From: Mustafa Yücel
To: isar-users
Date: Wed, 29 Apr 2020 09:51:03 -0700 (PDT)
Subject: Re: signing support for (in-tree and external) kernel modules
References: <9a590808-34da-493f-9ea2-219d17cd87c9@googlegroups.com>

I checked again, sign-file is included in the linux-headers package:

~myproject/out/build/tmp/deploy/isar-apt/apt/debian-buster/pool/main/l/linux-cip$ dpkg -c linux-headers-cip_4.19.113-cip23+r0_amd64.deb | grep sign-file
-rw-r--r-- root/root      7047 2020-04-29 16:56 ./usr/src/linux-headers-4.19.113-cip23/scripts/.sign-file.cmd
-rwxr-xr-x root/root     14624 2020-04-29 16:56 ./usr/src/linux-headers-4.19.113-cip23/scripts/sign-file
-rw-r--r-- root/root      9994 2020-03-28 01:06 ./usr/src/linux-headers-4.19.113-cip23/scripts/sign-file.c

Where did you get CONFIG_MODULE_SIG_FORMAT from? CONFIG_MODULE_SIG is the trigger to create this binary:

scripts/Makefile:hostprogs-$(CONFIG_MODULE_SIG) += sign-file

Musti

On Wednesday, April 29, 2020 at 5:35:15 PM UTC+2, Jan Kiszka wrote:
>
> On 29.04.20 15:00, yue...@gmail.com wrote:
> > In tree kernel modules gets signed with the CONFIG_MODULE_SIG_ALL kernel
> > option, but extra (resp. external) modules not. If you (resp. isar) not
> > provide an (external) signing key, the kernel build autogenerates a
> > private/public key pair. It would be nice if the isar build system
> > provide some support for signing kernel modules.
> >
> > I see currently 2 use cases:
> > 1) let the kernel build to autogenerate private/public key for kernel
> > module signing and kernel-module reuse the key for signing (evt. isar
> > deletes the private key after image generation)
> > 2) provide an (external) private and public key for kernel module
> > signing and will be used in kernel and kernel-module recipes
> >
>
> We likely want to go for path 2 because the first option prevents
> reproducibility. And that means we need to define a channel how to
> provide those keys both to the kernel build as well as the external
> module builds.
>
> Did you happen to observe if kernel-headers will include at least the
> script/sign-file host tool when CONFIG_MODULE_SIG_FORMAT is enabled?
> That - together with the keys - would be needed in order to sign
> external modules already during their build.
>
> Jan
>
> --
> Siemens AG, Corporate Technology, CT RDA IOT SES-DE
> Corporate Competence Center Embedded Linux
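A check a build pipeline could run on the resulting .ko files to confirm that external modules really were signed, as an added example that is not part of this thread or of isar: it parses the trailer that sign-file appends (signature blob, then the kernel's struct module_signature, then the magic string). The function name and the sample bytes are constructed for illustration; the code inspects the trailer only and does not verify the signature against a key.

```python
import struct

# Signed module layout: [module ELF][signature blob][struct module_signature][magic]
MAGIC = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len, pad[3], be32 sig_len
SIG_INFO = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2  # id_type used for PKCS#7 signatures


def module_signature_info(blob: bytes):
    """Return trailer fields of a signed .ko image, or None if it is unsigned.

    Raises ValueError when the magic is present but the trailer is
    inconsistent (for example a truncated or modified file).
    """
    if not blob.endswith(MAGIC):
        return None
    end = len(blob) - len(MAGIC)
    if end < SIG_INFO.size:
        raise ValueError("magic present but trailer header is truncated")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = SIG_INFO.unpack(
        blob[end - SIG_INFO.size:end])
    payload_end = end - SIG_INFO.size
    if sig_len == 0 or sig_len > payload_end:
        raise ValueError("sig_len does not fit inside the file")
    if id_type == PKEY_ID_PKCS7 and (algo or hash_ or signer_len or key_id_len):
        raise ValueError("PKCS#7 trailer must have zeroed legacy fields")
    return {
        "id_type": id_type,
        "sig_len": sig_len,
        "module_len": payload_end - sig_len,  # size of the unsigned module image
    }


# Constructed sample data (not real modules): a fake ELF body and a dummy signature blob.
FAKE_MODULE = b"\x7fELF" + b"\x00" * 60
FAKE_SIG = b"\x30\x82" + b"\xaa" * 30
SIGNED = (FAKE_MODULE + FAKE_SIG
          + SIG_INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(FAKE_SIG)) + MAGIC)

if __name__ == "__main__":
    for name, data in (("unsigned", FAKE_MODULE), ("signed", SIGNED)):
        print(name, module_signature_info(data))
```

Run over every module an image ships, a None result flags an external module that went through the build without being signed.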