mailarchive of the ptxdist mailing list
From: Roland Hieber <rhi@pengutronix.de>
To: ptxdist@pengutronix.de
Cc: Roland Hieber <rhi@pengutronix.de>
Subject: [ptxdist] [PATCH v2 1/3] kernel: add CAs from the code signing provider to the kernel trust root
Date: Fri, 23 Jul 2021 16:29:54 +0200
Message-ID: <20210723142956.31879-1-rhi@pengutronix.de>

Additional trusted CAs can be necessary for certain use cases, see the
snippet in the docs.

Current kernels don't cope well with an empty CONFIG_SYSTEM_TRUSTED_KEYS
variable, so only add it when the signing provider actually supplies a
non-empty list of CA certificates.

The cs_get_* functions print undefined strings when the code signing
provider hasn't been installed into sysroot-host yet, which is usually
the case when kernel.make is parsed at PTXdist startup. Therefore, all
variables that make use of them need to be evaluated recursively when they
are used ('=' instead of ':=', except the options for the perf and iio
tools, where this is not needed. All other recipes using KERNEL_*
variables also already take care of this.)

Signed-off-by: Roland Hieber <rhi@pengutronix.de>
---
PATCH v2:
 - new in v2, split off from "[PATCH] kernel: add support for kernel
   module signing"
 - split docs into extra sections for trust root and module signing
 - add extra KERNEL_CODE_SIGNING platformconfig option
 - add kernel config options to KERNEL_BASE_OPT instead of using
   KERNEL_SIGN_OPT, and guard it with ifdef PTXCONF_KERNEL_CODE_SIGNING

 doc/daily_work.inc  | 34 ++++++++++++++++++++++++++++++++++
 platforms/kernel.in | 14 ++++++++++++++
 rules/kernel.make   | 16 +++++++++++-----
 3 files changed, 59 insertions(+), 5 deletions(-)

diff --git a/doc/daily_work.inc b/doc/daily_work.inc
index 3b436c21ff28..4562b5ca70b9 100644
--- a/doc/daily_work.inc
+++ b/doc/daily_work.inc
@@ -123,6 +123,40 @@ To rebuild the kernel:
          package. A ``ptxdist clean kernel`` call will only delete the
          symlinks in the build directory, but not clean the kernel compiled files.
 
+Using the Code Signing Infrastructure with the Kernel Recipe
+------------------------------------------------------------
+
+The kernel recipe can make use of the :ref:`code signing infrastructure
+<code_signing>` to supply cryptographic key material for several kernel features.
+They can be enabled in the `Linux kernel` section of ``ptxdist platformconfig``.
+
+.. important::
+
+   When supplying the kernel with key material, you should also make sure that
+   all necessary crypto algorithms are enabled in the kernel.
+   For example, if your module signing key is signed with an SHA256 hash,
+   you must enable ``CONFIG_CRYPTO_SHA256`` so that the signature can be verified.
+   Otherwise, some older kernels throw a stack trace on boot, and will not load
+   the supplied key material.
+
+.. _kernel_trust_root:
+
+Trusted Root CAs
+~~~~~~~~~~~~~~~~
+
+In some setups additional trusted CAs can be necessary;
+for example, when using EVM, the EVM key must be issued by a certificate that
+is trusted by the kernel.
+
+When ``PTXCONF_KERNEL_CODE_SIGNING`` ("depend on code signing infrastructure")
+is enabled in the platformconfig, and if the code signing provider supplies CA
+certificates in the ``kernel-trusted`` role,
+PTXdist adds the option ``CONFIG_SYSTEM_TRUSTED_KEYS`` to the kernel config to
+add those certificates to the kernel trust root.
+(The code signing provider should use :ref:`cs_append_ca_from_der`,
+:ref:`cs_append_ca_from_pem`, or :ref:`cs_append_ca_from_uri` with the
+``kernel-trusted`` role to supply those certificates.)
+
 Discovering Runtime Dependencies
 --------------------------------
 
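Review bot: The "Trusted Root CAs" section does not say how the generated CONFIG_SYSTEM_TRUSTED_KEYS relates to a value already present in the kernel config. The rules/kernel.make hunk passes the option as a make variable, so the text should state whether an existing setting in the kernelconfig is overridden, and that nothing is passed at all when the ``kernel-trusted`` role is empty. It is also worth one sentence that every certificate placed in that role becomes a trust anchor built into the kernel, so the role should only contain CAs that are meant to be trusted at that level.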
diff --git a/platforms/kernel.in b/platforms/kernel.in
index c9511729f7f1..8fe47b741fa7 100644
--- a/platforms/kernel.in
+++ b/platforms/kernel.in
@@ -3,6 +3,7 @@
 menuconfig KERNEL
 	bool
 	default y
+	select CODE_SIGNING		if KERNEL_CODE_SIGNING
 	select HOST_U_BOOT_TOOLS	if KERNEL_IMAGE_U || (KERNEL_IMAGE_SIMPLE && ARCH_MICROBLAZE)
 	select HOST_ZSTD		if KERNEL_ZSTD
 	select HOST_XZ			if KERNEL_XZ
@@ -182,6 +183,19 @@ config KERNEL_DTS
 
 endif
 
+config KERNEL_CODE_SIGNING
+	prompt "use code signing infrastructure"
+	select KERNEL_OPENSSL
+	bool
+	help
+	  Enable this option if you want the kernel to make use of the code
+	  signing infrastructure, e.g. to supply trust roots from the
+	  'kernel-trusted' code signing role.
+
+	  See the section "Using the Code Signing Infrastructure with the Kernel
+	  Recipe" in the "Daily Use" chapter in the PTXdist manual for use
+	  cases and more information.
+
 config KERNEL_ZSTD
 	prompt "build zstd hosttool"
 	bool
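Review bot: The prompt of KERNEL_CODE_SIGNING reads "use code signing infrastructure", but the documentation hunk in doc/daily_work.inc refers to the same option as "depend on code signing infrastructure". Pick one wording and use it in both places so users can find the entry in ``ptxdist platformconfig``. Minor style point in the same entry: "select KERNEL_OPENSSL" sits between "prompt" and "bool"; the neighbouring KERNEL_ZSTD entry keeps "prompt" and "bool" together, so moving the select after "bool" would match it.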
diff --git a/rules/kernel.make b/rules/kernel.make
index 526bcd9beb3f..ac27450832df 100644
--- a/rules/kernel.make
+++ b/rules/kernel.make
@@ -67,17 +67,23 @@ endef
 KERNEL_MAKEVARS = $(call kernel/deprecated, KERNEL_MAKEVARS)
 
 # like kernel-opts but with different CROSS_COMPILE=
-KERNEL_BASE_OPT		:= \
+KERNEL_BASE_OPT		= \
 	$(call kernel-opts, KERNEL,$(KERNEL_CROSS_COMPILE)) \
 	$(call remove_quotes,$(PTXCONF_KERNEL_EXTRA_MAKEVARS))
 
+ifdef PTXCONF_KERNEL_CODE_SIGNING
+KERNEL_BASE_OPT		+= \
+	$(if $(shell cs_get_ca kernel-trusted), \
+		CONFIG_SYSTEM_TRUSTED_KEYS=$(shell cs_get_ca kernel-trusted))
+endif
+
 # Intermediate option. This will be used by kernel module packages.
-KERNEL_MODULE_OPT	:= \
+KERNEL_MODULE_OPT	= \
 	-C $(KERNEL_DIR) \
 	O=$(KERNEL_BUILD_DIR) \
 	$(KERNEL_BASE_OPT)
 
-KERNEL_SHARED_OPT	:= \
+KERNEL_SHARED_OPT	= \
 	$(KERNEL_MODULE_OPT)
 
 ifndef PTXCONF_KERNEL_GCC_PLUGINS
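Review bot: In the "ifdef PTXCONF_KERNEL_CODE_SIGNING" block, "$(shell cs_get_ca kernel-trusted)" is written twice inside a variable that is now recursively expanded, so the helper runs twice every time KERNEL_BASE_OPT, or anything built on it (KERNEL_MODULE_OPT, KERNEL_SHARED_OPT), is expanded. Consider a single helper variable so the role name is written in one place. Two further points on the same lines: the result is passed unquoted, so a value containing whitespace would be split into separate make arguments, and "$(shell ...)" does not propagate the exit status, so a failing cs_get_ca cannot be told apart from an empty CA list and the kernel would then be built without the expected trust root although KERNEL_CODE_SIGNING is enabled. A short comment next to the changed assignments saying that '=' is intentional (the cs_get_* output is only valid once the provider is installed into sysroot-host) would keep someone from turning them back into ':='.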
@@ -92,7 +98,7 @@ KERNEL_MAKE_ENV		:= \
 endif
 
 KERNEL_CONF_TOOL	:= kconfig
-KERNEL_CONF_OPT		:= \
+KERNEL_CONF_OPT		= \
 	$(KERNEL_SHARED_OPT)
 
 ifdef PTXCONF_KERNEL_CONFIG_BASE_VERSION
@@ -244,7 +250,7 @@ endif
 # Install
 # ----------------------------------------------------------------------------
 
-KERNEL_INSTALL_OPT := \
+KERNEL_INSTALL_OPT = \
 	$(KERNEL_BASE_OPT) \
 	modules_install
 
-- 
2.30.2



Thread overview: 6+ messages
2021-07-23 14:29 Roland Hieber [this message]
2021-07-23 14:29 ` [ptxdist] [PATCH v2 2/3] kernel: add support for module signing Roland Hieber
2021-07-27  6:21   ` [ptxdist] [APPLIED] " Michael Olbrich
2021-07-23 14:29 ` [ptxdist] [PATCH v2 3/3] host-ptx-code-signing-dev: version bump 0.5 -> 0.6 Roland Hieber
2021-07-27  6:21   ` [ptxdist] [APPLIED] " Michael Olbrich
2021-07-27  6:21 ` [ptxdist] [APPLIED] kernel: add CAs from the code signing provider to the kernel trust root Michael Olbrich
