* [PATCH] meta/recipes-kernel/linux-module: Allow use of external scripts to sign modules
From: 'Cetin, Gokhan' via isar-users @ 2025-01-20 18:23 UTC
To: isar-users; +Cc: quirin.gylstorff, MOESSBAUER, Felix
This facilitates the integration of scripts developed for signing solutions like HSM
where private keys are not accessible and allows the use of detached signatures
produced by such solutions.
Signed-off-by: Gokhan Cetin <gokhan.cetin@siemens.com>
---
meta/recipes-kernel/linux-module/files/debian/rules.tmpl | 4 ++++
meta/recipes-kernel/linux-module/module.inc | 2 ++
2 files changed, 6 insertions(+)
diff --git a/meta/recipes-kernel/linux-module/files/debian/rules.tmpl b/meta/recipes-kernel/linux-module/files/debian/rules.tmpl
index ad743437..30d7ce0f 100755
--- a/meta/recipes-kernel/linux-module/files/debian/rules.tmpl
+++ b/meta/recipes-kernel/linux-module/files/debian/rules.tmpl
@@ -56,6 +56,10 @@ endif
ifneq ($(filter pkg.sign,$(DEB_BUILD_PROFILES)),)
find . -name "*.ko" -print -exec $(KDIR)/scripts/sign-file ${SIGNATURE_HASHFN} ${SIGNATURE_KEYFILE} ${SIGNATURE_CERTFILE} {} \;
endif
+ifneq ($(filter pkg.signwith,$(DEB_BUILD_PROFILES)),)
+ find . -name "*.ko" | xargs -i ${SIGNATURE_SIGNWITH} {} {}.signature ${SIGNATURE_HASHFN} ${SIGNATURE_CERTFILE}
+ find . -name "*.ko" | xargs -i $(KDIR)/scripts/sign-file -s {}.signature ${SIGNATURE_HASHFN} ${SIGNATURE_CERTFILE} {}
+endif
override_dh_auto_install:
$(MAKE) -C $(KDIR) M=${MODULE_DIR} INSTALL_MOD_PATH=$(PWD)/debian/${PN} modules_install
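Review bot: Nothing in the new `pkg.signwith` branch checks that `${SIGNATURE_SIGNWITH}` is set. module.inc defaults it to an empty string, so with the profile enabled and the variable left empty the first added line expands to `xargs -i {} {}.signature ...`, and xargs would try to execute each `.ko` file as the command. Failing early with a clear error when the variable is empty would make that misconfiguration obvious. The two `find . -name "*.ko" | xargs -i` pipelines also differ from the `find ... -exec ... {} \;` form used by the `pkg.sign` branch just above: `-i` is deprecated in GNU xargs in favour of `-I {}`, and without `-print0`/`-0` quotes and backslashes in paths are still interpreted by xargs. Using `-exec` here as well, or `-print0 | xargs -0 -I {}`, would avoid both. Finally, `pkg.sign` and `pkg.signwith` are not mutually exclusive, so with both profiles active the modules are passed to `sign-file` twice; either document that only one may be set or guard against it.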
diff --git a/meta/recipes-kernel/linux-module/module.inc b/meta/recipes-kernel/linux-module/module.inc
index 3e8e5e7a..d7432bf7 100644
--- a/meta/recipes-kernel/linux-module/module.inc
+++ b/meta/recipes-kernel/linux-module/module.inc
@@ -25,6 +25,7 @@ DEB_BUILD_OPTIONS += "noautodbgsym"
SIGNATURE_KEYFILE ??= ""
SIGNATURE_CERTFILE ??= ""
SIGNATURE_HASHFN ??= "sha256"
+SIGNATURE_SIGNWITH ??= ""
SRC_URI += "file://debian/"
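Review bot: `SIGNATURE_SIGNWITH` is added with no comment describing what it has to point to. From the rules.tmpl change, the script is called with four positional arguments (module path, `{}.signature` output path, `${SIGNATURE_HASHFN}`, `${SIGNATURE_CERTFILE}`) and is expected to leave a detached signature at the second one for `sign-file -s` to consume. A short comment next to the variable stating that contract, that the `pkg.signwith` build profile enables it, and that `SIGNATURE_KEYFILE` is not used on this path would cover most of the documentation asked for in the thread.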
@@ -57,6 +58,7 @@ TEMPLATE_VARS += " \
SIGNATURE_KEYFILE \
SIGNATURE_CERTFILE \
SIGNATURE_HASHFN \
+ SIGNATURE_SIGNWITH \
PN \
DEBIAN_COMPAT"
--
2.39.2
--
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/PRAPR10MB5422842E3C1E3945109CA50680E72%40PRAPR10MB5422.EURPRD10.PROD.OUTLOOK.COM.
* Re: [PATCH] meta/recipes-kernel/linux-module: Allow use of external scripts to sign modules
From: 'MOESSBAUER, Felix' via isar-users @ 2025-01-21 9:23 UTC
To: isar-users, Cetin, Gokhan; +Cc: quirin.gylstorff
On Mon, 2025-01-20 at 18:23 +0000, Çetin, Gökhan (FT D EU TR C&E)
wrote:
> This facilitates the integration of scripts developed for signing
> solutions like HSM
> where private keys are not accessible and allows the use of detached
> signatures
> produced by such solutions.
Hi, the patch itself is fine, but it would be good to also mention this
somewhere in the docs (maybe with a short explanation how to use it).
Felix
Acked-by: Felix Moessbauer <felix.moessbauer@siemens.com>
>
> Signed-off-by: Gokhan Cetin <gokhan.cetin@siemens.com>
> ---
> meta/recipes-kernel/linux-module/files/debian/rules.tmpl | 4 ++++
> meta/recipes-kernel/linux-module/module.inc | 2 ++
> 2 files changed, 6 insertions(+)
>
> diff --git a/meta/recipes-kernel/linux-module/files/debian/rules.tmpl
> b/meta/recipes-kernel/linux-module/files/debian/rules.tmpl
> index ad743437..30d7ce0f 100755
> --- a/meta/recipes-kernel/linux-module/files/debian/rules.tmpl
> +++ b/meta/recipes-kernel/linux-module/files/debian/rules.tmpl
> @@ -56,6 +56,10 @@ endif
> ifneq ($(filter pkg.sign,$(DEB_BUILD_PROFILES)),)
> find . -name "*.ko" -print -exec $(KDIR)/scripts/sign-file
> ${SIGNATURE_HASHFN} ${SIGNATURE_KEYFILE} ${SIGNATURE_CERTFILE} {} \;
> endif
> +ifneq ($(filter pkg.signwith,$(DEB_BUILD_PROFILES)),)
> + find . -name "*.ko" | xargs -i ${SIGNATURE_SIGNWITH} {}
> {}.signature ${SIGNATURE_HASHFN} ${SIGNATURE_CERTFILE}
> + find . -name "*.ko" | xargs -i $(KDIR)/scripts/sign-file -s
> {}.signature ${SIGNATURE_HASHFN} ${SIGNATURE_CERTFILE} {}
> +endif
>
> override_dh_auto_install:
> $(MAKE) -C $(KDIR) M=${MODULE_DIR}
> INSTALL_MOD_PATH=$(PWD)/debian/${PN} modules_install
> diff --git a/meta/recipes-kernel/linux-module/module.inc
> b/meta/recipes-kernel/linux-module/module.inc
> index 3e8e5e7a..d7432bf7 100644
> --- a/meta/recipes-kernel/linux-module/module.inc
> +++ b/meta/recipes-kernel/linux-module/module.inc
> @@ -25,6 +25,7 @@ DEB_BUILD_OPTIONS += "noautodbgsym"
> SIGNATURE_KEYFILE ??= ""
> SIGNATURE_CERTFILE ??= ""
> SIGNATURE_HASHFN ??= "sha256"
> +SIGNATURE_SIGNWITH ??= ""
>
> SRC_URI += "file://debian/"
>
> @@ -57,6 +58,7 @@ TEMPLATE_VARS += " \
> SIGNATURE_KEYFILE \
> SIGNATURE_CERTFILE \
> SIGNATURE_HASHFN \
> + SIGNATURE_SIGNWITH \
> PN \
> DEBIAN_COMPAT"
>
* Re: [PATCH] meta/recipes-kernel/linux-module: Allow use of external scripts to sign modules
From: 'Jan Kiszka' via isar-users @ 2025-01-21 9:37 UTC
To: MOESSBAUER, Felix, isar-users, Cetin, Gokhan; +Cc: quirin.gylstorff
On 21.01.25 10:23, 'MOESSBAUER, Felix' via isar-users wrote:
> On Mon, 2025-01-20 at 18:23 +0000, Çetin, Gökhan (FT D EU TR C&E)
> wrote:
>> This facilitates the integration of scripts developed for signing
>> solutions like HSM
>> where private keys are not accessible and allows the use of detached
>> signatures
>> produced by such solutions.
>
> Hi, the patch itself is fine, but it would be good to also mention this
> somewhere in the docs (maybe with a short explanation how to use it).
>
...and that documentation should also clarify why the hook is only
needed for the modules, not for the kernel but rather for its UKI -
which is provided by isar-cip-core only so far.
Jan
> Felix
>
> Acked-by: Felix Moessbauer <felix.moessbauer@siemens.com>
>
>
>>
>> Signed-off-by: Gokhan Cetin <gokhan.cetin@siemens.com>
>> ---
>> meta/recipes-kernel/linux-module/files/debian/rules.tmpl | 4 ++++
>> meta/recipes-kernel/linux-module/module.inc | 2 ++
>> 2 files changed, 6 insertions(+)
>>
>> diff --git a/meta/recipes-kernel/linux-module/files/debian/rules.tmpl
>> b/meta/recipes-kernel/linux-module/files/debian/rules.tmpl
>> index ad743437..30d7ce0f 100755
>> --- a/meta/recipes-kernel/linux-module/files/debian/rules.tmpl
>> +++ b/meta/recipes-kernel/linux-module/files/debian/rules.tmpl
>> @@ -56,6 +56,10 @@ endif
>> ifneq ($(filter pkg.sign,$(DEB_BUILD_PROFILES)),)
>> find . -name "*.ko" -print -exec $(KDIR)/scripts/sign-file
>> ${SIGNATURE_HASHFN} ${SIGNATURE_KEYFILE} ${SIGNATURE_CERTFILE} {} \;
>> endif
>> +ifneq ($(filter pkg.signwith,$(DEB_BUILD_PROFILES)),)
>> + find . -name "*.ko" | xargs -i ${SIGNATURE_SIGNWITH} {}
>> {}.signature ${SIGNATURE_HASHFN} ${SIGNATURE_CERTFILE}
>> + find . -name "*.ko" | xargs -i $(KDIR)/scripts/sign-file -s
>> {}.signature ${SIGNATURE_HASHFN} ${SIGNATURE_CERTFILE} {}
>> +endif
>>
>> override_dh_auto_install:
>> $(MAKE) -C $(KDIR) M=${MODULE_DIR}
>> INSTALL_MOD_PATH=$(PWD)/debian/${PN} modules_install
>> diff --git a/meta/recipes-kernel/linux-module/module.inc
>> b/meta/recipes-kernel/linux-module/module.inc
>> index 3e8e5e7a..d7432bf7 100644
>> --- a/meta/recipes-kernel/linux-module/module.inc
>> +++ b/meta/recipes-kernel/linux-module/module.inc
>> @@ -25,6 +25,7 @@ DEB_BUILD_OPTIONS += "noautodbgsym"
>> SIGNATURE_KEYFILE ??= ""
>> SIGNATURE_CERTFILE ??= ""
>> SIGNATURE_HASHFN ??= "sha256"
>> +SIGNATURE_SIGNWITH ??= ""
>>
>> SRC_URI += "file://debian/"
>>
>> @@ -57,6 +58,7 @@ TEMPLATE_VARS += " \
>> SIGNATURE_KEYFILE \
>> SIGNATURE_CERTFILE \
>> SIGNATURE_HASHFN \
>> + SIGNATURE_SIGNWITH \
>> PN \
>> DEBIAN_COMPAT"
>>
>
--
Siemens AG, Foundational Technologies
Linux Expert Center