mailarchive of the ptxdist mailing list
 help / color / mirror / Atom feed
From: Roland Hieber <rhi@pengutronix.de>
To: ptxdist@pengutronix.de
Cc: Roland Hieber <rhi@pengutronix.de>
Subject: [ptxdist] [PATCH v2 2/3] kernel: add support for module signing
Date: Fri, 23 Jul 2021 16:29:55 +0200
Message-ID: <20210723142956.31879-2-rhi@pengutronix.de> (raw)
In-Reply-To: <20210723142956.31879-1-rhi@pengutronix.de>

Use the code signing role 'kernel-modules' to supply the kernel with the
key for kernel module singing. This only works if kernel module signing
is enabled in the kernel config file, so write a short paragraph for the
"daily use" chapter in the docs what has to be considered when using
module signing in PTXdist.

Signed-off-by: Roland Hieber <rhi@pengutronix.de>
---
PATCH v2:
 - rebase to current master
 - split trusted key handling into its own patch (see previous patch)
 - add CONFIG_MODULE_SIG_KEY to KENREL_BASE_OPT instead of
   KERNEL_SIGN_OPT, and only if module signing is enabled in the
   platformconfig
 - fix some typos and adapt documentation

PATCH v1: https://lore.ptxdist.org/ptxdist/20210719183053.3799-1-rhi@pengutronix.de

 doc/daily_work.inc  | 38 ++++++++++++++++++++++++++++++++++++++
 platforms/kernel.in | 15 +++++++++++++++
 rules/kernel.make   |  4 ++++
 3 files changed, 57 insertions(+)

diff --git a/doc/daily_work.inc b/doc/daily_work.inc
index 4562b5ca70b9..37bb9bc48180 100644
--- a/doc/daily_work.inc
+++ b/doc/daily_work.inc
@@ -157,6 +157,44 @@ add those certificates to the kernel trust root.
 :ref:`cs_append_ca_from_pem`, or :ref:`cs_append_ca_from_uri` with the
 ``kernel-trusted`` role to supply those certificates.)
 
+Note that the kernel also always adds the module signing key to the trust root
+(see :ref:`kernel_module_signing` below).
+If the EVM key is signed by the module signing key (or if the two keys are the
+same *and* it is self-signed), no additional trust CA is necessary.
+
+.. _kernel_module_signing:
+
+Kernel Module Signing
+~~~~~~~~~~~~~~~~~~~~~
+
+The kernel's build system can generate cryptographic signatures for all
+kernel modules during the build process.
+This can ensure that all modules loaded on the target at runtime have been
+built by a trustworthy source.
+
+If ``PTXCONF_KERNEL_MODULES_SIGN`` ("sign modules") is enabled in the
+platformconfig, PTXdist augments the kernel config with the following config
+options during the `kernel.compile` and `kernel.install` stages:
+
+* ``CONFIG_MODULE_SIG_KEY`` ("File name or PKCS#11 URI of module signing key"):
+  PTXdist supplies the URI from the ``kernel-modules`` role of the configured
+  code signing provider.
+  (The code signing provider should use :ref:`cs_set_uri` to set the URI.)
+
+However, additional settings must also be enabled in the kernel config:
+
+* ``CONFIG_MODULE_SIG=y`` ("Module signature verification"):
+  Enable this option for module signing, and to get access to its sub-options.
+* ``CONFIG_MODULE_SIG_ALL=y`` ("Automatically sign all modules"):
+  Enable this option so that the kernel's build system signs the modules during
+  PTXdist's `kernel.install` stage.
+* Additionally, ``CONFIG_MODULE_SIG_FORCE`` ("Require modules to be validly
+  signed") can be useful so that the kernel refuses loading modules with
+  invalid, untrusted, or no signature.
+
+For the full overview, refer to the `kernel's module signing documentation
+<https://www.kernel.org/doc/html/latest/admin-guide/module-signing.html>`_.
+
 Discovering Runtime Dependencies
 --------------------------------
 
diff --git a/platforms/kernel.in b/platforms/kernel.in
index 8fe47b741fa7..ff3cc8df4f47 100644
--- a/platforms/kernel.in
+++ b/platforms/kernel.in
@@ -39,6 +39,21 @@ config KERNEL_MODULES_INSTALL
 	prompt "Install modules into /lib/modules"
 	depends on KERNEL_MODULES
 
+config KERNEL_MODULES_SIGN
+	bool
+	depends on KERNEL_MODULES
+	select KERNEL_CODE_SIGNING
+	select KERNEL_MODULES_INSTALL
+	prompt "sign modules"
+	help
+	  If enabled, kernel modules are signed during the install stage with
+	  the key specified by the code signing provider in the "kernel-modules"
+	  role.
+
+	  See the section "Kernel module signing" in the "Daily Work" chapter in
+	  the PTXdist manual for use cases and more infos about what needs to be
+	  enabled in the kernel config file.
+
 config KERNEL_VERSION
 	prompt "kernel version"
 	string
diff --git a/rules/kernel.make b/rules/kernel.make
index ac27450832df..9caff677918e 100644
--- a/rules/kernel.make
+++ b/rules/kernel.make
@@ -76,6 +76,10 @@ KERNEL_BASE_OPT		+= \
 	$(if $(shell cs_get_ca kernel-trusted), \
 		CONFIG_SYSTEM_TRUSTED_KEYS=$(shell cs_get_ca kernel-trusted))
 endif
+ifdef PTXCONF_KERNEL_MODULES_SIGN
+KERNEL_BASE_OPT		+= \
+	CONFIG_MODULE_SIG_KEY='"$(shell cs_get_uri kernel-modules)"'
+endif
 
 # Intermediate option. This will be used by kernel module packages.
 KERNEL_MODULE_OPT	= \
-- 
2.30.2


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de


  reply	other threads:[~2021-07-23 14:30 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-07-23 14:29 [ptxdist] [PATCH v2 1/3] kernel: add CAs from the code signing provider to the kernel trust root Roland Hieber
2021-07-23 14:29 ` Roland Hieber [this message]
2021-07-27  6:21   ` [ptxdist] [APPLIED] kernel: add support for module signing Michael Olbrich
2021-07-23 14:29 ` [ptxdist] [PATCH v2 3/3] host-ptx-code-signing-dev: version bump 0.5 -> 0.6 Roland Hieber
2021-07-27  6:21   ` [ptxdist] [APPLIED] " Michael Olbrich
2021-07-27  6:21 ` [ptxdist] [APPLIED] kernel: add CAs from the code signing provider to the kernel trust root Michael Olbrich

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210723142956.31879-2-rhi@pengutronix.de \
    --to=rhi@pengutronix.de \
    --cc=ptxdist@pengutronix.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

mailarchive of the ptxdist mailing list

This inbox may be cloned and mirrored by anyone:

	git clone --mirror https://lore.ptxdist.org/ptxdist/0 ptxdist/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 ptxdist ptxdist/ https://lore.ptxdist.org/ptxdist \
		ptxdist@pengutronix.de
	public-inbox-index ptxdist

Example config snippet for mirrors.


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git