[PATCH 0/3] Allow use of external scripts to sign modules


Gokhan Cetin

Jan 23, 2025, 9:51:53 AM
to isar-...@googlegroups.com, gokhan...@siemens.com, felix.mo...@siemens.com
Considering the comments from https://groups.google.com/g/isar-users/c/qmVCSWlpTeU

Gokhan Cetin (3):
meta/recipes-kernel/linux-module: Allow use of external scripts to
sign modules
module-signer-example: add example signer hook and signed variant for
example-module
doc/user_manual: describe module signing and custom signer hooks

doc/user_manual.md | 24 +++++++++++
.../files/sign-module.sh | 40 +++++++++++++++++++
.../module-signer-example.bb | 20 ++++++++++
.../example-module-signedwith.bb | 15 +++++++
.../linux-module/files/debian/rules.tmpl | 4 ++
meta/recipes-kernel/linux-module/module.inc | 2 +
6 files changed, 105 insertions(+)
create mode 100644 meta-isar/recipes-devtools/module-signer-example/files/sign-module.sh
create mode 100644 meta-isar/recipes-devtools/module-signer-example/module-signer-example.bb
create mode 100644 meta-isar/recipes-kernel/example-module/example-module-signedwith.bb

--
2.39.2

Gokhan Cetin

Jan 23, 2025, 9:51:56 AM
to isar-...@googlegroups.com, gokhan...@siemens.com, felix.mo...@siemens.com
This facilitates the integration of scripts developed for signing solutions like HSM
where private keys are not accessible and allows the use of detached signatures
produced by such solutions.

Signed-off-by: Gokhan Cetin <gokhan...@siemens.com>
---
meta/recipes-kernel/linux-module/files/debian/rules.tmpl | 4 ++++
meta/recipes-kernel/linux-module/module.inc | 2 ++
2 files changed, 6 insertions(+)

diff --git a/meta/recipes-kernel/linux-module/files/debian/rules.tmpl b/meta/recipes-kernel/linux-module/files/debian/rules.tmpl
index ad743437..30d7ce0f 100755
--- a/meta/recipes-kernel/linux-module/files/debian/rules.tmpl
+++ b/meta/recipes-kernel/linux-module/files/debian/rules.tmpl
@@ -56,6 +56,10 @@ endif
ifneq ($(filter pkg.sign,$(DEB_BUILD_PROFILES)),)
find . -name "*.ko" -print -exec $(KDIR)/scripts/sign-file ${SIGNATURE_HASHFN} ${SIGNATURE_KEYFILE} ${SIGNATURE_CERTFILE} {} \;
endif
+ifneq ($(filter pkg.signwith,$(DEB_BUILD_PROFILES)),)
+ find . -name "*.ko" | xargs -i ${SIGNATURE_SIGNWITH} {} {}.signature ${SIGNATURE_HASHFN} ${SIGNATURE_CERTFILE}
+ find . -name "*.ko" | xargs -i $(KDIR)/scripts/sign-file -s {}.signature ${SIGNATURE_HASHFN} ${SIGNATURE_CERTFILE} {}
+endif

override_dh_auto_install:
$(MAKE) -C $(KDIR) M=${MODULE_DIR} INSTALL_MOD_PATH=$(PWD)/debian/${PN} modules_install
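Review bot: the `pkg.signwith` branch diverges from the `pkg.sign` branch directly above it in three ways worth aligning. It uses `xargs -i`, which GNU xargs documents as deprecated in favour of `-I {}`; it pipes unquoted `find` output, so a module path containing whitespace would be split (the `pkg.sign` line avoids this with `-exec ... {} \;`; `find -print0 | xargs -0` is the other option); and it drops `-print`, so the build log no longer shows which modules were signed. Something like `find . -name "*.ko" -print -exec ${SIGNATURE_SIGNWITH} {} {}.signature ${SIGNATURE_HASHFN} ${SIGNATURE_CERTFILE} \;` for both lines would keep the two branches consistent. This hunk is also the only place the hook's calling convention (module, signature output path, hash function, certificate) is defined, so a short comment above it would help authors of real signer scripts.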
diff --git a/meta/recipes-kernel/linux-module/module.inc b/meta/recipes-kernel/linux-module/module.inc
index 3e8e5e7a..d7432bf7 100644
--- a/meta/recipes-kernel/linux-module/module.inc
+++ b/meta/recipes-kernel/linux-module/module.inc
@@ -25,6 +25,7 @@ DEB_BUILD_OPTIONS += "noautodbgsym"
SIGNATURE_KEYFILE ??= ""
SIGNATURE_CERTFILE ??= ""
SIGNATURE_HASHFN ??= "sha256"
+SIGNATURE_SIGNWITH ??= ""

SRC_URI += "file://debian/"

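Review bot: `SIGNATURE_SIGNWITH ??= ""` is added without a comment describing the contract of the script it names. rules.tmpl invokes it as `<script> <module.ko> <module.ko>.signature <hashfn> <certfile>` and then feeds the result to `scripts/sign-file -s`, so a one-line comment next to the default stating those arguments and that the output must be a detached signature acceptable to `sign-file -s` would save readers a trip to rules.tmpl. It is also worth noting there that `SIGNATURE_KEYFILE` is not used on the `pkg.signwith` path.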
@@ -57,6 +58,7 @@ TEMPLATE_VARS += " \
SIGNATURE_KEYFILE \
SIGNATURE_CERTFILE \
SIGNATURE_HASHFN \
+ SIGNATURE_SIGNWITH \
PN \
DEBIAN_COMPAT"

--
2.39.2

Gokhan Cetin

Jan 23, 2025, 9:51:57 AM
to isar-...@googlegroups.com, gokhan...@siemens.com, felix.mo...@siemens.com
This patch introduces an example signer hook that generates raw detached signatures
for out-of-tree kernel modules.

Signed-off-by: Gokhan Cetin <gokhan...@siemens.com>
---
.../files/sign-module.sh | 40 +++++++++++++++++++
.../module-signer-example.bb | 20 ++++++++++
.../example-module-signedwith.bb | 15 +++++++
3 files changed, 75 insertions(+)
create mode 100644 meta-isar/recipes-devtools/module-signer-example/files/sign-module.sh
create mode 100644 meta-isar/recipes-devtools/module-signer-example/module-signer-example.bb
create mode 100644 meta-isar/recipes-kernel/example-module/example-module-signedwith.bb

diff --git a/meta-isar/recipes-devtools/module-signer-example/files/sign-module.sh b/meta-isar/recipes-devtools/module-signer-example/files/sign-module.sh
new file mode 100644
index 00000000..4d22532b
--- /dev/null
+++ b/meta-isar/recipes-devtools/module-signer-example/files/sign-module.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+#
+# Example signer script that generates detached signatures for modules
+#
+# This software is a part of ISAR.
+# Copyright (c) Siemens AG, 2025
+#
+# SPDX-License-Identifier: MIT
+
+set -e
+
+module=$1
+signature=$2
+hashfn=$3
+certfile=$4
+
+if [ -z "$module" ] || [ -z "$signature" ] || [ -z "$hashfn" ] || [ -z "$certfile" ] ; then
+ exit 1
+fi
+
+echo "Signing module $module with hash function $hashfn and certificate $certfile"
+
+openssl smime -sign -nocerts -noattr -binary \
+ -in "$module" \
+ -md "$hashfn" \
+ -inkey /etc/sb-mok-keys/MOK/MOK.priv \
+ -signer /etc/sb-mok-keys/MOK/MOK.der \
+ -outform DER \
+ -out "$signature"
+
+echo "Verifying signature of module $module with hash function $hashfn and certificate $certfile"
+
+openssl smime -verify \
+ -in "$signature" \
+ -md "$hashfn" \
+ -content "$module" \
+ -certfile /etc/sb-mok-keys/MOK/MOK.der \
+ -noverify \
+ -inform DER \
+ -out /dev/null
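Review bot: the script receives `$certfile` as its fourth argument but never uses it, hard-coding `/etc/sb-mok-keys/MOK/MOK.der` for both `-signer` and `-certfile`. Passing `"$certfile"` instead keeps the signing certificate identical to the `SIGNATURE_CERTFILE` that rules.tmpl later hands to `sign-file`; as written, the two can silently diverge and the module would carry a signature the configured certificate cannot verify. The private-key path is likewise hard-coded, which is acceptable for an example but deserves a header comment marking it as the spot a real HSM or server-side hook replaces. Minor: the argument check exits 1 without output; a usage line on stderr helps when the Makefile invocation is wrong. The `-noverify` in the check step skips certificate-chain validation, so that step only confirms the detached signature matches the module contents, which is the right scope for a self-check here.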
diff --git a/meta-isar/recipes-devtools/module-signer-example/module-signer-example.bb b/meta-isar/recipes-devtools/module-signer-example/module-signer-example.bb
new file mode 100644
index 00000000..001e8cc8
--- /dev/null
+++ b/meta-isar/recipes-devtools/module-signer-example/module-signer-example.bb
@@ -0,0 +1,20 @@
+# Example recipe for signing a kernel module with custom signer script
+#
+# This software is a part of ISAR.
+# Copyright (c) Siemens AG, 2025
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg-raw
+
+DPKG_ARCH = "all"
+
+DEPENDS = "sb-mok-keys"
+DEBIAN_DEPENDS += "openssl, sb-mok-keys"
+
+SRC_URI = "file://sign-module.sh"
+
+do_install[cleandirs] = "${D}/usr/bin/"
+do_install() {
+ install -m 0755 ${WORKDIR}/sign-module.sh ${D}/usr/bin/sign-module.sh
+}
diff --git a/meta-isar/recipes-kernel/example-module/example-module-signedwith.bb b/meta-isar/recipes-kernel/example-module/example-module-signedwith.bb
new file mode 100644
index 00000000..f611169c
--- /dev/null
+++ b/meta-isar/recipes-kernel/example-module/example-module-signedwith.bb
@@ -0,0 +1,15 @@
+# Example recipe for building a custom module
+#
+# This software is a part of ISAR.
+# Copyright (c) Siemens AG, 2025
+#
+# SPDX-License-Identifier: MIT
+
+require example-module.bb
+
+DEPENDS += "module-signer-example"
+DEBIAN_BUILD_DEPENDS .= ', module-signer-example'
+
+DEB_BUILD_PROFILES += 'pkg.signwith'
+SIGNATURE_CERTFILE = '/etc/sb-mok-keys/MOK/MOK.der'
+SIGNATURE_SIGNWITH = '/usr/bin/sign-module.sh'
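Review bot: the header comment "Example recipe for building a custom module" is copied from example-module.bb and does not say what this variant demonstrates; "Example recipe for building a custom module signed via an external signer hook (pkg.signwith)" would make the purpose clear. Also, `SIGNATURE_CERTFILE` here duplicates the certificate path hard-coded in sign-module.sh; if the script honoured its `$certfile` argument, this recipe would be the single place the certificate is chosen.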
--
2.39.2

Gokhan Cetin

Jan 23, 2025, 9:51:59 AM
to isar-...@googlegroups.com, gokhan...@siemens.com, felix.mo...@siemens.com
Mentions why kernel module signing is needed and how to implement.

Signed-off-by: Gokhan Cetin <gokhan...@siemens.com>
---
doc/user_manual.md | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)

diff --git a/doc/user_manual.md b/doc/user_manual.md
index 62d16c8c..477070d1 100644
--- a/doc/user_manual.md
+++ b/doc/user_manual.md
@@ -1133,6 +1133,30 @@ Use the previously definded password to enroll the key, then reboot.

Now the image should be up again and `modprobe example-module` should work.

+**Sign kernel modules with custom signer hooks**
+
+The kernel module signing process establishes a chain of trust from the kernel to the modules, ensuring that
+all components of the system are from trusted sources. If Secure Boot is enabled or the module signing
+facility is enabled by kernel configuration or via `module.sig_enforce` kernel parameter, the kernel checks
+the signature of the modules against the public keys from kernel system keyring and kernel platform keyring.
+
+Please note that if the certificates you use to sign modules are not included in one of these keyrings or are
+blacklisted, the signature will be rejected and the module will not be loaded by the kernel.
+
+Many regulatory standards and compliance frameworks require the use of signing methods that are
+designed to protect cryptographic keys and signing operations to ensure a high level of security.
+
+In order to use solutions like Hardware Security Module (HSM) or server-side signing, which
+are usually made available via a client, an API endpoint or a plug-in, for signing kernel modules,
+Isar provides a build profile called `pkg.signwith` for kernel module recipes.
+
+To provide a signer script that implements your custom signing solution, `SIGNATURE_SIGNWITH` variable
+can be set for the script path within the module recipe together with `SIGNATURE_CERTFILE` to define the public
+certificate path of the signer.
+
+Please see how `module-signer-example` hook generates a detached signature for the kernel module implemented in
+`example-module-signedwith` recipe.
+
### Cross Support for Imagers

If `ISAR_CROSS_COMPILE = "1"`, the imager and optional compression tasks
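Review bot: the new section explains when `pkg.signwith` applies but not the interface a signer hook must implement, which readers can currently only recover from rules.tmpl. Add the calling convention (`<script> <module.ko> <output signature path> <hash function> <certificate file>`), the expected output (a detached signature that `scripts/sign-file -s` appends to the module), and a note that `SIGNATURE_KEYFILE` is not used on this path. Minor wording: "via `module.sig_enforce` kernel parameter" reads better as "via the `module.sig_enforce` kernel parameter", and "Please see how `module-signer-example` hook generates" as "See how the `module-signer-example` hook generates". The surrounding context line still carries the pre-existing typo "definded" (should be "defined"), which could be fixed in the same file while you are there.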
--
2.39.2

MOESSBAUER, Felix

Jan 31, 2025, 6:38:53 AM
to isar-...@googlegroups.com, Cetin, Gokhan, Kiszka, Jan
On Thu, 2025-01-23 at 15:51 +0100, Gokhan Cetin wrote:
> Considering the comments from
> https://groups.google.com/g/isar-users/c/qmVCSWlpTeU

Hi,

this is actually the v2 of the "Allow use of external scripts to sign
modules" series. Code-wise it looks fine. In case a v3 should be
required, please generate the patches with
"git format-patch --subject-prefix='PATCH v3' ...".

Acked-by: Felix Moessbauer <felix.mo...@siemens.com>

Felix
Siemens AG
Linux Expert Center
Friedrich-Ludwig-Bauer-Str. 3
85748 Garching, Germany


Uladzimir Bely

Feb 7, 2025, 2:59:10 AM
to Gokhan Cetin, isar-...@googlegroups.com
On Thu, 2025-01-23 at 15:51 +0100, 'Gokhan Cetin' via isar-users wrote:
> Considering the comments from
> https://groups.google.com/g/isar-users/c/qmVCSWlpTeU
>
> Gokhan Cetin (3):
>   meta/recipes-kernel/linux-module: Allow use of external scripts to
>     sign modules
>   module-signer-example: add example signer hook and signed variant
> for
>     example-module
>   doc/user_manual: describe module signing and custom signer hooks
>
>  doc/user_manual.md                            | 24 +++++++++++
>  .../files/sign-module.sh                      | 40
> +++++++++++++++++++
>  .../module-signer-example.bb                  | 20 ++++++++++
>  .../example-module-signedwith.bb              | 15 +++++++
>  .../linux-module/files/debian/rules.tmpl      |  4 ++
>  meta/recipes-kernel/linux-module/module.inc   |  2 +
>  6 files changed, 105 insertions(+)
>  create mode 100644 meta-isar/recipes-devtools/module-signer-
> example/files/sign-module.sh
>  create mode 100644 meta-isar/recipes-devtools/module-signer-
> example/module-signer-example.bb
>  create mode 100644 meta-isar/recipes-kernel/example-module/example-
> module-signedwith.bb
>
> --
> 2.39.2
>

Applied to next, thanks.

--
Best regards,
Uladzimir.
