From: Roland Hieber
To: ptxdist@pengutronix.de
Date: Fri, 23 Jul 2021 16:29:54 +0200
Message-Id: <20210723142956.31879-1-rhi@pengutronix.de>
Subject: [ptxdist] [PATCH v2 1/3] kernel: add CAs from the code signing provider to the kernel trust root

Additional trusted CAs can be necessary for certain use cases, see the snippet in the docs. Current kernels don't cope well with an empty CONFIG_SYSTEM_TRUSTED_KEYS variable, so only add it when the signing provider actually supplies a non-empty list of CA certificates.

The cs_get_* functions print undefined strings when the code signing provider hasn't been installed into sysroot-host yet, which is usually the case when kernel.make is parsed at PTXdist startup. Therefore, all variables that make use of them need to be evaluated recursively when they are used ('=' instead of ':=', except the options for the perf and iio tools, where this is not needed. All other recipes using KERNEL_* variables also already take care of this.)
Signed-off-by: Roland Hieber
---
PATCH v2:
- new in v2, split off from "[PATCH] kernel: add support for kernel module signing"
- split docs into extra sections for trust root and module signing
- add extra KERNEL_CODE_SIGNING platformconfig option
- add kernel config options to KERNEL_BASE_OPT instead of using KERNEL_SIGN_OPT, and guard it with ifdef PTXCONF_KERNEL_CODE_SIGNING

 doc/daily_work.inc  | 34 ++++++++++++++++++++++++++++++++++
 platforms/kernel.in | 14 ++++++++++++++
 rules/kernel.make   | 16 +++++++++++-----
 3 files changed, 59 insertions(+), 5 deletions(-)

diff --git a/doc/daily_work.inc b/doc/daily_work.inc
index 3b436c21ff28..4562b5ca70b9 100644
--- a/doc/daily_work.inc
+++ b/doc/daily_work.inc
@@ -123,6 +123,40 @@ To rebuild the kernel: package. A ``ptxdist clean kernel`` call will only delete the symlinks in the build directory, but not clean the kernel compiled files. +Using the Code Signing Infrastructure with the Kernel Recipe +------------------------------------------------------------ + +The kernel recipe can make use of the :ref:`code signing infrastructure +` to supply cryptographic key material for several kernel features. +They can be enabled in the `Linux kernel` section of ``ptxdist platformconfig``. + +.. important:: + + When supplying the kernel with key material, you should also make sure that + all necessary crypto algorithms are enabled in the kernel. + For example, if your module signing key is signed with an SHA256 hash, + you must enable ``CONFIG_CRYPTO_SHA256`` so that the signature can be verified. + Otherwise, some older kernels throw a stack trace on boot, and will not load + the supplied key material. + +.. _kernel_trust_root: + +Trusted Root CAs +~~~~~~~~~~~~~~~~ + +In some setups additional trusted CAs can be necessary; +for example, when using EVM, the EVM key must be issued by a certificate that +is trusted by the kernel. + +When ``PTXCONF_KERNEL_CODE_SIGNING`` ("depend on code signing infrastructure") +is enabled in the platformconfig, and if the code signing provider supplies CA +certificates in the ``kernel-trusted`` role, +PTXdist adds the option ``CONFIG_SYSTEM_TRUSTED_KEYS`` to the kernel config to +add those certificates to the kernel trust root. +(The code signing provider should use :ref:`cs_append_ca_from_der`, +:ref:`cs_append_ca_from_pem`, or :ref:`cs_append_ca_from_uri` with the +``kernel-trusted`` role to supply those certificates.) + Discovering Runtime Dependencies -------------------------------- diff --git a/platforms/kernel.in b/platforms/kernel.in index c9511729f7f1..8fe47b741fa7 100644 --- a/platforms/kernel.in +++ b/platforms/kernel.in 
@@ -3,6 +3,7 @@ menuconfig KERNEL bool default y + select CODE_SIGNING if KERNEL_CODE_SIGNING select HOST_U_BOOT_TOOLS if KERNEL_IMAGE_U || (KERNEL_IMAGE_SIMPLE && ARCH_MICROBLAZE) select HOST_ZSTD if KERNEL_ZSTD select HOST_XZ if KERNEL_XZ @@ -182,6 +183,19 @@ config KERNEL_DTS endif +config KERNEL_CODE_SIGNING + prompt "use code signing infrastructure" + select KERNEL_OPENSSL + bool + help + Enable this option if you want the kernel to make use of the code + signing infrastructure, e.g. to supply trust roots from the + 'kernel-trusted' code signing role. + + See the section "Using the Code Signing Infrastructure with the Kernel + Recipe" in the "Daily Use" chapter in the PTXdist manual for use + cases and more information. + config KERNEL_ZSTD prompt "build zstd hosttool" bool diff --git a/rules/kernel.make b/rules/kernel.make index 526bcd9beb3f..ac27450832df 100644 --- a/rules/kernel.make +++ b/rules/kernel.make @@ -67,17 +67,23 @@ endef KERNEL_MAKEVARS = $(call kernel/deprecated, KERNEL_MAKEVARS) # like kernel-opts but with different CROSS_COMPILE= -KERNEL_BASE_OPT := \ +KERNEL_BASE_OPT = \ $(call kernel-opts, KERNEL,$(KERNEL_CROSS_COMPILE)) \ $(call remove_quotes,$(PTXCONF_KERNEL_EXTRA_MAKEVARS)) +ifdef PTXCONF_KERNEL_CODE_SIGNING +KERNEL_BASE_OPT += \ + $(if $(shell cs_get_ca kernel-trusted), \ + CONFIG_SYSTEM_TRUSTED_KEYS=$(shell cs_get_ca kernel-trusted)) +endif + # Intermediate option. This will be used by kernel module packages. -KERNEL_MODULE_OPT := \ +KERNEL_MODULE_OPT = \ -C $(KERNEL_DIR) \ O=$(KERNEL_BUILD_DIR) \ $(KERNEL_BASE_OPT) -KERNEL_SHARED_OPT := \ +KERNEL_SHARED_OPT = \ $(KERNEL_MODULE_OPT) ifndef PTXCONF_KERNEL_GCC_PLUGINS @@ -92,7 +98,7 @@ KERNEL_MAKE_ENV := \ endif KERNEL_CONF_TOOL := kconfig -KERNEL_CONF_OPT := \ +KERNEL_CONF_OPT = \ $(KERNEL_SHARED_OPT) ifdef PTXCONF_KERNEL_CONFIG_BASE_VERSION 
@@ -244,7 +250,7 @@ endif # Install # ---------------------------------------------------------------------------- -KERNEL_INSTALL_OPT := \ +KERNEL_INSTALL_OPT = \ $(KERNEL_BASE_OPT) \ modules_install -- 2.30.2 _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
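Review bot: the new "Trusted Root CAs" section in the doc/daily_work.inc hunk does not mention that CONFIG_SYSTEM_TRUSTED_KEYS only takes effect when CONFIG_SYSTEM_TRUSTED_KEYRING is enabled in the kernel config (the Kconfig option depends on it); since the `.. important::` block already lists CONFIG_CRYPTO_SHA256 as a prerequisite, the keyring requirement belongs in the same place so a user with a kernelconfig that lacks the keyring is not left with a silent no-op. The SHA256 example in that block also talks about the module signing key, which this patch does not yet document (the v2 notes say module signing was split off); an example phrased in terms of the `kernel-trusted` CA certificates would match the scope of this patch.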
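Review bot: in the `config KERNEL_CODE_SIGNING` hunk in platforms/kernel.in the `bool` line comes after `prompt` and `select KERNEL_OPENSSL`, whereas the neighbouring entry `config KERNEL_ZSTD` puts `prompt` first and `bool` directly after it; reorder the new entry to match. The help text could additionally state that nothing is added to the kernel options when the provider supplies no CA in the `kernel-trusted` role (that is what the `$(if ...)` guard in rules/kernel.make does), so that enabling the option without a matching provider does not surprise the user.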
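Review bot: in the KERNEL_BASE_OPT hunk in rules/kernel.make, `$(shell cs_get_ca kernel-trusted)` is run twice per expansion (once in the `$(if ...)` condition and once for the value), and because KERNEL_BASE_OPT, KERNEL_MODULE_OPT, KERNEL_SHARED_OPT, KERNEL_CONF_OPT and KERNEL_INSTALL_OPT are all switched from `:=` to `=`, the command is re-executed on every expansion of any of them, including from every kernel module package that uses KERNEL_MODULE_OPT. Consider evaluating it once on first use, e.g. a helper that does `$(eval KERNEL_TRUSTED_CA := $(shell cs_get_ca kernel-trusted))` and then reuses `$(KERNEL_TRUSTED_CA)` in both the condition and the value. The result is also substituted unquoted into the make command line, so a path containing whitespace would be split into several arguments; passing it as `CONFIG_SYSTEM_TRUSTED_KEYS="$(KERNEL_TRUSTED_CA)"` would be safer.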