From: Michael Olbrich
To: ptxdist@pengutronix.de
Date: Tue, 27 Jul 2021 08:21:48 +0200
Message-Id: <20210727062148.1994283-1-m.olbrich@pengutronix.de>
In-Reply-To: <20210723142956.31879-2-rhi@pengutronix.de>
References: <20210723142956.31879-2-rhi@pengutronix.de>
Subject: Re: [ptxdist] [APPLIED] kernel: add support for module signing
Cc: Roland Hieber

Thanks, applied as 3ffb3585dd13de9e20d10b6e3fac142e8c7102b8.

Michael

[sent from post-receive hook]

On Tue, 27 Jul 2021 08:21:48 +0200, Roland Hieber wrote:
> Use the code signing role 'kernel-modules' to supply the kernel with the
> key for kernel module signing. This only works if kernel module signing
> is enabled in the kernel config file, so write a short paragraph for the
> "daily use" chapter in the docs about what has to be considered when using
> module signing in PTXdist.
>
> Signed-off-by: Roland Hieber
> Message-Id: <20210723142956.31879-2-rhi@pengutronix.de>
> Signed-off-by: Michael Olbrich
>
> diff --git a/doc/daily_work.inc b/doc/daily_work.inc
> index 4562b5ca70b9..37bb9bc48180 100644
> --- a/doc/daily_work.inc
> +++ b/doc/daily_work.inc
> @@ -157,6 +157,44 @@ add those certificates to the kernel trust root. > :ref:`cs_append_ca_from_pem`, or :ref:`cs_append_ca_from_uri` with the > ``kernel-trusted`` role to supply those certificates.) > > +Note that the kernel also always adds the module signing key to the trust root > +(see :ref:`kernel_module_signing` below). > +If the EVM key is signed by the module signing key (or if the two keys are the > +same *and* it is self-signed), no additional trust CA is necessary. > + > +.. _kernel_module_signing: > + > +Kernel Module Signing > +~~~~~~~~~~~~~~~~~~~~~ > + > +The kernel's build system can generate cryptographic signatures for all > +kernel modules during the build process. > +This can ensure that all modules loaded on the target at runtime have been > +built by a trustworthy source. > + > +If ``PTXCONF_KERNEL_MODULES_SIGN`` ("sign modules") is enabled in the > +platformconfig, PTXdist augments the kernel config with the following config > +options during the `kernel.compile` and `kernel.install` stages: > + > +* ``CONFIG_MODULE_SIG_KEY`` ("File name or PKCS#11 URI of module signing key"): > + PTXdist supplies the URI from the ``kernel-modules`` role of the configured > + code signing provider. > + (The code signing provider should use :ref:`cs_set_uri` to set the URI.) > + > +However, additional settings must also be enabled in the kernel config: > + > +* ``CONFIG_MODULE_SIG=y`` ("Module signature verification"): > + Enable this option for module signing, and to get access to its sub-options. > +* ``CONFIG_MODULE_SIG_ALL=y`` ("Automatically sign all modules"): > + Enable this option so that the kernel's build system signs the modules during > + PTXdist's `kernel.install` stage. > +* Additionally, ``CONFIG_MODULE_SIG_FORCE`` ("Require modules to be validly > + signed") can be useful so that the kernel refuses loading modules with > + invalid, untrusted, or no signature. 
> + > +For the full overview, refer to the `kernel's module signing documentation > +`_. > + > Discovering Runtime Dependencies > -------------------------------- > > diff --git a/platforms/kernel.in b/platforms/kernel.in > index 8fe47b741fa7..ff3cc8df4f47 100644 > --- a/platforms/kernel.in > +++ b/platforms/kernel.in > @@ -39,6 +39,21 @@ config KERNEL_MODULES_INSTALL > prompt "Install modules into /lib/modules" > depends on KERNEL_MODULES > > +config KERNEL_MODULES_SIGN > + bool > + depends on KERNEL_MODULES > + select KERNEL_CODE_SIGNING > + select KERNEL_MODULES_INSTALL > + prompt "sign modules" > + help > + If enabled, kernel modules are signed during the install stage with > + the key specified by the code signing provider in the "kernel-modules" > + role. > + > + See the section "Kernel module signing" in the "Daily Work" chapter in > + the PTXdist manual for use cases and more infos about what needs to be > + enabled in the kernel config file. > + > config KERNEL_VERSION > prompt "kernel version" > string > diff --git a/rules/kernel.make b/rules/kernel.make > index ac27450832df..9caff677918e 100644 > --- a/rules/kernel.make > +++ b/rules/kernel.make > @@ -76,6 +76,10 @@ KERNEL_BASE_OPT += \ > $(if $(shell cs_get_ca kernel-trusted), \ > CONFIG_SYSTEM_TRUSTED_KEYS=$(shell cs_get_ca kernel-trusted)) > endif > +ifdef PTXCONF_KERNEL_MODULES_SIGN > +KERNEL_BASE_OPT += \ > + CONFIG_MODULE_SIG_KEY='"$(shell cs_get_uri kernel-modules)"' > +endif > > # Intermediate option. This will be used by kernel module packages. > KERNEL_MODULE_OPT = \ _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
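Review bot: in the doc/daily_work.inc hunk, the sentence "PTXdist augments the kernel config with the following config options" introduces a list that contains only ``CONFIG_MODULE_SIG_KEY``, and the requirement that ``CONFIG_MODULE_SIG=y`` and ``CONFIG_MODULE_SIG_ALL=y`` be set by hand only follows in the next paragraph, so a reader skimming the first list can conclude that enabling "sign modules" is sufficient. Suggest stating up front that PTXdist supplies only the key URI and that without those two kernel options the `kernel.install` stage produces unsigned modules without any error. In the ``CONFIG_MODULE_SIG_FORCE`` bullet it is worth adding that without it the kernel still loads modules that are unsigned or carry an invalid signature and merely taints itself, so build-time signing alone gives no runtime guarantee.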
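Review bot: in the platforms/kernel.in hunk, the help text defers the hard requirement to the manual; since the option has no effect unless ``CONFIG_MODULE_SIG=y`` and ``CONFIG_MODULE_SIG_ALL=y`` are set in the kernel config, suggest naming that in the help text itself, e.g. "Requires CONFIG_MODULE_SIG=y and CONFIG_MODULE_SIG_ALL=y in the kernel config; otherwise no modules are signed." Two style points: the neighbouring ``KERNEL_VERSION`` entry puts ``prompt`` before the type while this one lists ``bool`` first, and "more infos" should read "more information".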
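Review bot: in the rules/kernel.make hunk, the new block passes ``$(shell cs_get_uri kernel-modules)`` straight into ``CONFIG_MODULE_SIG_KEY`` with no guard, unlike the ``kernel-trusted`` block directly above it, which wraps ``cs_get_ca`` in ``$(if ...)``. A code signing provider that does not define the ``kernel-modules`` role therefore yields ``CONFIG_MODULE_SIG_KEY='""'``, and the failure surfaces only later inside the kernel build, if at all. Suggest failing the stage with an explicit message when the URI is empty, since a missing key is a configuration error here rather than an optional input. Nothing in this rule checks that the kernel config actually has ``CONFIG_MODULE_SIG_ALL`` enabled either, so ``PTXCONF_KERNEL_MODULES_SIGN=y`` can silently produce unsigned modules; a post-install check that the installed .ko files carry a signature would close that gap.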