[PATCH 0/5] Structure module signing dependencies and providers


Gokhan Cetin

Apr 15, 2025, 8:23:12 AM
to isar-...@googlegroups.com, gokhan...@siemens.com
As of now, in each kernel module, the same configuration block
has to be specified repeatedly for each module in module recipes
to specify build-time dependencies on recipes that provide the
required build profile and the scripts and certificates used in
kernel module signing.

With these changes, it is possible to enable a recommended signature
configuration for all module recipes without touching the modules,
while it is still possible to customize the configuration when necessary.

Gokhan Cetin (5):
module-signer-example: define virtual package name as module-signer
meta/recipes-kernel/linux-module: Define default paths for signing
related variables
meta-isar/recipes-secureboot/sb-mok-keys: define virtual package name
meta/recipes-kernel/linux-module: add option to set default signing
profile and dependencies
doc/user_manual: describe module signer and certificate provider
configuration

doc/user_manual.md | 8 ++++++++
.../module-signer-example/module-signer-example.bb | 3 +++
.../recipes-secureboot/sb-mok-keys/sb-mok-keys.bb | 2 ++
meta/recipes-kernel/linux-module/module.inc | 12 +++++++++---
4 files changed, 22 insertions(+), 3 deletions(-)

--
2.39.2

Gokhan Cetin

Apr 15, 2025, 8:23:16 AM
to isar-...@googlegroups.com, gokhan...@siemens.com
This will help to easily manage dependencies on providers implemented in downstreams.

Signed-off-by: Gokhan Cetin <gokhan...@siemens.com>
---
.../module-signer-example/module-signer-example.bb | 3 +++
1 file changed, 3 insertions(+)

diff --git a/meta-isar/recipes-devtools/module-signer-example/module-signer-example.bb b/meta-isar/recipes-devtools/module-signer-example/module-signer-example.bb
index 001e8cc8..58a84d01 100644
--- a/meta-isar/recipes-devtools/module-signer-example/module-signer-example.bb
+++ b/meta-isar/recipes-devtools/module-signer-example/module-signer-example.bb
@@ -9,6 +9,9 @@ inherit dpkg-raw

DPKG_ARCH = "all"

+PROVIDES = "module-signer"
+DEBIAN_PROVIDES = "module-signer"
+
DEPENDS = "sb-mok-keys"
DEBIAN_DEPENDS += "openssl, sb-mok-keys"

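Review bot: `PROVIDES = "module-signer"` is a plain assignment, so it replaces any PROVIDES value a class or an earlier line may already have set for this recipe; `PROVIDES += "module-signer"` keeps the recipe's own name as a provider alongside the virtual one. It is also worth a comment next to these two lines that once a second recipe declares the same virtual name, builds must set `PREFERRED_PROVIDER_module-signer`, otherwise bitbake picks one of the candidates and only warns about multiple providers.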
--
2.39.2

Gokhan Cetin

Apr 15, 2025, 8:23:18 AM
to isar-...@googlegroups.com, gokhan...@siemens.com
They are initialized with almost standardized paths in isar-cip-core and many other layers.
In this way, it is possible to get rid of dozens of repeating lines in module recipes.

Signed-off-by: Gokhan Cetin <gokhan...@siemens.com>
---
meta/recipes-kernel/linux-module/module.inc | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-kernel/linux-module/module.inc b/meta/recipes-kernel/linux-module/module.inc
index 3b0ceae7..45d88d48 100644
--- a/meta/recipes-kernel/linux-module/module.inc
+++ b/meta/recipes-kernel/linux-module/module.inc
@@ -23,10 +23,10 @@ DEBIAN_BUILD_DEPENDS = "${KERNEL_HEADERS_PKG}"
# Do not generate debug symbols packages, as not supported for modules
DEB_BUILD_OPTIONS += "noautodbgsym"

-SIGNATURE_KEYFILE ??= ""
-SIGNATURE_CERTFILE ??= ""
+SIGNATURE_KEYFILE ??= "/usr/share/secure-boot-secrets/secure-boot.key"
+SIGNATURE_CERTFILE ??= "/usr/share/secure-boot-secrets/secure-boot.pem"
SIGNATURE_HASHFN ??= "sha256"
-SIGNATURE_SIGNWITH ??= ""
+SIGNATURE_SIGNWITH ??= "/usr/bin/sign-module.sh"

SRC_URI += "file://debian/"

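Review bot: changing `SIGNATURE_KEYFILE`, `SIGNATURE_CERTFILE` and `SIGNATURE_SIGNWITH` from empty strings to concrete paths changes what an unconfigured module recipe sees: an empty `SIGNATURE_SIGNWITH` could previously serve as the "no signer configured" marker, whereas now every recipe carries `/usr/bin/sign-module.sh` whether or not a provider of that script is in its DEPENDS. The hunk does not show how these values are consumed, so please confirm that the `pkg.signwith` build profile remains the only gate for signing and that no rule keys on the old empty defaults.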
--
2.39.2

Gokhan Cetin

Apr 15, 2025, 8:23:20 AM
to isar-...@googlegroups.com, gokhan...@siemens.com
As done by 946b908b, this will allow more key providers to meet further
common dependencies.

Signed-off-by: Gokhan Cetin <gokhan...@siemens.com>
---
meta-isar/recipes-secureboot/sb-mok-keys/sb-mok-keys.bb | 2 ++
1 file changed, 2 insertions(+)

diff --git a/meta-isar/recipes-secureboot/sb-mok-keys/sb-mok-keys.bb b/meta-isar/recipes-secureboot/sb-mok-keys/sb-mok-keys.bb
index 61378347..2a8b66d4 100644
--- a/meta-isar/recipes-secureboot/sb-mok-keys/sb-mok-keys.bb
+++ b/meta-isar/recipes-secureboot/sb-mok-keys/sb-mok-keys.bb
@@ -5,6 +5,8 @@

inherit dpkg

+PROVIDES = "secure-boot-secrets"
+DEBIAN_PROVIDES = "secure-boot-secrets"

SRC_URI = "file://Makefile.tmpl"
S = "${WORKDIR}/src"
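Review bot: the virtual name `secure-boot-secrets` is declared here, but nothing in the recipe ties it to the file layout the consumers expect; `module.inc` in this series defaults `SIGNATURE_KEYFILE` to `/usr/share/secure-boot-secrets/secure-boot.key` and `SIGNATURE_CERTFILE` to `/usr/share/secure-boot-secrets/secure-boot.pem`. A comment beside `PROVIDES` stating that any provider of `secure-boot-secrets` must install the key and certificate under those paths would document the contract alternative providers have to meet. As in patch 1, `PROVIDES =` overwrites rather than appends; `+=` is the safer form.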
--
2.39.2

Gokhan Cetin

Apr 15, 2025, 8:23:20 AM
to isar-...@googlegroups.com, gokhan...@siemens.com
Introduces a single configuration variable (`SIGNATURE_ENABLED`) to
set all predefined profiles and dependencies that need to be provided.

By using this option, downstreams will be able to sign all
kernel modules without appending any additional configuration
into their module recipes.

Signed-off-by: Gokhan Cetin <gokhan...@siemens.com>
---
meta/recipes-kernel/linux-module/module.inc | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/meta/recipes-kernel/linux-module/module.inc b/meta/recipes-kernel/linux-module/module.inc
index 45d88d48..576a2cad 100644
--- a/meta/recipes-kernel/linux-module/module.inc
+++ b/meta/recipes-kernel/linux-module/module.inc
@@ -27,6 +27,12 @@ SIGNATURE_KEYFILE ??= "/usr/share/secure-boot-secrets/secure-boot.key"
SIGNATURE_CERTFILE ??= "/usr/share/secure-boot-secrets/secure-boot.pem"
SIGNATURE_HASHFN ??= "sha256"
SIGNATURE_SIGNWITH ??= "/usr/bin/sign-module.sh"
+SIGNATURE_ENABLED ??= ""
+
+# Define signing profile and dependencies if SIGNATURE_ENABLED is set to "1"
+DEB_BUILD_PROFILES += "${@'pkg.signwith' if bb.utils.to_boolean(d.getVar('SIGNATURE_ENABLED')) else ''}"
+DEPENDS += "${@'module-signer secure-boot-secrets' if bb.utils.to_boolean(d.getVar('SIGNATURE_ENABLED')) else ''}"
+DEBIAN_BUILD_DEPENDS .= "${@', module-signer, secure-boot-secrets' if bb.utils.to_boolean(d.getVar('SIGNATURE_ENABLED')) else ''}"

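Review bot: `DEBIAN_BUILD_DEPENDS .= ", module-signer, secure-boot-secrets"` hard-codes a leading comma, which is only valid while `DEBIAN_BUILD_DEPENDS` is non-empty (it is `${KERNEL_HEADERS_PKG}` in this file, see the context line of patch 2); a recipe that clears the variable would end up with a Build-Depends field starting with `, `. Collecting the extra dependencies in one variable and joining the pieces inside the `${@...}` expression avoids that. The same `bb.utils.to_boolean(d.getVar('SIGNATURE_ENABLED'))` condition is repeated in three lines; evaluating it once into a helper variable keeps them in sync. Since `SIGNATURE_ENABLED ??= ""` lives in module.inc, which each module recipe includes, the comment should also state whether the intended use is per recipe or build-wide via local.conf.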
Gokhan Cetin

Apr 15, 2025, 8:23:22 AM
to isar-...@googlegroups.com, gokhan...@siemens.com
Mentions how `SIGNATURE_ENABLED` can be used and how to manage the dependencies.

Signed-off-by: Gokhan Cetin <gokhan...@siemens.com>
---
doc/user_manual.md | 8 ++++++++
1 file changed, 8 insertions(+)

diff --git a/doc/user_manual.md b/doc/user_manual.md
index d8e5c33e..50d98f85 100644
--- a/doc/user_manual.md
+++ b/doc/user_manual.md
@@ -1162,9 +1162,17 @@ To provide a signer script that implements your custom signing solution, `SIGNAT
can be set for the script path within the module recipe together with `SIGNATURE_CERTFILE` to define the public
certificate path of the signer.

+In order to easily choose between different signing solutions, signer recipes should provide the `module-signer`
+and certificate provider recipes should provide the `secure-boot-secrets` as virtual package to meet build dependencies.
+This way, desired signers and certificates can be configured using `PREFERRED_PROVIDER`.
+
Please see how `module-signer-example` hook generates a detached signature for the kernel module implemented in
`example-module-signedwith` recipe.

+In order not to cause repetitive changes in kernel module recipes,
+if `SIGNATURE_ENABLED = "1"`, `pkg.signwith` build profile is added by default in addition to
+`module-signer` and `secure-boot-secrets` package dependencies to the kernel module recipes.
+
### Cross Support for Imagers

If `ISAR_CROSS_COMPILE = "1"`, the imager and optional compression tasks
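Review bot: the first added paragraph says providers expose `module-signer` and `secure-boot-secrets` "as virtual package", but two mechanisms are involved: `PROVIDES` satisfies the bitbake `DEPENDS` target resolution, while `DEBIAN_PROVIDES` satisfies the Debian `Build-Depends` entry, and patches 1 and 3 set both. The text should name both, and give the selection variable in its concrete form, e.g. `PREFERRED_PROVIDER_module-signer = "module-signer-example"`, rather than the bare `PREFERRED_PROVIDER`. The second paragraph opens with the motivation ("In order not to cause repetitive changes") before the rule; a manual reads better when it leads with the rule (`SIGNATURE_ENABLED = "1"` adds the `pkg.signwith` profile and the two dependencies) and drops the motivation.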
--
2.39.2

Jan Kiszka

Apr 15, 2025, 11:25:42 AM
to Gokhan Cetin, isar-...@googlegroups.com
On 15.04.25 14:22, 'Gokhan Cetin' via isar-users wrote:
> Introduces single configuration variable (`SIGNATURE_ENABLED`) to
> set all predefined profile and dependencies need to be provided.
>
> By using this option, downstreams will be able to sign all
> kernel modules without appending any additional configuration
> into their module recipes.
>
> Signed-off-by: Gokhan Cetin <gokhan...@siemens.com>
> ---
> meta/recipes-kernel/linux-module/module.inc | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/meta/recipes-kernel/linux-module/module.inc b/meta/recipes-kernel/linux-module/module.inc
> index 45d88d48..576a2cad 100644
> --- a/meta/recipes-kernel/linux-module/module.inc
> +++ b/meta/recipes-kernel/linux-module/module.inc
> @@ -27,6 +27,12 @@ SIGNATURE_KEYFILE ??= "/usr/share/secure-boot-secrets/secure-boot.key"
> SIGNATURE_CERTFILE ??= "/usr/share/secure-boot-secrets/secure-boot.pem"
> SIGNATURE_HASHFN ??= "sha256"
> SIGNATURE_SIGNWITH ??= "/usr/bin/sign-module.sh"
> +SIGNATURE_ENABLED ??= ""

Should this last control actually be by module recipe (which includes
module.inc), or shouldn't we also support build-wide enabling via
local.conf etc.? In the latter case, isar should introduce a global
control variable, say KERNEL_MODULE_SIGNATURES, which controls that for
every module recipe.

Jan

> +
> +# Define signing profile and dependencies if SIGNATURE_ENABLED is set to "1"
> +DEB_BUILD_PROFILES += "${@'pkg.signwith' if bb.utils.to_boolean(d.getVar('SIGNATURE_ENABLED')) else ''}"
> +DEPENDS += "${@'module-signer secure-boot-secrets' if bb.utils.to_boolean(d.getVar('SIGNATURE_ENABLED')) else ''}"
> +DEBIAN_BUILD_DEPENDS .= "${@', module-signer, secure-boot-secrets' if bb.utils.to_boolean(d.getVar('SIGNATURE_ENABLED')) else ''}"
>
> SRC_URI += "file://debian/"
>


--
Siemens AG, Foundational Technologies
Linux Expert Center

Jan Kiszka

Apr 15, 2025, 11:26:38 AM
to Gokhan Cetin, isar-...@googlegroups.com
On 15.04.25 14:22, 'Gokhan Cetin' via isar-users wrote:
> Mentions how `SIGNATURE_ENABLED` can be used and how to manage the dependencies.
>
> Signed-off-by: Gokhan Cetin <gokhan...@siemens.com>
> ---
> doc/user_manual.md | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/doc/user_manual.md b/doc/user_manual.md
> index d8e5c33e..50d98f85 100644
> --- a/doc/user_manual.md
> +++ b/doc/user_manual.md
> @@ -1162,9 +1162,17 @@ To provide a signer script that implements your custom signing solution, `SIGNAT
> can be set for the script path within the module recipe together with `SIGNATURE_CERTFILE` to define the public
> certificate path of the signer.
>
> +In order to easily choose between different signing solutions, signer recipes should provide the `module-signer`

...target and package

> +and certificate provider recipes should provide the `secure-boot-secrets` as virtual package to meet build dependencies.
> +This way, desired signers and certificates can be configured using `PREFERRED_PROVIDER`.
> +
> Please see how `module-signer-example` hook generates a detached signature for the kernel module implemented in
> `example-module-signedwith` recipe.
>
> +In order not to cause repetitive changes in kernel module recipes,

I think this argument need not be in the user manual. It's enough to
state that there is variable to enable signing (per recipe or globally,
see patch 4).

> +if `SIGNATURE_ENABLED = "1"`, `pkg.signwith` build profile is added by default in addition to
> +`module-signer` and `secure-boot-secrets` package dependencies to the kernel module recipes.
> +
> ### Cross Support for Imagers
>
> If `ISAR_CROSS_COMPILE = "1"`, the imager and optional compression tasks

Jan

Gokhan Cetin

Apr 16, 2025, 1:18:10 PM
to isar-...@googlegroups.com, gokhan...@siemens.com, jan.k...@siemens.com
meta/recipes-kernel/linux-module/module.inc | 13 ++++++++++---
4 files changed, 23 insertions(+), 3 deletions(-)

--
2.39.2

Gokhan Cetin

Apr 16, 2025, 1:18:20 PM
to isar-...@googlegroups.com, gokhan...@siemens.com, jan.k...@siemens.com
This will help to easily manage dependencies on providers implemented in downstreams.

Signed-off-by: Gokhan Cetin <gokhan...@siemens.com>
---

Gokhan Cetin

Apr 16, 2025, 1:18:21 PM
to isar-...@googlegroups.com, gokhan...@siemens.com, jan.k...@siemens.com
As done by 946b908b, this will allow more key providers to meet further
common dependencies.

Signed-off-by: Gokhan Cetin <gokhan...@siemens.com>
---

Gokhan Cetin

Apr 16, 2025, 1:18:21 PM
to isar-...@googlegroups.com, gokhan...@siemens.com, jan.k...@siemens.com
They are initialized with almost standardized paths in isar-cip-core and many other layers.
In this way, it is possible to get rid of dozens of repeating lines in module recipes.

Signed-off-by: Gokhan Cetin <gokhan...@siemens.com>
---
meta/recipes-kernel/linux-module/module.inc | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-kernel/linux-module/module.inc b/meta/recipes-kernel/linux-module/module.inc
index 3b0ceae7..45d88d48 100644
--- a/meta/recipes-kernel/linux-module/module.inc
+++ b/meta/recipes-kernel/linux-module/module.inc
@@ -23,10 +23,10 @@ DEBIAN_BUILD_DEPENDS = "${KERNEL_HEADERS_PKG}"
# Do not generate debug symbols packages, as not supported for modules
DEB_BUILD_OPTIONS += "noautodbgsym"

-SIGNATURE_KEYFILE ??= ""
-SIGNATURE_CERTFILE ??= ""
+SIGNATURE_KEYFILE ??= "/usr/share/secure-boot-secrets/secure-boot.key"
+SIGNATURE_CERTFILE ??= "/usr/share/secure-boot-secrets/secure-boot.pem"
SIGNATURE_HASHFN ??= "sha256"
-SIGNATURE_SIGNWITH ??= ""
+SIGNATURE_SIGNWITH ??= "/usr/bin/sign-module.sh"

SRC_URI += "file://debian/"

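Review bot: the three new defaults are the implicit contract between module.inc and whatever recipes provide `secure-boot-secrets` and `module-signer` (key and certificate under `/usr/share/secure-boot-secrets/`, signer script at `/usr/bin/sign-module.sh`), but the block carries no comment saying so. A line such as `# Defaults match the layout installed by the secure-boot-secrets and module-signer providers` above `SIGNATURE_KEYFILE` would tell downstream authors of alternative providers which paths they must install to, or which of these variables to override instead.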
--
2.39.2

Gokhan Cetin

Apr 16, 2025, 1:18:22 PM
to isar-...@googlegroups.com, gokhan...@siemens.com, jan.k...@siemens.com
Mentions how `KERNEL_MODULE_SIGNATURES` can be used and how to manage the dependencies.

Signed-off-by: Gokhan Cetin <gokhan...@siemens.com>
---
doc/user_manual.md | 8 ++++++++
1 file changed, 8 insertions(+)

diff --git a/doc/user_manual.md b/doc/user_manual.md
index d8e5c33e..627dacb7 100644
--- a/doc/user_manual.md
+++ b/doc/user_manual.md
@@ -1162,9 +1162,17 @@ To provide a signer script that implements your custom signing solution, `SIGNAT
can be set for the script path within the module recipe together with `SIGNATURE_CERTFILE` to define the public
certificate path of the signer.

+In order to choose between different signing solutions, signer recipes should provide the `module-signer`
+target and package while certificate provider recipes should provide the `secure-boot-secrets` as target and package
+to meet build dependencies. This way, desired signers and certificates can be configured using `PREFERRED_PROVIDER`.
+
Please see how `module-signer-example` hook generates a detached signature for the kernel module implemented in
`example-module-signedwith` recipe.

+You can enable build-wide kernel module signing by defining `KERNEL_MODULE_SIGNATURES = "1"` globally,
+in this case, `pkg.signwith` build profile is added by default in addition to
+`module-signer` and `secure-boot-secrets` target and package dependencies to the kernel module recipes.
+
### Cross Support for Imagers

If `ISAR_CROSS_COMPILE = "1"`, the imager and optional compression tasks
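Review bot: the sentence beginning "You can enable build-wide kernel module signing by defining `KERNEL_MODULE_SIGNATURES = "1"` globally, in this case, ..." is a comma splice; end it after "globally" and continue with "In this case, the `pkg.signwith` build profile is added ...". The manual also still refers to `PREFERRED_PROVIDER` without the target suffix; `PREFERRED_PROVIDER_module-signer` and `PREFERRED_PROVIDER_secure-boot-secrets` are what a user actually has to write. Since patch 2 now defaults `SIGNATURE_KEYFILE`, `SIGNATURE_CERTFILE` and `SIGNATURE_SIGNWITH` to fixed paths, this section is also the place to say that a custom provider must install to those paths or the module recipe must override the variables.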
--
2.39.2

Gokhan Cetin

Apr 16, 2025, 1:18:23 PM
to isar-...@googlegroups.com, gokhan...@siemens.com, jan.k...@siemens.com
Introduces a single control variable (`KERNEL_MODULE_SIGNATURES`) to
set all predefined build profiles and dependencies that need to be configured
for kernel module signing.

By using this option, downstreams will be able to enable build-wide signing
of kernel modules which include module.inc without appending any additional
configuration into their module recipes.

Signed-off-by: Gokhan Cetin <gokhan...@siemens.com>
---
meta/recipes-kernel/linux-module/module.inc | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/meta/recipes-kernel/linux-module/module.inc b/meta/recipes-kernel/linux-module/module.inc
index 45d88d48..8fe5eed4 100644
--- a/meta/recipes-kernel/linux-module/module.inc
+++ b/meta/recipes-kernel/linux-module/module.inc
@@ -28,6 +28,13 @@ SIGNATURE_CERTFILE ??= "/usr/share/secure-boot-secrets/secure-boot.pem"
SIGNATURE_HASHFN ??= "sha256"
SIGNATURE_SIGNWITH ??= "/usr/bin/sign-module.sh"

+KERNEL_MODULE_SIGNATURES ??= ""
+
+# Define signing profile and dependencies if KERNEL_MODULE_SIGNATURES is set to "1"
+DEB_BUILD_PROFILES += "${@'pkg.signwith' if bb.utils.to_boolean(d.getVar('KERNEL_MODULE_SIGNATURES')) else ''}"
+DEPENDS += "${@'module-signer secure-boot-secrets' if bb.utils.to_boolean(d.getVar('KERNEL_MODULE_SIGNATURES')) else ''}"
+DEBIAN_BUILD_DEPENDS .= "${@', module-signer, secure-boot-secrets' if bb.utils.to_boolean(d.getVar('KERNEL_MODULE_SIGNATURES')) else ''}"
+
SRC_URI += "file://debian/"

AUTOLOAD ?= ""
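Review bot: the `DEBIAN_BUILD_DEPENDS .=` line prepends `, ` unconditionally when enabled, which relies on `DEBIAN_BUILD_DEPENDS` already being non-empty; a recipe that sets it to "" would emit a Build-Depends field starting with a comma. The condition `bb.utils.to_boolean(d.getVar('KERNEL_MODULE_SIGNATURES'))` is evaluated in three separate inline expressions; one anonymous python function (or one intermediate variable) appending to `DEB_BUILD_PROFILES`, `DEPENDS` and `DEBIAN_BUILD_DEPENDS` would remove the duplication. The comment says "set to "1"", but `to_boolean` also accepts `yes`/`true`; either phrase it as "set to a true value" or name the accepted spellings. Finally, no per-recipe opt-out is described: with `??=` a downstream can still set `KERNEL_MODULE_SIGNATURES:pn-<module> = "0"` for a module that must stay unsigned, which deserves a mention in the comment or the manual.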
--
2.39.2

Baurzhan Ismagulov

May 11, 2025, 9:59:51 AM
to isar-...@googlegroups.com
On 2025-04-16 19:17, 'Gokhan Cetin' via isar-users wrote:
> As of now, in each kernel module, the same configuration block
> has to be specified repeatedly for each module in module recipes
> to specify build-time dependencies on recipes that provide the
> required build profile and the scripts and certificates used in
> kernel module signing.
>
> With these changes, it is possible to enable a recommended signature
> configuration for all module recipes without touching the modules,
> while it is still possible to customize the configuration when necessary.

Applied to next, thanks.

With kind regards,
Baurzhan