD_IN_RP_CERTIFIED, RCVD_IN_RP_RNBL,RCVD_IN_RP_SAFE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on shymkent.ilbers.de X-TUID: hWmCUI5KzOhm On 19.01.26 07:06, 'Badrikesh Prusty' via isar-users wrote: > Add a new package, linux-image--secrets, to ship the kernel > module signing keys required for signing out-of-tree kernel modules. > > The package is built only when the pkg..secrets build profile is > enabled and installs the signing_key artifacts generated during the > kernel build into /usr/share/linux-secrets. > > This allows out-of-tree modules to be signed with the same key used for > in-tree modules. > > Usage: > In the out-of-tree module recipe: > SIGNATURE_KEYFILE = "/usr/share/linux-secrets/signing_key.pem" > SIGNATURE_CERTFILE = "/usr/share/linux-secrets/signing_key.x509" > DEBIAN_BUILD_DEPENDS:append = ", linux-secrets" > > In the kernel recipe, enable the secrets build profile: > BUILD_PROFILES:append = " pkg.${BPN}.secrets" > > NOTE: The linux-image--secrets package contains the private > module signing key. Care must be taken NOT to distribute this package > in package feeds or images, as this would allow anyone to sign kernel > modules that the kernel would trust. > > Signed-off-by: Badrikesh Prusty > --- > RECIPE-API-CHANGELOG.md | 24 +++++++++++++++++++ > .../linux/files/debian/control.tmpl | 7 ++++++ > .../linux/files/debian/isar/common.tmpl | 1 + > .../linux/files/debian/isar/install.tmpl | 19 +++++++++++++++ > 4 files changed, 51 insertions(+) > > diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md > index 0bad8a44..1a33d6ae 100644 > --- a/RECIPE-API-CHANGELOG.md > +++ b/RECIPE-API-CHANGELOG.md > @@ -962,3 +962,27 @@ INSTALLER_UNATTENDED_ABORT_ENABLE = "1" > # Optional: set countdown timeout in seconds (default 5) > INSTALLER_UNATTENDED_ABORT_TIMEOUT = "5" > ``` > + > +### Add linux-image--secrets package for out-of-tree module signing > + > +linux-image--secrets ships kernel module signing keys required for > +signing out-of-tree kernel modules. > + > +The package is built only when the `pkg..secrets` build profile is > +enabled and installs the signing_key artifacts generated during the kernel > +build into `/usr/share/linux-secrets`. > + > +Usage: > +``` > +# In the out-of-tree module recipe: > +SIGNATURE_KEYFILE = "/usr/share/linux-secrets/signing_key.pem" > +SIGNATURE_CERTFILE = "/usr/share/linux-secrets/signing_key.x509" > +DEBIAN_BUILD_DEPENDS:append = ", linux-secrets" > + > +# In the kernel recipe, enable the secrets build profile: > +BUILD_PROFILES:append = " pkg.${BPN}.secrets" > +``` > + > +SECURITY NOTE: This package contains the private module signing key. Do not > +distribute it in package feeds or images, as this would allow anyone to sign > +kernel modules that the kernel would trust. > diff --git a/meta/recipes-kernel/linux/files/debian/control.tmpl b/meta/recipes-kernel/linux/files/debian/control.tmpl > index ee87cf92..969f6b0c 100644 > --- a/meta/recipes-kernel/linux/files/debian/control.tmpl > +++ b/meta/recipes-kernel/linux/files/debian/control.tmpl > @@ -69,3 +69,10 @@ Conflicts: linux-kbuild-${KERNEL_NAME_PROVIDED} > Description: ${KERNEL_NAME_PROVIDED} Linux kbuild scripts and tools for @KR@ > This package provides kernel kbuild scripts and tools for @KR@ > This is useful for people who need to build external modules > + > +Package: linux-image-${KERNEL_NAME_PROVIDED}-secrets > +Build-Profiles: > +Section: devel > +Provides: linux-secrets > +Architecture: all > +Description: Linux kernel module signing secrets > diff --git a/meta/recipes-kernel/linux/files/debian/isar/common.tmpl b/meta/recipes-kernel/linux/files/debian/isar/common.tmpl > index f9cc2f02..6554cdb0 100644 > --- a/meta/recipes-kernel/linux/files/debian/isar/common.tmpl > +++ b/meta/recipes-kernel/linux/files/debian/isar/common.tmpl > @@ -38,6 +38,7 @@ deb_libc_hdr_dir=${deb_top_dir}/${KERNEL_PKG_LIBC_HEADERS} > deb_libc_hdr_cross_dir=${deb_top_dir}/${KERNEL_PKG_LIBC_HEADERS_CROSS} > deb_kern_kbuild_dir=${deb_top_dir}/${KERNEL_PKG_KERN_KBUILD} > deb_kern_kbuild_cross_dir=${deb_top_dir}/${KERNEL_PKG_KERN_KBUILD_CROSS} > +deb_kern_secrets=${deb_top_dir}/${KERNEL_PKG_IMAGE}-secrets > > # Array of packages to be generated > declare -A kern_pkgs > diff --git a/meta/recipes-kernel/linux/files/debian/isar/install.tmpl b/meta/recipes-kernel/linux/files/debian/isar/install.tmpl > index 6fa94508..99d64ca5 100644 > --- a/meta/recipes-kernel/linux/files/debian/isar/install.tmpl > +++ b/meta/recipes-kernel/linux/files/debian/isar/install.tmpl > @@ -70,6 +70,11 @@ do_install() { > install_headers > fi > > + if echo "${DEB_BUILD_PROFILES}" | grep -q "pkg.${BPN}.secrets"; then > + kern_secrets_path="${deb_kern_secrets}/usr/share/linux-secrets" > + install_module_signing_secrets "${kern_secrets_path}" > + fi > + > # Stop tracing > set +x > } > @@ -271,4 +276,18 @@ install_kbuild() { > kernel_tools > } > > +install_module_signing_secrets() { > + local dest="${1}" > + local keydir="${KERNEL_BUILD_DIR}/certs" > + local priv="${keydir}/signing_key.pem" > + local cert="${keydir}/signing_key.x509" > + if [ ! -f "${priv}" ] || [ ! -f "${cert}" ]; then > + echo "error: module signing keys not found but pkg.${BPN}.secrets is enabled" >&2 > + return 1 > + fi > + install -d -m 0755 ${dest} > + install -m 0400 ${KERNEL_BUILD_DIR}/certs/signing_key.pem ${dest}/ > + install -m 0444 ${KERNEL_BUILD_DIR}/certs/signing_key.x509 ${dest}/ > +} > + > main install ${*} Given the risk that comes with this new packages and also in the light of [1], I think we should rather enable consistent module signing with existing, managed key providers. Jan [1] https://gitlab.com/cip-project/cip-core/isar-cip-core/-/issues/144 -- Siemens AG, Foundational Technologies Linux Expert Center -- You received this message because you are subscribed to the Google Groups "isar-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/isar-users/5b6b7fee-feb7-4c87-895f-9dca339d4063%40siemens.com.