From: Jan Kiszka <jan.kiszka@siemens.com>
To: Mustafa Yücel, isar-users <isar-users@googlegroups.com>
Subject: Re: signing support for (in-tree and external) kernel modules
Date: Wed, 29 Apr 2020 19:38:35 +0200
Message-ID: <9d4818d5-e884-a600-0504-996042f31e3b@siemens.com>
References: <9a590808-34da-493f-9ea2-219d17cd87c9@googlegroups.com>

On 29.04.20 18:51, Mustafa Yücel wrote:
> I checked again, sign-file is included in linux-headers package:
>
> ~myproject/out/build/tmp/deploy/isar-apt/apt/debian-buster/pool/main/l/linux-cip$
> dpkg -c linux-headers-cip_4.19.113-cip23+r0_amd64.deb | grep sign-file
> -rw-r--r-- root/root      7047 2020-04-29 16:56
> ./usr/src/linux-headers-4.19.113-cip23/scripts/.sign-file.cmd
> -rwxr-xr-x root/root     14624 2020-04-29 16:56
> ./usr/src/linux-headers-4.19.113-cip23/scripts/sign-file
> -rw-r--r-- root/root      9994 2020-03-28 01:06
> ./usr/src/linux-headers-4.19.113-cip23/scripts/sign-file.c
>

OK, that's good.

> from where you got CONFIG_MODULE_SIG_FORMAT? CONFIG_MODULE_SIG is the
> trigger to create this binary:
>
> scripts/Makefile:hostprogs-$(CONFIG_MODULE_SIG)+= sign-file
>

I was looking at kernel 5.6. Then we likely need multiple conditions for
when to run sign-file while building an external module.

And we also need some idea how to deploy the shared keys to all recipes.
If we only talk about two or three, the kernel recipe could carry the
keys as artifacts, and other recipes would simply link them. But that is
not really nice to maintain. We could, of course, package the keys into
linux-headers. Downside: Someone may then accidentally ship them on a
device.

Jan

> Musti
>
> On Wednesday, April 29, 2020 at 5:35:15 PM UTC+2, Jan Kiszka wrote:
>
> > On 29.04.20 15:00, yue...@gmail.com wrote:
> > > In tree kernel modules gets signed with the CONFIG_MODULE_SIG_ALL
> > > kernel option, but extra (resp. external) modules not. If you
> > > (resp. isar) not provide an (external) signing key, the kernel
> > > build autogenerates a private/public key pair. It would be nice if
> > > the isar build system provide some support for signing kernel
> > > modules.
> > >
> > > I see currently 2 use cases:
> > > 1) let the kernel build to autogenerate private/public key for
> > > kernel module signing and kernel-module reuse the key for signing
> > > (evt. isar deletes the private key after image generation)
> > > 2) provide an (external) private and public key for kernel module
> > > signing and will be used in kernel and kernel-module recipes
> > >
> >
> > We likely want to go for path 2 because the first option prevents
> > reproducibility. And that means we need to define a channel how to
> > provide those keys both to the kernel build as well as the external
> > module builds.
> >
> > Did you happen to observe if kernel-headers will include at least the
> > script/sign-file host tool when CONFIG_MODULE_SIG_FORMAT is enabled?
> > That - together with the keys - would be needed in order to sign
> > external modules already during their build.
> >
> > Jan
>

--
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux
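Added example (not part of this thread, and not isar or kernel code): the thread turns on getting every external module through scripts/sign-file before image generation. A build-side check that no module was left unsigned needs to recognise what sign-file appends, which is the module image, the PKCS#7 signature, a 12-byte struct module_signature (algo, hash, id_type, signer_len, key_id_len, three pad bytes, big-endian sig_len) and the magic string "~Module signature appended~\n"; that layout and the PKCS#7 id_type value 2 come from the kernel's scripts/sign-file.c. The script below parses that trailer, flags modules without a usable one, and includes a helper that reproduces only the framing (no real signature is computed) so the parser can be exercised offline on constructed sample data. The function names and the sample bytes are the example's own assumptions.

```python
import struct

# Trailer layout from the kernel's scripts/sign-file.c:
#   <module image> <PKCS#7 DER> <struct module_signature, 12 bytes> <MAGIC, 28 bytes>
MAGIC = b"~Module signature appended~\n"
# struct module_signature: u8 algo, u8 hash, u8 id_type, u8 signer_len,
# u8 key_id_len, u8 __pad[3], __be32 sig_len
TRAILER = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2  # id_type sign-file writes for PKCS#7 signatures


def parse_module_signature(blob):
    """Describe the signature appended to a .ko image, or return None if unsigned.

    A trailer whose claimed sig_len exceeds the file also yields None, so a
    corrupt or truncated signature is reported as "unsigned" instead of
    being trusted on the strength of the magic string alone.
    """
    if not blob.endswith(MAGIC):
        return None
    rest = blob[: len(blob) - len(MAGIC)]
    if len(rest) < TRAILER.size:
        return None
    algo, hash_id, id_type, signer_len, key_id_len, sig_len = TRAILER.unpack(
        rest[len(rest) - TRAILER.size:]
    )
    rest = rest[: len(rest) - TRAILER.size]
    if sig_len > len(rest):
        return None
    split = len(rest) - sig_len
    return {
        "algo": algo,
        "hash": hash_id,
        "id_type": id_type,
        "pkcs7": id_type == PKEY_ID_PKCS7,
        "signer_len": signer_len,
        "key_id_len": key_id_len,
        "sig_len": sig_len,
        "signature": rest[split:],  # raw PKCS#7 bytes
        "payload": rest[:split],    # the module image that was signed
    }


def append_signature_trailer(module_image, pkcs7_der):
    """Frame a PKCS#7 blob exactly as sign-file does (hypothetical helper).

    Only the framing is reproduced here; producing the PKCS#7 signature
    itself is sign-file's job and needs the signing key and certificate.
    """
    trailer = TRAILER.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7_der))
    return module_image + pkcs7_der + trailer + MAGIC


def audit_modules(modules):
    """Given {name: image bytes}, return the names that carry no usable signature."""
    return sorted(name for name, blob in modules.items()
                  if parse_module_signature(blob) is None)


if __name__ == "__main__":
    # Constructed sample data: a stand-in for an ELF module and a fake DER blob.
    module = b"\x7fELF" + b"\x00" * 60
    fake_pkcs7 = b"\x30\x82" + b"\x01" * 40
    sample = {
        "signed.ko": append_signature_trailer(module, fake_pkcs7),
        "unsigned.ko": module,
    }
    for name, blob in sample.items():
        info = parse_module_signature(blob)
        if info is None:
            print(name, "UNSIGNED")
        else:
            print(name, "signed, id_type=%d sig_len=%d" % (info["id_type"], info["sig_len"]))
    print("unsigned modules:", audit_modules(sample))
```

In a real build the dictionary passed to audit_modules would be filled from the .ko files staged for packaging, and a non-empty result would fail the task before the image is assembled. The parser deliberately does not validate the PKCS#7 contents; that is the kernel's job at insmod time, and the point here is only to catch modules that never went through sign-file.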