Re: [ptxdist] [APPLIED] kernel: add CAs from the code signing provider to the kernel trust root

[Michael Olbrich <m.olbrich@pengutronix.de>]

Thanks, applied as 7771a8c434c34cf8276be8f143e0182fac0909b5.

Michael

[sent from post-receive hook]

On Tue, 27 Jul 2021 08:21:46 +0200, Roland Hieber <rhi@pengutronix.de> wrote:
> Additional trusted CAs can be necessary for certain use cases, see the
> snippet in the docs.
> 
> Current kernels don't cope well with an empty CONFIG_SYSTEM_TRUSTED_KEYS
> variable, so only add it when the singing provider actually supplies a
> non-empty list of CA certificates.
> 
> The cs_get_* functions print undefined strings when the code signing
> provider hasn't been installed into sysroot-host yet, which is usually
> the case when kernel.make is parsed at PTXdist startup. Therefore, all
> variables that make use of need to be evaluated recursively when they
> are used ('=' instead of ':=', except the options for the perf and iio
> tools, were this is not needed. All other recipes using KERNEL_*
> variables also already take care of this.)
> 
> Signed-off-by: Roland Hieber <rhi@pengutronix.de>
> Message-Id: <20210723142956.31879-1-rhi@pengutronix.de>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/doc/daily_work.inc b/doc/daily_work.inc
> index 3b436c21ff28..4562b5ca70b9 100644
> --- a/doc/daily_work.inc
> +++ b/doc/daily_work.inc
> @@ -123,6 +123,40 @@ To rebuild the kernel:
>           package. A ``ptxdist clean kernel`` call will only delete the
>           symlinks in the build directory, but not clean the kernel compiled files.
>  
> +Using the Code Signing Infrastructure with the Kernel Recipe
> +------------------------------------------------------------
> +
> +The kernel recipe can make use of the :ref:`code signing infrastructure
> +<code_signing>` to supply cryptographic key material for several kernel features.
> +They can be enabled in the `Linux kernel` section of ``ptxdist platformconfig``.
> +
> +.. important::
> +
> +   When supplying the kernel with key material, you should also make sure that
> +   all necessary crypto algorithms are enabled in the kernel.
> +   For example, if your module signing key is signed with an SHA256 hash,
> +   you must enable ``CONFIG_CRYPTO_SHA256`` so that the signature can be verified.
> +   Otherwise, some older kernels throw a stack trace on boot, and will not load
> +   the supplied key material.
> +
> +.. _kernel_trust_root:
> +
> +Trusted Root CAs
> +~~~~~~~~~~~~~~~~
> +
> +In some setups additional trusted CAs can be necessary;
> +for example, when using EVM, the EVM key must be issued by a certificate that
> +is trusted by the kernel.
> +
> +When ``PTXCONF_KERNEL_CODE_SIGNING`` ("depend on code signing infrastructure")
> +is enabled in the platformconfig, and if the code signing provider supplies CA
> +certificates in the ``kernel-trusted`` role,
> +PTXdist adds the option ``CONFIG_SYSTEM_TRUSTED_KEYS`` to the kernel config to
> +add those certificates to the kernel trust root.
> +(The code signing provider should use :ref:`cs_append_ca_from_der`,
> +:ref:`cs_append_ca_from_pem`, or :ref:`cs_append_ca_from_uri` with the
> +``kernel-trusted`` role to supply those certificates.)
> +
>  Discovering Runtime Dependencies
>  --------------------------------
>  
> diff --git a/platforms/kernel.in b/platforms/kernel.in
> index c9511729f7f1..8fe47b741fa7 100644
> --- a/platforms/kernel.in
> +++ b/platforms/kernel.in
> @@ -3,6 +3,7 @@
>  menuconfig KERNEL
>  	bool
>  	default y
> +	select CODE_SIGNING		if KERNEL_CODE_SIGNING
>  	select HOST_U_BOOT_TOOLS	if KERNEL_IMAGE_U || (KERNEL_IMAGE_SIMPLE && ARCH_MICROBLAZE)
>  	select HOST_ZSTD		if KERNEL_ZSTD
>  	select HOST_XZ			if KERNEL_XZ
> @@ -182,6 +183,19 @@ config KERNEL_DTS
>  
>  endif
>  
> +config KERNEL_CODE_SIGNING
> +	prompt "use code signing infrastructure"
> +	select KERNEL_OPENSSL
> +	bool
> +	help
> +	  Enable this option if you want the kernel to make use of the code
> +	  signing infrastructure, e.g. to supply trust roots from the
> +	  'kernel-trusted' code signing role.
> +
> +	  See the section "Using the Code Signing Infrastructure with the Kernel
> +	  Recipe" in the "Daily Use" chapter in the PTXdist manual for use
> +	  cases and more information.
> +
>  config KERNEL_ZSTD
>  	prompt "build zstd hosttool"
>  	bool
> diff --git a/rules/kernel.make b/rules/kernel.make
> index 526bcd9beb3f..ac27450832df 100644
> --- a/rules/kernel.make
> +++ b/rules/kernel.make
> @@ -67,17 +67,23 @@ endef
>  KERNEL_MAKEVARS = $(call kernel/deprecated, KERNEL_MAKEVARS)
>  
>  # like kernel-opts but with different CROSS_COMPILE=
> -KERNEL_BASE_OPT		:= \
> +KERNEL_BASE_OPT		= \
>  	$(call kernel-opts, KERNEL,$(KERNEL_CROSS_COMPILE)) \
>  	$(call remove_quotes,$(PTXCONF_KERNEL_EXTRA_MAKEVARS))
>  
> +ifdef PTXCONF_KERNEL_CODE_SIGNING
> +KERNEL_BASE_OPT		+= \
> +	$(if $(shell cs_get_ca kernel-trusted), \
> +		CONFIG_SYSTEM_TRUSTED_KEYS=$(shell cs_get_ca kernel-trusted))
> +endif
> +
>  # Intermediate option. This will be used by kernel module packages.
> -KERNEL_MODULE_OPT	:= \
> +KERNEL_MODULE_OPT	= \
>  	-C $(KERNEL_DIR) \
>  	O=$(KERNEL_BUILD_DIR) \
>  	$(KERNEL_BASE_OPT)
>  
> -KERNEL_SHARED_OPT	:= \
> +KERNEL_SHARED_OPT	= \
>  	$(KERNEL_MODULE_OPT)
>  
>  ifndef PTXCONF_KERNEL_GCC_PLUGINS
> @@ -92,7 +98,7 @@ KERNEL_MAKE_ENV		:= \
>  endif
>  
>  KERNEL_CONF_TOOL	:= kconfig
> -KERNEL_CONF_OPT		:= \
> +KERNEL_CONF_OPT		= \
>  	$(KERNEL_SHARED_OPT)
>  
>  ifdef PTXCONF_KERNEL_CONFIG_BASE_VERSION
> @@ -244,7 +250,7 @@ endif
>  # Install
>  # ----------------------------------------------------------------------------
>  
> -KERNEL_INSTALL_OPT := \
> +KERNEL_INSTALL_OPT = \
>  	$(KERNEL_BASE_OPT) \
>  	modules_install
>  

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de