From: Michael Olbrich
To: ptxdist@pengutronix.de
Cc: Roland Hieber
Date: Tue, 27 Jul 2021 08:21:46 +0200
Message-Id: <20210727062146.1994204-1-m.olbrich@pengutronix.de>
In-Reply-To: <20210723142956.31879-1-rhi@pengutronix.de>
References: <20210723142956.31879-1-rhi@pengutronix.de>
Subject: Re: [ptxdist] [APPLIED] kernel: add CAs from the code signing provider to the kernel trust root

Thanks, applied as 7771a8c434c34cf8276be8f143e0182fac0909b5.

Michael

[sent from post-receive hook]

On Tue, 27 Jul 2021 08:21:46 +0200, Roland Hieber wrote:
> Additional trusted CAs can be necessary for certain use cases, see the
> snippet in the docs.
>
> Current kernels don't cope well with an empty CONFIG_SYSTEM_TRUSTED_KEYS
> variable, so only add it when the signing provider actually supplies a
> non-empty list of CA certificates.
>
> The cs_get_* functions print undefined strings when the code signing
> provider hasn't been installed into sysroot-host yet, which is usually
> the case when kernel.make is parsed at PTXdist startup. Therefore, all
> variables that make use of need to be evaluated recursively when they
> are used ('=' instead of ':=', except the options for the perf and iio
> tools, where this is not needed. All other recipes using KERNEL_*
> variables also already take care of this.)
>
> Signed-off-by: Roland Hieber
> Message-Id: <20210723142956.31879-1-rhi@pengutronix.de>
> Signed-off-by: Michael Olbrich
> > diff --git a/doc/daily_work.inc b/doc/daily_work.inc > index 3b436c21ff28..4562b5ca70b9 100644 > --- a/doc/daily_work.inc > +++ b/doc/daily_work.inc 
> @@ -123,6 +123,40 @@ To rebuild the kernel: > package. A ``ptxdist clean kernel`` call will only delete the > symlinks in the build directory, but not clean the kernel compiled files. > > +Using the Code Signing Infrastructure with the Kernel Recipe > +------------------------------------------------------------ > + > +The kernel recipe can make use of the :ref:`code signing infrastructure > +` to supply cryptographic key material for several kernel features. > +They can be enabled in the `Linux kernel` section of ``ptxdist platformconfig``. > + > +.. important:: > + > + When supplying the kernel with key material, you should also make sure that > + all necessary crypto algorithms are enabled in the kernel. > + For example, if your module signing key is signed with an SHA256 hash, > + you must enable ``CONFIG_CRYPTO_SHA256`` so that the signature can be verified. > + Otherwise, some older kernels throw a stack trace on boot, and will not load > + the supplied key material. > + > +.. _kernel_trust_root: > + > +Trusted Root CAs > +~~~~~~~~~~~~~~~~ > + > +In some setups additional trusted CAs can be necessary; > +for example, when using EVM, the EVM key must be issued by a certificate that > +is trusted by the kernel. > + > +When ``PTXCONF_KERNEL_CODE_SIGNING`` ("depend on code signing infrastructure") > +is enabled in the platformconfig, and if the code signing provider supplies CA > +certificates in the ``kernel-trusted`` role, > +PTXdist adds the option ``CONFIG_SYSTEM_TRUSTED_KEYS`` to the kernel config to > +add those certificates to the kernel trust root. > +(The code signing provider should use :ref:`cs_append_ca_from_der`, > +:ref:`cs_append_ca_from_pem`, or :ref:`cs_append_ca_from_uri` with the > +``kernel-trusted`` role to supply those certificates.) > + > Discovering Runtime Dependencies > -------------------------------- > > diff --git a/platforms/kernel.in b/platforms/kernel.in > index c9511729f7f1..8fe47b741fa7 100644 > --- a/platforms/kernel.in 
> +++ b/platforms/kernel.in > @@ -3,6 +3,7 @@ > menuconfig KERNEL > bool > default y > + select CODE_SIGNING if KERNEL_CODE_SIGNING > select HOST_U_BOOT_TOOLS if KERNEL_IMAGE_U || (KERNEL_IMAGE_SIMPLE && ARCH_MICROBLAZE) > select HOST_ZSTD if KERNEL_ZSTD > select HOST_XZ if KERNEL_XZ > @@ -182,6 +183,19 @@ config KERNEL_DTS > > endif > > +config KERNEL_CODE_SIGNING > + prompt "use code signing infrastructure" > + select KERNEL_OPENSSL > + bool > + help > + Enable this option if you want the kernel to make use of the code > + signing infrastructure, e.g. to supply trust roots from the > + 'kernel-trusted' code signing role. > + > + See the section "Using the Code Signing Infrastructure with the Kernel > + Recipe" in the "Daily Use" chapter in the PTXdist manual for use > + cases and more information. > + > config KERNEL_ZSTD > prompt "build zstd hosttool" > bool > diff --git a/rules/kernel.make b/rules/kernel.make > index 526bcd9beb3f..ac27450832df 100644 > --- a/rules/kernel.make > +++ b/rules/kernel.make > @@ -67,17 +67,23 @@ endef > KERNEL_MAKEVARS = $(call kernel/deprecated, KERNEL_MAKEVARS) > > # like kernel-opts but with different CROSS_COMPILE= > -KERNEL_BASE_OPT := \ > +KERNEL_BASE_OPT = \ > $(call kernel-opts, KERNEL,$(KERNEL_CROSS_COMPILE)) \ > $(call remove_quotes,$(PTXCONF_KERNEL_EXTRA_MAKEVARS)) > > +ifdef PTXCONF_KERNEL_CODE_SIGNING > +KERNEL_BASE_OPT += \ > + $(if $(shell cs_get_ca kernel-trusted), \ > + CONFIG_SYSTEM_TRUSTED_KEYS=$(shell cs_get_ca kernel-trusted)) > +endif > + > # Intermediate option. This will be used by kernel module packages. > -KERNEL_MODULE_OPT := \ > +KERNEL_MODULE_OPT = \ > -C $(KERNEL_DIR) \ > O=$(KERNEL_BUILD_DIR) \ > $(KERNEL_BASE_OPT) > > -KERNEL_SHARED_OPT := \ > +KERNEL_SHARED_OPT = \ > $(KERNEL_MODULE_OPT) > > ifndef PTXCONF_KERNEL_GCC_PLUGINS 
> @@ -92,7 +98,7 @@ KERNEL_MAKE_ENV := \ > endif > > KERNEL_CONF_TOOL := kconfig > -KERNEL_CONF_OPT := \ > +KERNEL_CONF_OPT = \ > $(KERNEL_SHARED_OPT) > > ifdef PTXCONF_KERNEL_CONFIG_BASE_VERSION > @@ -244,7 +250,7 @@ endif > # Install > # ---------------------------------------------------------------------------- > > -KERNEL_INSTALL_OPT := \ > +KERNEL_INSTALL_OPT = \ > $(KERNEL_BASE_OPT) \ > modules_install
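Review bot: in the doc/daily_work.inc hunk, the ``.. important::`` box says "if your module signing key is signed with an SHA256 hash"; a key is not signed with a hash, the certificate carrying it is signed with an algorithm such as sha256WithRSAEncryption, so reword it to "if the certificate for your module signing key carries a SHA256 signature, you must enable ``CONFIG_CRYPTO_SHA256``". The "Trusted Root CAs" section should also state that ``CONFIG_SYSTEM_TRUSTED_KEYS`` is handed to the kernel build as a make variable (that is what the rules/kernel.make hunk does), which means it takes precedence over any value of that option a user has put into the kernel config itself; anyone maintaining their own trust root in the kernel config needs to know it will be replaced once ``PTXCONF_KERNEL_CODE_SIGNING`` is enabled.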
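Review bot: in the platforms/kernel.in hunk, ``config KERNEL_CODE_SIGNING`` does ``select KERNEL_OPENSSL`` but the help text only talks about the 'kernel-trusted' role, so the dependency reads as unrelated; add a sentence saying what the kernel needs openssl for when key material is supplied (processing the certificates passed via ``CONFIG_SYSTEM_TRUSTED_KEYS``). Minor style point: the entry orders ``prompt``, ``select``, ``bool``, ``help``, while the neighbouring ``config KERNEL_ZSTD`` has ``prompt`` followed directly by ``bool``; put the type line before the ``select`` to match.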
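Review bot: in the first rules/kernel.make hunk, ``$(shell cs_get_ca kernel-trusted)`` is executed twice per expansion (once in the ``$(if ...)`` condition and once in the value), and since ``KERNEL_BASE_OPT`` is now recursively expanded and referenced by ``KERNEL_MODULE_OPT``, ``KERNEL_SHARED_OPT``, ``KERNEL_CONF_OPT`` and ``KERNEL_INSTALL_OPT``, the command reruns on every reference to any of those variables. A single call that still yields nothing for an empty result is ``$(foreach ca,$(shell cs_get_ca kernel-trusted),CONFIG_SYSTEM_TRUSTED_KEYS=$(ca))``, which assumes cs_get_ca prints one path without whitespace (paths containing spaces would break the existing version as well). A comment above the ``ifdef PTXCONF_KERNEL_CODE_SIGNING`` block explaining why ``:=`` cannot be used here (cs_get_ca is not yet installed into sysroot-host when kernel.make is parsed, as the commit message says) would save the next person from "fixing" it back.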