[PATCH] linux-custom: generate secrets package for out-of-tree module signing
8 views
Skip to first unread message
Badrikesh Prusty
Jan 19, 2026, 1:07:08 AMJan 19
to isar-...@googlegroups.com, cedric.h...@siemens.com, Badrikesh Prusty
Add a new package, linux-image-<kernel>-secrets, to ship the kernel
module signing keys required for signing out-of-tree kernel modules.
The package is built only when the pkg.<BPN>.secrets build profile is
enabled and installs the signing_key artifacts generated during the
kernel build into /usr/share/linux-secrets.
This allows out-of-tree modules to be signed with the same key used for
in-tree modules.
Usage:
In the out-of-tree module recipe:
SIGNATURE_KEYFILE = "/usr/share/linux-secrets/signing_key.pem"
SIGNATURE_CERTFILE = "/usr/share/linux-secrets/signing_key.x509"
DEBIAN_BUILD_DEPENDS:append = ", linux-secrets"
In the kernel recipe, enable the secrets build profile:
BUILD_PROFILES:append = " pkg.${BPN}.secrets"
NOTE: The linux-image-<kernel>-secrets package contains the private
module signing key. Care must be taken NOT to distribute this package
in package feeds or images, as this would allow anyone to sign kernel
modules that the kernel would trust.
Signed-off-by: Badrikesh Prusty <badrikes...@siemens.com>
---
RECIPE-API-CHANGELOG.md | 24 +++++++++++++++++++
.../linux/files/debian/control.tmpl | 7 ++++++
.../linux/files/debian/isar/common.tmpl | 1 +
.../linux/files/debian/isar/install.tmpl | 19 +++++++++++++++
4 files changed, 51 insertions(+)
diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md
index 0bad8a44..1a33d6ae 100644
--- a/RECIPE-API-CHANGELOG.md
+++ b/RECIPE-API-CHANGELOG.md
@@ -962,3 +962,27 @@ INSTALLER_UNATTENDED_ABORT_ENABLE = "1"
# Optional: set countdown timeout in seconds (default 5)
INSTALLER_UNATTENDED_ABORT_TIMEOUT = "5"
```
+
+### Add linux-image-<kernel>-secrets package for out-of-tree module signing
+
+linux-image-<kernel>-secrets ships kernel module signing keys required for
+signing out-of-tree kernel modules.
+
+The package is built only when the `pkg.<BPN>.secrets` build profile is
+enabled and installs the signing_key artifacts generated during the kernel
+build into `/usr/share/linux-secrets`.
+
+Usage:
+```
+# In the out-of-tree module recipe:
+SIGNATURE_KEYFILE = "/usr/share/linux-secrets/signing_key.pem"
+SIGNATURE_CERTFILE = "/usr/share/linux-secrets/signing_key.x509"
+DEBIAN_BUILD_DEPENDS:append = ", linux-secrets"
+
+# In the kernel recipe, enable the secrets build profile:
+BUILD_PROFILES:append = " pkg.${BPN}.secrets"
+```
+
+SECURITY NOTE: This package contains the private module signing key. Do not
+distribute it in package feeds or images, as this would allow anyone to sign
+kernel modules that the kernel would trust.
diff --git a/meta/recipes-kernel/linux/files/debian/control.tmpl b/meta/recipes-kernel/linux/files/debian/control.tmpl
index ee87cf92..969f6b0c 100644
--- a/meta/recipes-kernel/linux/files/debian/control.tmpl
+++ b/meta/recipes-kernel/linux/files/debian/control.tmpl
@@ -69,3 +69,10 @@ Conflicts: linux-kbuild-${KERNEL_NAME_PROVIDED}
Description: ${KERNEL_NAME_PROVIDED} Linux kbuild scripts and tools for @KR@
This package provides kernel kbuild scripts and tools for @KR@
This is useful for people who need to build external modules
+
+Package: linux-image-${KERNEL_NAME_PROVIDED}-secrets
+Build-Profiles: <pkg.${BPN}.secrets>
+Section: devel
+Provides: linux-secrets
+Architecture: all
+Description: Linux kernel module signing secrets
diff --git a/meta/recipes-kernel/linux/files/debian/isar/common.tmpl b/meta/recipes-kernel/linux/files/debian/isar/common.tmpl
index f9cc2f02..6554cdb0 100644
--- a/meta/recipes-kernel/linux/files/debian/isar/common.tmpl
+++ b/meta/recipes-kernel/linux/files/debian/isar/common.tmpl
@@ -38,6 +38,7 @@ deb_libc_hdr_dir=${deb_top_dir}/${KERNEL_PKG_LIBC_HEADERS}
deb_libc_hdr_cross_dir=${deb_top_dir}/${KERNEL_PKG_LIBC_HEADERS_CROSS}
deb_kern_kbuild_dir=${deb_top_dir}/${KERNEL_PKG_KERN_KBUILD}
deb_kern_kbuild_cross_dir=${deb_top_dir}/${KERNEL_PKG_KERN_KBUILD_CROSS}
+deb_kern_secrets=${deb_top_dir}/${KERNEL_PKG_IMAGE}-secrets
# Array of packages to be generated
declare -A kern_pkgs
diff --git a/meta/recipes-kernel/linux/files/debian/isar/install.tmpl b/meta/recipes-kernel/linux/files/debian/isar/install.tmpl
index 6fa94508..99d64ca5 100644
--- a/meta/recipes-kernel/linux/files/debian/isar/install.tmpl
+++ b/meta/recipes-kernel/linux/files/debian/isar/install.tmpl
@@ -70,6 +70,11 @@ do_install() {
install_headers
fi
+ if echo "${DEB_BUILD_PROFILES}" | grep -q "pkg.${BPN}.secrets"; then
+ kern_secrets_path="${deb_kern_secrets}/usr/share/linux-secrets"
+ install_module_signing_secrets "${kern_secrets_path}"
+ fi
+
# Stop tracing
set +x
}
@@ -271,4 +276,18 @@ install_kbuild() {
kernel_tools
}
+install_module_signing_secrets() {
+ local dest="${1}"
+ local keydir="${KERNEL_BUILD_DIR}/certs"
+ local priv="${keydir}/signing_key.pem"
+ local cert="${keydir}/signing_key.x509"
+ if [ ! -f "${priv}" ] || [ ! -f "${cert}" ]; then
+ echo "error: module signing keys not found but pkg.${BPN}.secrets is enabled" >&2
+ return 1
+ fi
+ install -d -m 0755 ${dest}
+ install -m 0400 ${KERNEL_BUILD_DIR}/certs/signing_key.pem ${dest}/
+ install -m 0444 ${KERNEL_BUILD_DIR}/certs/signing_key.x509 ${dest}/
+}
+
main install ${*}
--
2.39.5
module signing keys required for signing out-of-tree kernel modules.
The package is built only when the pkg.<BPN>.secrets build profile is
enabled and installs the signing_key artifacts generated during the
kernel build into /usr/share/linux-secrets.
This allows out-of-tree modules to be signed with the same key used for
in-tree modules.
Usage:
In the out-of-tree module recipe:
SIGNATURE_KEYFILE = "/usr/share/linux-secrets/signing_key.pem"
SIGNATURE_CERTFILE = "/usr/share/linux-secrets/signing_key.x509"
DEBIAN_BUILD_DEPENDS:append = ", linux-secrets"
In the kernel recipe, enable the secrets build profile:
BUILD_PROFILES:append = " pkg.${BPN}.secrets"
NOTE: The linux-image-<kernel>-secrets package contains the private
module signing key. Care must be taken NOT to distribute this package
in package feeds or images, as this would allow anyone to sign kernel
modules that the kernel would trust.
Signed-off-by: Badrikesh Prusty <badrikes...@siemens.com>
---
RECIPE-API-CHANGELOG.md | 24 +++++++++++++++++++
.../linux/files/debian/control.tmpl | 7 ++++++
.../linux/files/debian/isar/common.tmpl | 1 +
.../linux/files/debian/isar/install.tmpl | 19 +++++++++++++++
4 files changed, 51 insertions(+)
diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md
index 0bad8a44..1a33d6ae 100644
--- a/RECIPE-API-CHANGELOG.md
+++ b/RECIPE-API-CHANGELOG.md
@@ -962,3 +962,27 @@ INSTALLER_UNATTENDED_ABORT_ENABLE = "1"
# Optional: set countdown timeout in seconds (default 5)
INSTALLER_UNATTENDED_ABORT_TIMEOUT = "5"
```
+
+### Add linux-image-<kernel>-secrets package for out-of-tree module signing
+
+linux-image-<kernel>-secrets ships kernel module signing keys required for
+signing out-of-tree kernel modules.
+
+The package is built only when the `pkg.<BPN>.secrets` build profile is
+enabled and installs the signing_key artifacts generated during the kernel
+build into `/usr/share/linux-secrets`.
+
+Usage:
+```
+# In the out-of-tree module recipe:
+SIGNATURE_KEYFILE = "/usr/share/linux-secrets/signing_key.pem"
+SIGNATURE_CERTFILE = "/usr/share/linux-secrets/signing_key.x509"
+DEBIAN_BUILD_DEPENDS:append = ", linux-secrets"
+
+# In the kernel recipe, enable the secrets build profile:
+BUILD_PROFILES:append = " pkg.${BPN}.secrets"
+```
+
+SECURITY NOTE: This package contains the private module signing key. Do not
+distribute it in package feeds or images, as this would allow anyone to sign
+kernel modules that the kernel would trust.
diff --git a/meta/recipes-kernel/linux/files/debian/control.tmpl b/meta/recipes-kernel/linux/files/debian/control.tmpl
index ee87cf92..969f6b0c 100644
--- a/meta/recipes-kernel/linux/files/debian/control.tmpl
+++ b/meta/recipes-kernel/linux/files/debian/control.tmpl
@@ -69,3 +69,10 @@ Conflicts: linux-kbuild-${KERNEL_NAME_PROVIDED}
Description: ${KERNEL_NAME_PROVIDED} Linux kbuild scripts and tools for @KR@
This package provides kernel kbuild scripts and tools for @KR@
This is useful for people who need to build external modules
+
+Package: linux-image-${KERNEL_NAME_PROVIDED}-secrets
+Build-Profiles: <pkg.${BPN}.secrets>
+Section: devel
+Provides: linux-secrets
+Architecture: all
+Description: Linux kernel module signing secrets
diff --git a/meta/recipes-kernel/linux/files/debian/isar/common.tmpl b/meta/recipes-kernel/linux/files/debian/isar/common.tmpl
index f9cc2f02..6554cdb0 100644
--- a/meta/recipes-kernel/linux/files/debian/isar/common.tmpl
+++ b/meta/recipes-kernel/linux/files/debian/isar/common.tmpl
@@ -38,6 +38,7 @@ deb_libc_hdr_dir=${deb_top_dir}/${KERNEL_PKG_LIBC_HEADERS}
deb_libc_hdr_cross_dir=${deb_top_dir}/${KERNEL_PKG_LIBC_HEADERS_CROSS}
deb_kern_kbuild_dir=${deb_top_dir}/${KERNEL_PKG_KERN_KBUILD}
deb_kern_kbuild_cross_dir=${deb_top_dir}/${KERNEL_PKG_KERN_KBUILD_CROSS}
+deb_kern_secrets=${deb_top_dir}/${KERNEL_PKG_IMAGE}-secrets
# Array of packages to be generated
declare -A kern_pkgs
diff --git a/meta/recipes-kernel/linux/files/debian/isar/install.tmpl b/meta/recipes-kernel/linux/files/debian/isar/install.tmpl
index 6fa94508..99d64ca5 100644
--- a/meta/recipes-kernel/linux/files/debian/isar/install.tmpl
+++ b/meta/recipes-kernel/linux/files/debian/isar/install.tmpl
@@ -70,6 +70,11 @@ do_install() {
install_headers
fi
+ if echo "${DEB_BUILD_PROFILES}" | grep -q "pkg.${BPN}.secrets"; then
+ kern_secrets_path="${deb_kern_secrets}/usr/share/linux-secrets"
+ install_module_signing_secrets "${kern_secrets_path}"
+ fi
+
# Stop tracing
set +x
}
@@ -271,4 +276,18 @@ install_kbuild() {
kernel_tools
}
+install_module_signing_secrets() {
+ local dest="${1}"
+ local keydir="${KERNEL_BUILD_DIR}/certs"
+ local priv="${keydir}/signing_key.pem"
+ local cert="${keydir}/signing_key.x509"
+ if [ ! -f "${priv}" ] || [ ! -f "${cert}" ]; then
+ echo "error: module signing keys not found but pkg.${BPN}.secrets is enabled" >&2
+ return 1
+ fi
+ install -d -m 0755 ${dest}
+ install -m 0400 ${KERNEL_BUILD_DIR}/certs/signing_key.pem ${dest}/
+ install -m 0444 ${KERNEL_BUILD_DIR}/certs/signing_key.x509 ${dest}/
+}
+
main install ${*}
--
2.39.5
Jan Kiszka
Jan 19, 2026, 1:13:40 AMJan 19
to Badrikesh Prusty, isar-...@googlegroups.com, cedric.h...@siemens.com
of [1], I think we should rather enable consistent module signing with
existing, managed key providers.
Jan
[1] https://gitlab.com/cip-project/cip-core/isar-cip-core/-/issues/144
--
Siemens AG, Foundational Technologies
Linux Expert Center
Reply all
Reply to author
Forward
0 new messages