From: yuecelm@gmail.com
To: isar-users
Date: Wed, 29 Apr 2020 06:00:58 -0700 (PDT)
Message-Id: <9a590808-34da-493f-9ea2-219d17cd87c9@googlegroups.com>
Subject: signing support for (in-tree and external) kernel modules

In-tree kernel modules get signed with the CONFIG_MODULE_SIG_ALL kernel option, but extra (resp. external) modules are not. If you (resp. isar) do not provide an (external) signing key, the kernel build autogenerates a private/public key pair. It would be nice if the isar build system provided some support for signing kernel modules.

I currently see 2 use cases:
1) let the kernel build autogenerate the private/public key for kernel module signing and have kernel-module reuse the key for signing (possibly isar deletes the private key after image generation)
2) provide an (external) private and public key for kernel module signing, which will be used in the kernel and kernel-module recipes
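The gap described in the message above (in-tree modules signed, external ones not) can be checked on a built image by looking for the signature trailer on each module. This is an added example, not part of the original message and not isar code; the function names are hypothetical, and the trailer layout assumed is the kernel's `struct module_signature` followed by the `~Module signature appended~` marker.

```python
import struct
from pathlib import Path

# Marker the kernel's scripts/sign-file appends after the signature info.
MAGIC = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# 3 pad bytes, then sig_len as a big-endian u32 (12 bytes in total).
SIG_INFO = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2


def module_signature_info(data: bytes):
    """Return (id_type, sig_len) if data ends in a well-formed signature
    trailer, else None. Checks presence only, not cryptographic validity."""
    if not data.endswith(MAGIC):
        return None
    body = data[:-len(MAGIC)]
    if len(body) < SIG_INFO.size:
        return None
    _algo, _hash, id_type, signer_len, key_id_len, sig_len = SIG_INFO.unpack(
        body[-SIG_INFO.size:])
    payload = len(body) - SIG_INFO.size
    if sig_len == 0 or sig_len + signer_len + key_id_len > payload:
        return None  # truncated or bogus trailer
    return id_type, sig_len


def unsigned_modules(root):
    """List .ko files under root that carry no signature trailer."""
    return sorted(str(p) for p in Path(root).rglob("*.ko")
                  if module_signature_info(p.read_bytes()) is None)


def fake_signed(elf: bytes, sig: bytes) -> bytes:
    """Constructed sample: module bytes + dummy signature + trailer."""
    info = SIG_INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(sig))
    return elf + sig + info + MAGIC
```

Point `unsigned_modules()` at the image's module directory after the build; compressed modules have to be decompressed before the trailer is visible.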