[PATCH] meta/recipes-kernel/linux-module: Allow use of external scripts to sign modules


Cetin, Gokhan

Jan 20, 2025, 2:14:26 PM
to isar-...@googlegroups.com, quirin.g...@siemens.com, MOESSBAUER, Felix
This facilitates the integration of scripts developed for signing solutions like HSM
where private keys are not accessible and allows the use of detached signatures
produced by such solutions.

Signed-off-by: Gokhan Cetin <gokhan...@siemens.com>
---
meta/recipes-kernel/linux-module/files/debian/rules.tmpl | 4 ++++
meta/recipes-kernel/linux-module/module.inc | 2 ++
2 files changed, 6 insertions(+)

diff --git a/meta/recipes-kernel/linux-module/files/debian/rules.tmpl b/meta/recipes-kernel/linux-module/files/debian/rules.tmpl
index ad743437..30d7ce0f 100755
--- a/meta/recipes-kernel/linux-module/files/debian/rules.tmpl
+++ b/meta/recipes-kernel/linux-module/files/debian/rules.tmpl
@@ -56,6 +56,10 @@ endif
ifneq ($(filter pkg.sign,$(DEB_BUILD_PROFILES)),)
find . -name "*.ko" -print -exec $(KDIR)/scripts/sign-file ${SIGNATURE_HASHFN} ${SIGNATURE_KEYFILE} ${SIGNATURE_CERTFILE} {} \;
endif
+ifneq ($(filter pkg.signwith,$(DEB_BUILD_PROFILES)),)
+ find . -name "*.ko" | xargs -i ${SIGNATURE_SIGNWITH} {} {}.signature ${SIGNATURE_HASHFN} ${SIGNATURE_CERTFILE}
+ find . -name "*.ko" | xargs -i $(KDIR)/scripts/sign-file -s {}.signature ${SIGNATURE_HASHFN} ${SIGNATURE_CERTFILE} {}
+endif

override_dh_auto_install:
$(MAKE) -C $(KDIR) M=${MODULE_DIR} INSTALL_MOD_PATH=$(PWD)/debian/${PN} modules_install
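Review bot: the new pkg.signwith block runs `${SIGNATURE_SIGNWITH}` unguarded, so with the variable left at its module.inc default of `""` the first xargs line degenerates to executing `{} {}.signature ...`, i.e. the module file itself; an `ifeq ($(SIGNATURE_SIGNWITH),)` with `$(error ...)` inside the new `ifneq` block would fail early with a clear message instead. Two smaller points in the same hunk: `xargs -i` is the deprecated spelling of `xargs -I {}`, and the `{}.signature` files written next to every `.ko` are never removed after the `sign-file -s` step, so they should be deleted (or written to a temporary directory) rather than left in the build tree. Nothing here prevents pkg.sign and pkg.signwith from being enabled together, in which case each module is signed twice; if that is not intended, the two blocks should be mutually exclusive.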
diff --git a/meta/recipes-kernel/linux-module/module.inc b/meta/recipes-kernel/linux-module/module.inc
index 3e8e5e7a..d7432bf7 100644
--- a/meta/recipes-kernel/linux-module/module.inc
+++ b/meta/recipes-kernel/linux-module/module.inc
@@ -25,6 +25,7 @@ DEB_BUILD_OPTIONS += "noautodbgsym"
SIGNATURE_KEYFILE ??= ""
SIGNATURE_CERTFILE ??= ""
SIGNATURE_HASHFN ??= "sha256"
+SIGNATURE_SIGNWITH ??= ""

SRC_URI += "file://debian/"

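Review bot: `SIGNATURE_SIGNWITH ??= ""` adds a variable whose contract is visible only in rules.tmpl (the script is invoked with four positional arguments: module path, output signature path, hash function, certificate file, and must write a raw detached signature consumable by `sign-file -s`); a short comment above this default stating that argument order and output format would document it where users look for the other SIGNATURE_* settings and covers the documentation request raised in review.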
@@ -57,6 +58,7 @@ TEMPLATE_VARS += " \
SIGNATURE_KEYFILE \
SIGNATURE_CERTFILE \
SIGNATURE_HASHFN \
+ SIGNATURE_SIGNWITH \
PN \
DEBIAN_COMPAT"

--
2.39.2

MOESSBAUER, Felix

Jan 21, 2025, 4:23:17 AM
to isar-...@googlegroups.com, Cetin, Gokhan, quirin.g...@siemens.com
On Mon, 2025-01-20 at 18:23 +0000, Çetin, Gökhan (FT D EU TR C&E)
wrote:
> This facilitates the integration of scripts developed for signing
> solutions like HSM
> where private keys are not accessible and allows the use of detached
> signatures
> produced by such solutions.

Hi, the patch itself is fine, but it would be good to also mention this
somewhere in the docs (maybe with a short explanation how to use it).

Felix

Acked-by: Felix Moessbauer <felix.mo...@siemens.com>

Jan Kiszka

Jan 21, 2025, 4:37:33 AM
to MOESSBAUER, Felix, isar-...@googlegroups.com, Cetin, Gokhan, quirin.g...@siemens.com
On 21.01.25 10:23, 'MOESSBAUER, Felix' via isar-users wrote:
> On Mon, 2025-01-20 at 18:23 +0000, Çetin, Gökhan (FT D EU TR C&E)
> wrote:
>> This facilitates the integration of scripts developed for signing
>> solutions like HSM
>> where private keys are not accessible and allows the use of detached
>> signatures
>> produced by such solutions.
>
> Hi, the patch itself is fine, but it would be good to also mention this
> somewhere in the docs (maybe with a short explanation how to use it).
>

...and that documentation should also clarify why the hook is only
needed for the modules, not for the kernel but rather for its UKI -
which is provided by isar-cip-core only so far.

Jan
--
Siemens AG, Foundational Technologies
Linux Expert Center