From: "'Jan Kiszka' via isar-users" <isar-users@googlegroups.com>
To: "MOESSBAUER, Felix" <felix.moessbauer@siemens.com>,
"isar-users@googlegroups.com" <isar-users@googlegroups.com>,
"Cetin, Gokhan" <gokhan.cetin@siemens.com>
Cc: "quirin.gylstorff@siemens.com" <quirin.gylstorff@siemens.com>
Subject: Re: [PATCH] meta/recipes-kernel/linux-module: Allow use of external scripts to sign modules
Date: Tue, 21 Jan 2025 10:37:28 +0100
Message-ID: <e0304d05-4e88-48bf-ba9b-fdab28b8cb84@siemens.com>
In-Reply-To: <9f25b996c73f1bd180baf53c8baf13a65f3d8c4c.camel@siemens.com>
On 21.01.25 10:23, 'MOESSBAUER, Felix' via isar-users wrote:
> On Mon, 2025-01-20 at 18:23 +0000, Çetin, Gökhan (FT D EU TR C&E)
> wrote:
>> This facilitates the integration of scripts developed for signing solutions like HSM where private keys are not accessible and allows the use of detached signatures produced by such solutions.
>
> Hi, the patch itself is fine, but it would be good to also mention this
> somewhere in the docs (maybe with a short explanation how to use it).
>
...and that documentation should also clarify why the hook is only
needed for the modules, not for the kernel but rather for its UKI -
which is provided by isar-cip-core only so far.
Jan
> Felix
>
> Acked-by: Felix Moessbauer <felix.moessbauer@siemens.com>
>
>
>>
>> Signed-off-by: Gokhan Cetin <gokhan.cetin@siemens.com>
>> ---
>> meta/recipes-kernel/linux-module/files/debian/rules.tmpl | 4 ++++
>> meta/recipes-kernel/linux-module/module.inc | 2 ++
>> 2 files changed, 6 insertions(+)
>>
>> diff --git a/meta/recipes-kernel/linux-module/files/debian/rules.tmpl
>> b/meta/recipes-kernel/linux-module/files/debian/rules.tmpl
>> index ad743437..30d7ce0f 100755
>> --- a/meta/recipes-kernel/linux-module/files/debian/rules.tmpl
>> +++ b/meta/recipes-kernel/linux-module/files/debian/rules.tmpl
>> @@ -56,6 +56,10 @@ endif
>> ifneq ($(filter pkg.sign,$(DEB_BUILD_PROFILES)),)
>> find . -name "*.ko" -print -exec $(KDIR)/scripts/sign-file
>> ${SIGNATURE_HASHFN} ${SIGNATURE_KEYFILE} ${SIGNATURE_CERTFILE} {} \;
>> endif
>> +ifneq ($(filter pkg.signwith,$(DEB_BUILD_PROFILES)),)
>> + find . -name "*.ko" | xargs -i ${SIGNATURE_SIGNWITH} {}
>> {}.signature ${SIGNATURE_HASHFN} ${SIGNATURE_CERTFILE}
>> + find . -name "*.ko" | xargs -i $(KDIR)/scripts/sign-file -s
>> {}.signature ${SIGNATURE_HASHFN} ${SIGNATURE_CERTFILE} {}
>> +endif
>>
>> override_dh_auto_install:
>> $(MAKE) -C $(KDIR) M=${MODULE_DIR}
>> INSTALL_MOD_PATH=$(PWD)/debian/${PN} modules_install
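Review bot: `xargs -i` in the new `pkg.signwith` block is the deprecated GNU spelling of `-I {}`, and a plain `find | xargs` pipeline splits on whitespace in paths; `find . -name "*.ko" -print0 | xargs -0 -I {} ...` fixes both while keeping the useful property that a failing signer makes xargs exit non-zero and aborts the build (the `-exec ... \;` form used by the `pkg.sign` block above does not give you that, since find returns 0 when the executed command fails). Nothing in this rule rejects an empty `${SIGNATURE_SIGNWITH}` (its default in module.inc is ""), so with the profile enabled but no signer configured the first command line degenerates to `{} {}.signature sha256 ...`, i.e. an attempt to execute the module file itself; a `test -n "${SIGNATURE_SIGNWITH}"` guard before the loop gives a clear failure instead. The positional contract handed to the external script (module path, output signature path, hash function, cert file), and the fact that its output must be exactly what `sign-file -s` consumes, belong in the documentation requested above, because every HSM wrapper will depend on that order.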
>> diff --git a/meta/recipes-kernel/linux-module/module.inc
>> b/meta/recipes-kernel/linux-module/module.inc
>> index 3e8e5e7a..d7432bf7 100644
>> --- a/meta/recipes-kernel/linux-module/module.inc
>> +++ b/meta/recipes-kernel/linux-module/module.inc
>> @@ -25,6 +25,7 @@ DEB_BUILD_OPTIONS += "noautodbgsym"
>> SIGNATURE_KEYFILE ??= ""
>> SIGNATURE_CERTFILE ??= ""
>> SIGNATURE_HASHFN ??= "sha256"
>> +SIGNATURE_SIGNWITH ??= ""
>>
>> SRC_URI += "file://debian/"
>>
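Review bot: `SIGNATURE_SIGNWITH ??= ""` introduces the variable, but the diff does not show where `pkg.signwith` gets added to `DEB_BUILD_PROFILES`, so as posted the new rules.tmpl block is unreachable unless the user sets the profile by hand; either derive it here from a non-empty `SIGNATURE_SIGNWITH` (next to the existing `SIGNATURE_KEYFILE`/`SIGNATURE_CERTFILE` handling) or document that the profile must be set explicitly. Also consider making `pkg.sign` and `pkg.signwith` mutually exclusive, since both rules.tmpl blocks operate on the same `*.ko` files and would otherwise both run.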
>> @@ -57,6 +58,7 @@ TEMPLATE_VARS += " \
>> SIGNATURE_KEYFILE \
>> SIGNATURE_CERTFILE \
>> SIGNATURE_HASHFN \
>> + SIGNATURE_SIGNWITH \
>> PN \
>> DEBIAN_COMPAT"
>>
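Review bot: adding `SIGNATURE_SIGNWITH` to `TEMPLATE_VARS` is the right place, but the template substitutes the value verbatim into debian/rules, where it is expanded by make and then by the shell inside the `xargs` command line; a value containing spaces, `$` or shell metacharacters would break the rule, so the docs should state that the value is a single executable path (or a name resolvable on PATH) with no embedded arguments, and the new variable should be listed alongside the existing `SIGNATURE_*` variables.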
>
--
Siemens AG, Foundational Technologies
Linux Expert Center