authorRoland Hieber <rhi@pengutronix.de>2021-07-23 16:29:55 +0200
committerMichael Olbrich <m.olbrich@pengutronix.de>2021-07-26 11:32:46 +0200
commit3ffb3585dd13de9e20d10b6e3fac142e8c7102b8 (patch)
treec29f0dd1f128a8666841975d423fde5b803fa81c
parent7771a8c434c34cf8276be8f143e0182fac0909b5 (diff)
downloadptxdist-3ffb3585dd13de9e20d10b6e3fac142e8c7102b8.tar.gz
ptxdist-3ffb3585dd13de9e20d10b6e3fac142e8c7102b8.tar.xz
kernel: add support for module signing
Use the code signing role 'kernel-modules' to supply the kernel with the key for kernel module signing. This only works if kernel module signing is enabled in the kernel config file, so write a short paragraph for the "daily use" chapter in the docs on what has to be considered when using module signing in PTXdist. Signed-off-by: Roland Hieber <rhi@pengutronix.de> Message-Id: <20210723142956.31879-2-rhi@pengutronix.de> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
-rw-r--r--doc/daily_work.inc38
-rw-r--r--platforms/kernel.in15
-rw-r--r--rules/kernel.make4
3 files changed, 57 insertions, 0 deletions
diff --git a/doc/daily_work.inc b/doc/daily_work.inc
index 4562b5ca7..37bb9bc48 100644
--- a/doc/daily_work.inc
+++ b/doc/daily_work.inc
@@ -157,6 +157,44 @@ add those certificates to the kernel trust root.
:ref:`cs_append_ca_from_pem`, or :ref:`cs_append_ca_from_uri` with the
``kernel-trusted`` role to supply those certificates.)
+Note that the kernel also always adds the module signing key to the trust root
+(see :ref:`kernel_module_signing` below).
+If the EVM key is signed by the module signing key (or if the two keys are the
+same *and* it is self-signed), no additional trust CA is necessary.
+
+.. _kernel_module_signing:
+
+Kernel Module Signing
+~~~~~~~~~~~~~~~~~~~~~
+
+The kernel's build system can generate cryptographic signatures for all
+kernel modules during the build process.
+This can ensure that all modules loaded on the target at runtime have been
+built by a trustworthy source.
+
+If ``PTXCONF_KERNEL_MODULES_SIGN`` ("sign modules") is enabled in the
+platformconfig, PTXdist augments the kernel config with the following config
+options during the `kernel.compile` and `kernel.install` stages:
+
+* ``CONFIG_MODULE_SIG_KEY`` ("File name or PKCS#11 URI of module signing key"):
+ PTXdist supplies the URI from the ``kernel-modules`` role of the configured
+ code signing provider.
+ (The code signing provider should use :ref:`cs_set_uri` to set the URI.)
+
+However, additional settings must also be enabled in the kernel config:
+
+* ``CONFIG_MODULE_SIG=y`` ("Module signature verification"):
+ Enable this option for module signing, and to get access to its sub-options.
+* ``CONFIG_MODULE_SIG_ALL=y`` ("Automatically sign all modules"):
+ Enable this option so that the kernel's build system signs the modules during
+ PTXdist's `kernel.install` stage.
+* Additionally, ``CONFIG_MODULE_SIG_FORCE`` ("Require modules to be validly
+ signed") can be useful so that the kernel refuses loading modules with
+ invalid, untrusted, or no signature.
+
+For the full overview, refer to the `kernel's module signing documentation
+<https://www.kernel.org/doc/html/latest/admin-guide/module-signing.html>`_.
+
Discovering Runtime Dependencies
--------------------------------
diff --git a/platforms/kernel.in b/platforms/kernel.in
index 8fe47b741..ff3cc8df4 100644
--- a/platforms/kernel.in
+++ b/platforms/kernel.in
@@ -39,6 +39,21 @@ config KERNEL_MODULES_INSTALL
prompt "Install modules into /lib/modules"
depends on KERNEL_MODULES
+config KERNEL_MODULES_SIGN
+ bool
+ depends on KERNEL_MODULES
+ select KERNEL_CODE_SIGNING
+ select KERNEL_MODULES_INSTALL
+ prompt "sign modules"
+ help
+ If enabled, kernel modules are signed during the install stage with
+ the key specified by the code signing provider in the "kernel-modules"
+ role.
+
+ See the section "Kernel module signing" in the "Daily Work" chapter in
+ the PTXdist manual for use cases and more infos about what needs to be
+ enabled in the kernel config file.
+
config KERNEL_VERSION
prompt "kernel version"
string
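Review bot: The help text of `KERNEL_MODULES_SIGN` says modules "are signed during the install stage" without the condition that the documentation hunk of this commit spells out: signing depends on `CONFIG_MODULE_SIG=y` and `CONFIG_MODULE_SIG_ALL=y` in the kernel config, which nothing in this entry selects or checks. Someone who enables only the PTXdist option would presumably end up with unsigned modules installed and no diagnostic. I would state the condition in the help itself, e.g. `Signing only happens if CONFIG_MODULE_SIG and CONFIG_MODULE_SIG_ALL are enabled in the kernel config.`, and keep the manual reference for the details.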
diff --git a/rules/kernel.make b/rules/kernel.make
index ac2745083..9caff6779 100644
--- a/rules/kernel.make
+++ b/rules/kernel.make
@@ -76,6 +76,10 @@ KERNEL_BASE_OPT += \
$(if $(shell cs_get_ca kernel-trusted), \
CONFIG_SYSTEM_TRUSTED_KEYS=$(shell cs_get_ca kernel-trusted))
endif
+ifdef PTXCONF_KERNEL_MODULES_SIGN
+KERNEL_BASE_OPT += \
+ CONFIG_MODULE_SIG_KEY='"$(shell cs_get_uri kernel-modules)"'
+endif
# Intermediate option. This will be used by kernel module packages.
KERNEL_MODULE_OPT = \
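Review bot: The new `CONFIG_MODULE_SIG_KEY` assignment passes on whatever `cs_get_uri kernel-modules` prints without checking that it is non-empty, whereas the `kernel-trusted` block just above wraps its lookup in `$(if $(shell cs_get_ca kernel-trusted), …)`. If the provider has not set a URI for the role, the kernel build receives `CONFIG_MODULE_SIG_KEY='""'`, and the outcome is left to the kernel's build system instead of being reported by PTXdist. Silently omitting the option would be no better for a signing key, since the build would presumably fall back to the key named in the kernel config. A hard failure is preferable, e.g. `$(if $(shell cs_get_uri kernel-modules),,$(error no URI set for code signing role kernel-modules))` as the first word of the appended value, provided KERNEL_BASE_OPT is only expanded once the provider is set up (not visible in this hunk). A PKCS#11 URI can also carry a `pin-value` attribute, which this line would put on the make command line and into build logs, so a comment steering providers towards `pin-source` would help.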