mailarchive of the ptxdist mailing list
 help / color / mirror / Atom feed
* [ptxdist] [PATCH v2 1/3] kernel: add CAs from the code signing provider to the kernel trust root
@ 2021-07-23 14:29 Roland Hieber
  2021-07-23 14:29 ` [ptxdist] [PATCH v2 2/3] kernel: add support for module signing Roland Hieber
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Roland Hieber @ 2021-07-23 14:29 UTC (permalink / raw)
  To: ptxdist; +Cc: Roland Hieber

Additional trusted CAs can be necessary for certain use cases, see the
snippet in the docs.

Current kernels don't cope well with an empty CONFIG_SYSTEM_TRUSTED_KEYS
variable, so only add it when the singing provider actually supplies a
non-empty list of CA certificates.

The cs_get_* functions print undefined strings when the code signing
provider hasn't been installed into sysroot-host yet, which is usually
the case when kernel.make is parsed at PTXdist startup. Therefore, all
variables that make use of need to be evaluated recursively when they
are used ('=' instead of ':=', except the options for the perf and iio
tools, were this is not needed. All other recipes using KERNEL_*
variables also already take care of this.)

Signed-off-by: Roland Hieber <rhi@pengutronix.de>
---
PATCH v2:
 - new in v2, split off from "[PATCH] kernel: add support for kernel
   module signing"
 - split docs into extra sections for trust root and module signing
 - add extra KERNEL_CODE_SIGNING platformconfig option
 - add kernel config options to KERNEL_BASE_OPT instead of using
   KERNEL_SIGN_OPT, and guard it with ifdef PTXCONF_KERNEL_CODE_SIGNING

 doc/daily_work.inc  | 34 ++++++++++++++++++++++++++++++++++
 platforms/kernel.in | 14 ++++++++++++++
 rules/kernel.make   | 16 +++++++++++-----
 3 files changed, 59 insertions(+), 5 deletions(-)

diff --git a/doc/daily_work.inc b/doc/daily_work.inc
index 3b436c21ff28..4562b5ca70b9 100644
--- a/doc/daily_work.inc
+++ b/doc/daily_work.inc
@@ -123,6 +123,40 @@ To rebuild the kernel:
          package. A ``ptxdist clean kernel`` call will only delete the
          symlinks in the build directory, but not clean the kernel compiled files.
 
+Using the Code Signing Infrastructure with the Kernel Recipe
+------------------------------------------------------------
+
+The kernel recipe can make use of the :ref:`code signing infrastructure
+<code_signing>` to supply cryptographic key material for several kernel features.
+They can be enabled in the `Linux kernel` section of ``ptxdist platformconfig``.
+
+.. important::
+
+   When supplying the kernel with key material, you should also make sure that
+   all necessary crypto algorithms are enabled in the kernel.
+   For example, if your module signing key is signed with an SHA256 hash,
+   you must enable ``CONFIG_CRYPTO_SHA256`` so that the signature can be verified.
+   Otherwise, some older kernels throw a stack trace on boot, and will not load
+   the supplied key material.
+
+.. _kernel_trust_root:
+
+Trusted Root CAs
+~~~~~~~~~~~~~~~~
+
+In some setups additional trusted CAs can be necessary;
+for example, when using EVM, the EVM key must be issued by a certificate that
+is trusted by the kernel.
+
+When ``PTXCONF_KERNEL_CODE_SIGNING`` ("depend on code signing infrastructure")
+is enabled in the platformconfig, and if the code signing provider supplies CA
+certificates in the ``kernel-trusted`` role,
+PTXdist adds the option ``CONFIG_SYSTEM_TRUSTED_KEYS`` to the kernel config to
+add those certificates to the kernel trust root.
+(The code signing provider should use :ref:`cs_append_ca_from_der`,
+:ref:`cs_append_ca_from_pem`, or :ref:`cs_append_ca_from_uri` with the
+``kernel-trusted`` role to supply those certificates.)
+
 Discovering Runtime Dependencies
 --------------------------------
 
diff --git a/platforms/kernel.in b/platforms/kernel.in
index c9511729f7f1..8fe47b741fa7 100644
--- a/platforms/kernel.in
+++ b/platforms/kernel.in
@@ -3,6 +3,7 @@
 menuconfig KERNEL
 	bool
 	default y
+	select CODE_SIGNING		if KERNEL_CODE_SIGNING
 	select HOST_U_BOOT_TOOLS	if KERNEL_IMAGE_U || (KERNEL_IMAGE_SIMPLE && ARCH_MICROBLAZE)
 	select HOST_ZSTD		if KERNEL_ZSTD
 	select HOST_XZ			if KERNEL_XZ
@@ -182,6 +183,19 @@ config KERNEL_DTS
 
 endif
 
+config KERNEL_CODE_SIGNING
+	prompt "use code signing infrastructure"
+	select KERNEL_OPENSSL
+	bool
+	help
+	  Enable this option if you want the kernel to make use of the code
+	  signing infrastructure, e.g. to supply trust roots from the
+	  'kernel-trusted' code signing role.
+
+	  See the section "Using the Code Signing Infrastructure with the Kernel
+	  Recipe" in the "Daily Use" chapter in the PTXdist manual for use
+	  cases and more information.
+
 config KERNEL_ZSTD
 	prompt "build zstd hosttool"
 	bool
diff --git a/rules/kernel.make b/rules/kernel.make
index 526bcd9beb3f..ac27450832df 100644
--- a/rules/kernel.make
+++ b/rules/kernel.make
@@ -67,17 +67,23 @@ endef
 KERNEL_MAKEVARS = $(call kernel/deprecated, KERNEL_MAKEVARS)
 
 # like kernel-opts but with different CROSS_COMPILE=
-KERNEL_BASE_OPT		:= \
+KERNEL_BASE_OPT		= \
 	$(call kernel-opts, KERNEL,$(KERNEL_CROSS_COMPILE)) \
 	$(call remove_quotes,$(PTXCONF_KERNEL_EXTRA_MAKEVARS))
 
+ifdef PTXCONF_KERNEL_CODE_SIGNING
+KERNEL_BASE_OPT		+= \
+	$(if $(shell cs_get_ca kernel-trusted), \
+		CONFIG_SYSTEM_TRUSTED_KEYS=$(shell cs_get_ca kernel-trusted))
+endif
+
 # Intermediate option. This will be used by kernel module packages.
-KERNEL_MODULE_OPT	:= \
+KERNEL_MODULE_OPT	= \
 	-C $(KERNEL_DIR) \
 	O=$(KERNEL_BUILD_DIR) \
 	$(KERNEL_BASE_OPT)
 
-KERNEL_SHARED_OPT	:= \
+KERNEL_SHARED_OPT	= \
 	$(KERNEL_MODULE_OPT)
 
 ifndef PTXCONF_KERNEL_GCC_PLUGINS
@@ -92,7 +98,7 @@ KERNEL_MAKE_ENV		:= \
 endif
 
 KERNEL_CONF_TOOL	:= kconfig
-KERNEL_CONF_OPT		:= \
+KERNEL_CONF_OPT		= \
 	$(KERNEL_SHARED_OPT)
 
 ifdef PTXCONF_KERNEL_CONFIG_BASE_VERSION
@@ -244,7 +250,7 @@ endif
 # Install
 # ----------------------------------------------------------------------------
 
-KERNEL_INSTALL_OPT := \
+KERNEL_INSTALL_OPT = \
 	$(KERNEL_BASE_OPT) \
 	modules_install
 
-- 
2.30.2


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de


^ permalink raw reply	[flat|nested] 6+ messages in thread

* [ptxdist] [PATCH v2 2/3] kernel: add support for module signing
  2021-07-23 14:29 [ptxdist] [PATCH v2 1/3] kernel: add CAs from the code signing provider to the kernel trust root Roland Hieber
@ 2021-07-23 14:29 ` Roland Hieber
  2021-07-27  6:21   ` [ptxdist] [APPLIED] " Michael Olbrich
  2021-07-23 14:29 ` [ptxdist] [PATCH v2 3/3] host-ptx-code-signing-dev: version bump 0.5 -> 0.6 Roland Hieber
  2021-07-27  6:21 ` [ptxdist] [APPLIED] kernel: add CAs from the code signing provider to the kernel trust root Michael Olbrich
  2 siblings, 1 reply; 6+ messages in thread
From: Roland Hieber @ 2021-07-23 14:29 UTC (permalink / raw)
  To: ptxdist; +Cc: Roland Hieber

Use the code signing role 'kernel-modules' to supply the kernel with the
key for kernel module singing. This only works if kernel module signing
is enabled in the kernel config file, so write a short paragraph for the
"daily use" chapter in the docs what has to be considered when using
module signing in PTXdist.

Signed-off-by: Roland Hieber <rhi@pengutronix.de>
---
PATCH v2:
 - rebase to current master
 - split trusted key handling into its own patch (see previous patch)
 - add CONFIG_MODULE_SIG_KEY to KENREL_BASE_OPT instead of
   KERNEL_SIGN_OPT, and only if module signing is enabled in the
   platformconfig
 - fix some typos and adapt documentation

PATCH v1: https://lore.ptxdist.org/ptxdist/20210719183053.3799-1-rhi@pengutronix.de

 doc/daily_work.inc  | 38 ++++++++++++++++++++++++++++++++++++++
 platforms/kernel.in | 15 +++++++++++++++
 rules/kernel.make   |  4 ++++
 3 files changed, 57 insertions(+)

diff --git a/doc/daily_work.inc b/doc/daily_work.inc
index 4562b5ca70b9..37bb9bc48180 100644
--- a/doc/daily_work.inc
+++ b/doc/daily_work.inc
@@ -157,6 +157,44 @@ add those certificates to the kernel trust root.
 :ref:`cs_append_ca_from_pem`, or :ref:`cs_append_ca_from_uri` with the
 ``kernel-trusted`` role to supply those certificates.)
 
+Note that the kernel also always adds the module signing key to the trust root
+(see :ref:`kernel_module_signing` below).
+If the EVM key is signed by the module signing key (or if the two keys are the
+same *and* it is self-signed), no additional trust CA is necessary.
+
+.. _kernel_module_signing:
+
+Kernel Module Signing
+~~~~~~~~~~~~~~~~~~~~~
+
+The kernel's build system can generate cryptographic signatures for all
+kernel modules during the build process.
+This can ensure that all modules loaded on the target at runtime have been
+built by a trustworthy source.
+
+If ``PTXCONF_KERNEL_MODULES_SIGN`` ("sign modules") is enabled in the
+platformconfig, PTXdist augments the kernel config with the following config
+options during the `kernel.compile` and `kernel.install` stages:
+
+* ``CONFIG_MODULE_SIG_KEY`` ("File name or PKCS#11 URI of module signing key"):
+  PTXdist supplies the URI from the ``kernel-modules`` role of the configured
+  code signing provider.
+  (The code signing provider should use :ref:`cs_set_uri` to set the URI.)
+
+However, additional settings must also be enabled in the kernel config:
+
+* ``CONFIG_MODULE_SIG=y`` ("Module signature verification"):
+  Enable this option for module signing, and to get access to its sub-options.
+* ``CONFIG_MODULE_SIG_ALL=y`` ("Automatically sign all modules"):
+  Enable this option so that the kernel's build system signs the modules during
+  PTXdist's `kernel.install` stage.
+* Additionally, ``CONFIG_MODULE_SIG_FORCE`` ("Require modules to be validly
+  signed") can be useful so that the kernel refuses loading modules with
+  invalid, untrusted, or no signature.
+
+For the full overview, refer to the `kernel's module signing documentation
+<https://www.kernel.org/doc/html/latest/admin-guide/module-signing.html>`_.
+
 Discovering Runtime Dependencies
 --------------------------------
 
diff --git a/platforms/kernel.in b/platforms/kernel.in
index 8fe47b741fa7..ff3cc8df4f47 100644
--- a/platforms/kernel.in
+++ b/platforms/kernel.in
@@ -39,6 +39,21 @@ config KERNEL_MODULES_INSTALL
 	prompt "Install modules into /lib/modules"
 	depends on KERNEL_MODULES
 
+config KERNEL_MODULES_SIGN
+	bool
+	depends on KERNEL_MODULES
+	select KERNEL_CODE_SIGNING
+	select KERNEL_MODULES_INSTALL
+	prompt "sign modules"
+	help
+	  If enabled, kernel modules are signed during the install stage with
+	  the key specified by the code signing provider in the "kernel-modules"
+	  role.
+
+	  See the section "Kernel module signing" in the "Daily Work" chapter in
+	  the PTXdist manual for use cases and more infos about what needs to be
+	  enabled in the kernel config file.
+
 config KERNEL_VERSION
 	prompt "kernel version"
 	string
diff --git a/rules/kernel.make b/rules/kernel.make
index ac27450832df..9caff677918e 100644
--- a/rules/kernel.make
+++ b/rules/kernel.make
@@ -76,6 +76,10 @@ KERNEL_BASE_OPT		+= \
 	$(if $(shell cs_get_ca kernel-trusted), \
 		CONFIG_SYSTEM_TRUSTED_KEYS=$(shell cs_get_ca kernel-trusted))
 endif
+ifdef PTXCONF_KERNEL_MODULES_SIGN
+KERNEL_BASE_OPT		+= \
+	CONFIG_MODULE_SIG_KEY='"$(shell cs_get_uri kernel-modules)"'
+endif
 
 # Intermediate option. This will be used by kernel module packages.
 KERNEL_MODULE_OPT	= \
-- 
2.30.2


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de


^ permalink raw reply	[flat|nested] 6+ messages in thread

* [ptxdist] [PATCH v2 3/3] host-ptx-code-signing-dev: version bump 0.5 -> 0.6
  2021-07-23 14:29 [ptxdist] [PATCH v2 1/3] kernel: add CAs from the code signing provider to the kernel trust root Roland Hieber
  2021-07-23 14:29 ` [ptxdist] [PATCH v2 2/3] kernel: add support for module signing Roland Hieber
@ 2021-07-23 14:29 ` Roland Hieber
  2021-07-27  6:21   ` [ptxdist] [APPLIED] " Michael Olbrich
  2021-07-27  6:21 ` [ptxdist] [APPLIED] kernel: add CAs from the code signing provider to the kernel trust root Michael Olbrich
  2 siblings, 1 reply; 6+ messages in thread
From: Roland Hieber @ 2021-07-23 14:29 UTC (permalink / raw)
  To: ptxdist; +Cc: Roland Hieber

Version 0.6 sets up keys for the 'kernel-modules' role.

Signed-off-by: Roland Hieber <rhi@pengutronix.de>
---
PATCH v2:
 - rebase to current master after commit bd8b3d01cbd0ce3af98f
   ("host-ptx-code-signing-dev: version bump 0.4 -> 0.5") was applied

PATCH v1: https://lore.ptxdist.org/ptxdist/20210720093850.22644-1-rhi@pengutronix.de

 rules/host-ptx-code-signing-dev.make | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/host-ptx-code-signing-dev.make b/rules/host-ptx-code-signing-dev.make
index 2314f88c2d88..b242d65fc1be 100644
--- a/rules/host-ptx-code-signing-dev.make
+++ b/rules/host-ptx-code-signing-dev.make
@@ -14,8 +14,8 @@ HOST_PACKAGES-$(PTXCONF_HOST_PTX_CODE_SIGNING_DEV) += host-ptx-code-signing-dev
 #
 # Paths and names
 #
-HOST_PTX_CODE_SIGNING_DEV_VERSION	:= 0.5
-HOST_PTX_CODE_SIGNING_DEV_MD5		:= ec83c9225c520932b515a7c3b353d149
+HOST_PTX_CODE_SIGNING_DEV_VERSION	:= 0.6
+HOST_PTX_CODE_SIGNING_DEV_MD5		:= 0c8b862d0976296f348358d8403a6a74
 HOST_PTX_CODE_SIGNING_DEV		:= ptx-code-signing-dev-$(HOST_PTX_CODE_SIGNING_DEV_VERSION)
 HOST_PTX_CODE_SIGNING_DEV_SUFFIX	:= tar.gz
 HOST_PTX_CODE_SIGNING_DEV_URL		:= https://git.pengutronix.de/cgit/ptx-code-signing-dev/snapshot/$(HOST_PTX_CODE_SIGNING_DEV).$(HOST_PTX_CODE_SIGNING_DEV_SUFFIX)
-- 
2.30.2


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [ptxdist] [APPLIED] kernel: add CAs from the code signing provider to the kernel trust root
  2021-07-23 14:29 [ptxdist] [PATCH v2 1/3] kernel: add CAs from the code signing provider to the kernel trust root Roland Hieber
  2021-07-23 14:29 ` [ptxdist] [PATCH v2 2/3] kernel: add support for module signing Roland Hieber
  2021-07-23 14:29 ` [ptxdist] [PATCH v2 3/3] host-ptx-code-signing-dev: version bump 0.5 -> 0.6 Roland Hieber
@ 2021-07-27  6:21 ` Michael Olbrich
  2 siblings, 0 replies; 6+ messages in thread
From: Michael Olbrich @ 2021-07-27  6:21 UTC (permalink / raw)
  To: ptxdist; +Cc: Roland Hieber

Thanks, applied as 7771a8c434c34cf8276be8f143e0182fac0909b5.

Michael

[sent from post-receive hook]

On Tue, 27 Jul 2021 08:21:46 +0200, Roland Hieber <rhi@pengutronix.de> wrote:
> Additional trusted CAs can be necessary for certain use cases, see the
> snippet in the docs.
> 
> Current kernels don't cope well with an empty CONFIG_SYSTEM_TRUSTED_KEYS
> variable, so only add it when the singing provider actually supplies a
> non-empty list of CA certificates.
> 
> The cs_get_* functions print undefined strings when the code signing
> provider hasn't been installed into sysroot-host yet, which is usually
> the case when kernel.make is parsed at PTXdist startup. Therefore, all
> variables that make use of need to be evaluated recursively when they
> are used ('=' instead of ':=', except the options for the perf and iio
> tools, were this is not needed. All other recipes using KERNEL_*
> variables also already take care of this.)
> 
> Signed-off-by: Roland Hieber <rhi@pengutronix.de>
> Message-Id: <20210723142956.31879-1-rhi@pengutronix.de>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/doc/daily_work.inc b/doc/daily_work.inc
> index 3b436c21ff28..4562b5ca70b9 100644
> --- a/doc/daily_work.inc
> +++ b/doc/daily_work.inc
> @@ -123,6 +123,40 @@ To rebuild the kernel:
>           package. A ``ptxdist clean kernel`` call will only delete the
>           symlinks in the build directory, but not clean the kernel compiled files.
>  
> +Using the Code Signing Infrastructure with the Kernel Recipe
> +------------------------------------------------------------
> +
> +The kernel recipe can make use of the :ref:`code signing infrastructure
> +<code_signing>` to supply cryptographic key material for several kernel features.
> +They can be enabled in the `Linux kernel` section of ``ptxdist platformconfig``.
> +
> +.. important::
> +
> +   When supplying the kernel with key material, you should also make sure that
> +   all necessary crypto algorithms are enabled in the kernel.
> +   For example, if your module signing key is signed with an SHA256 hash,
> +   you must enable ``CONFIG_CRYPTO_SHA256`` so that the signature can be verified.
> +   Otherwise, some older kernels throw a stack trace on boot, and will not load
> +   the supplied key material.
> +
> +.. _kernel_trust_root:
> +
> +Trusted Root CAs
> +~~~~~~~~~~~~~~~~
> +
> +In some setups additional trusted CAs can be necessary;
> +for example, when using EVM, the EVM key must be issued by a certificate that
> +is trusted by the kernel.
> +
> +When ``PTXCONF_KERNEL_CODE_SIGNING`` ("depend on code signing infrastructure")
> +is enabled in the platformconfig, and if the code signing provider supplies CA
> +certificates in the ``kernel-trusted`` role,
> +PTXdist adds the option ``CONFIG_SYSTEM_TRUSTED_KEYS`` to the kernel config to
> +add those certificates to the kernel trust root.
> +(The code signing provider should use :ref:`cs_append_ca_from_der`,
> +:ref:`cs_append_ca_from_pem`, or :ref:`cs_append_ca_from_uri` with the
> +``kernel-trusted`` role to supply those certificates.)
> +
>  Discovering Runtime Dependencies
>  --------------------------------
>  
> diff --git a/platforms/kernel.in b/platforms/kernel.in
> index c9511729f7f1..8fe47b741fa7 100644
> --- a/platforms/kernel.in
> +++ b/platforms/kernel.in
> @@ -3,6 +3,7 @@
>  menuconfig KERNEL
>  	bool
>  	default y
> +	select CODE_SIGNING		if KERNEL_CODE_SIGNING
>  	select HOST_U_BOOT_TOOLS	if KERNEL_IMAGE_U || (KERNEL_IMAGE_SIMPLE && ARCH_MICROBLAZE)
>  	select HOST_ZSTD		if KERNEL_ZSTD
>  	select HOST_XZ			if KERNEL_XZ
> @@ -182,6 +183,19 @@ config KERNEL_DTS
>  
>  endif
>  
> +config KERNEL_CODE_SIGNING
> +	prompt "use code signing infrastructure"
> +	select KERNEL_OPENSSL
> +	bool
> +	help
> +	  Enable this option if you want the kernel to make use of the code
> +	  signing infrastructure, e.g. to supply trust roots from the
> +	  'kernel-trusted' code signing role.
> +
> +	  See the section "Using the Code Signing Infrastructure with the Kernel
> +	  Recipe" in the "Daily Use" chapter in the PTXdist manual for use
> +	  cases and more information.
> +
>  config KERNEL_ZSTD
>  	prompt "build zstd hosttool"
>  	bool
> diff --git a/rules/kernel.make b/rules/kernel.make
> index 526bcd9beb3f..ac27450832df 100644
> --- a/rules/kernel.make
> +++ b/rules/kernel.make
> @@ -67,17 +67,23 @@ endef
>  KERNEL_MAKEVARS = $(call kernel/deprecated, KERNEL_MAKEVARS)
>  
>  # like kernel-opts but with different CROSS_COMPILE=
> -KERNEL_BASE_OPT		:= \
> +KERNEL_BASE_OPT		= \
>  	$(call kernel-opts, KERNEL,$(KERNEL_CROSS_COMPILE)) \
>  	$(call remove_quotes,$(PTXCONF_KERNEL_EXTRA_MAKEVARS))
>  
> +ifdef PTXCONF_KERNEL_CODE_SIGNING
> +KERNEL_BASE_OPT		+= \
> +	$(if $(shell cs_get_ca kernel-trusted), \
> +		CONFIG_SYSTEM_TRUSTED_KEYS=$(shell cs_get_ca kernel-trusted))
> +endif
> +
>  # Intermediate option. This will be used by kernel module packages.
> -KERNEL_MODULE_OPT	:= \
> +KERNEL_MODULE_OPT	= \
>  	-C $(KERNEL_DIR) \
>  	O=$(KERNEL_BUILD_DIR) \
>  	$(KERNEL_BASE_OPT)
>  
> -KERNEL_SHARED_OPT	:= \
> +KERNEL_SHARED_OPT	= \
>  	$(KERNEL_MODULE_OPT)
>  
>  ifndef PTXCONF_KERNEL_GCC_PLUGINS
> @@ -92,7 +98,7 @@ KERNEL_MAKE_ENV		:= \
>  endif
>  
>  KERNEL_CONF_TOOL	:= kconfig
> -KERNEL_CONF_OPT		:= \
> +KERNEL_CONF_OPT		= \
>  	$(KERNEL_SHARED_OPT)
>  
>  ifdef PTXCONF_KERNEL_CONFIG_BASE_VERSION
> @@ -244,7 +250,7 @@ endif
>  # Install
>  # ----------------------------------------------------------------------------
>  
> -KERNEL_INSTALL_OPT := \
> +KERNEL_INSTALL_OPT = \
>  	$(KERNEL_BASE_OPT) \
>  	modules_install
>  

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [ptxdist] [APPLIED] kernel: add support for module signing
  2021-07-23 14:29 ` [ptxdist] [PATCH v2 2/3] kernel: add support for module signing Roland Hieber
@ 2021-07-27  6:21   ` Michael Olbrich
  0 siblings, 0 replies; 6+ messages in thread
From: Michael Olbrich @ 2021-07-27  6:21 UTC (permalink / raw)
  To: ptxdist; +Cc: Roland Hieber

Thanks, applied as 3ffb3585dd13de9e20d10b6e3fac142e8c7102b8.

Michael

[sent from post-receive hook]

On Tue, 27 Jul 2021 08:21:48 +0200, Roland Hieber <rhi@pengutronix.de> wrote:
> Use the code signing role 'kernel-modules' to supply the kernel with the
> key for kernel module singing. This only works if kernel module signing
> is enabled in the kernel config file, so write a short paragraph for the
> "daily use" chapter in the docs what has to be considered when using
> module signing in PTXdist.
> 
> Signed-off-by: Roland Hieber <rhi@pengutronix.de>
> Message-Id: <20210723142956.31879-2-rhi@pengutronix.de>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/doc/daily_work.inc b/doc/daily_work.inc
> index 4562b5ca70b9..37bb9bc48180 100644
> --- a/doc/daily_work.inc
> +++ b/doc/daily_work.inc
> @@ -157,6 +157,44 @@ add those certificates to the kernel trust root.
>  :ref:`cs_append_ca_from_pem`, or :ref:`cs_append_ca_from_uri` with the
>  ``kernel-trusted`` role to supply those certificates.)
>  
> +Note that the kernel also always adds the module signing key to the trust root
> +(see :ref:`kernel_module_signing` below).
> +If the EVM key is signed by the module signing key (or if the two keys are the
> +same *and* it is self-signed), no additional trust CA is necessary.
> +
> +.. _kernel_module_signing:
> +
> +Kernel Module Signing
> +~~~~~~~~~~~~~~~~~~~~~
> +
> +The kernel's build system can generate cryptographic signatures for all
> +kernel modules during the build process.
> +This can ensure that all modules loaded on the target at runtime have been
> +built by a trustworthy source.
> +
> +If ``PTXCONF_KERNEL_MODULES_SIGN`` ("sign modules") is enabled in the
> +platformconfig, PTXdist augments the kernel config with the following config
> +options during the `kernel.compile` and `kernel.install` stages:
> +
> +* ``CONFIG_MODULE_SIG_KEY`` ("File name or PKCS#11 URI of module signing key"):
> +  PTXdist supplies the URI from the ``kernel-modules`` role of the configured
> +  code signing provider.
> +  (The code signing provider should use :ref:`cs_set_uri` to set the URI.)
> +
> +However, additional settings must also be enabled in the kernel config:
> +
> +* ``CONFIG_MODULE_SIG=y`` ("Module signature verification"):
> +  Enable this option for module signing, and to get access to its sub-options.
> +* ``CONFIG_MODULE_SIG_ALL=y`` ("Automatically sign all modules"):
> +  Enable this option so that the kernel's build system signs the modules during
> +  PTXdist's `kernel.install` stage.
> +* Additionally, ``CONFIG_MODULE_SIG_FORCE`` ("Require modules to be validly
> +  signed") can be useful so that the kernel refuses loading modules with
> +  invalid, untrusted, or no signature.
> +
> +For the full overview, refer to the `kernel's module signing documentation
> +<https://www.kernel.org/doc/html/latest/admin-guide/module-signing.html>`_.
> +
>  Discovering Runtime Dependencies
>  --------------------------------
>  
> diff --git a/platforms/kernel.in b/platforms/kernel.in
> index 8fe47b741fa7..ff3cc8df4f47 100644
> --- a/platforms/kernel.in
> +++ b/platforms/kernel.in
> @@ -39,6 +39,21 @@ config KERNEL_MODULES_INSTALL
>  	prompt "Install modules into /lib/modules"
>  	depends on KERNEL_MODULES
>  
> +config KERNEL_MODULES_SIGN
> +	bool
> +	depends on KERNEL_MODULES
> +	select KERNEL_CODE_SIGNING
> +	select KERNEL_MODULES_INSTALL
> +	prompt "sign modules"
> +	help
> +	  If enabled, kernel modules are signed during the install stage with
> +	  the key specified by the code signing provider in the "kernel-modules"
> +	  role.
> +
> +	  See the section "Kernel module signing" in the "Daily Work" chapter in
> +	  the PTXdist manual for use cases and more infos about what needs to be
> +	  enabled in the kernel config file.
> +
>  config KERNEL_VERSION
>  	prompt "kernel version"
>  	string
> diff --git a/rules/kernel.make b/rules/kernel.make
> index ac27450832df..9caff677918e 100644
> --- a/rules/kernel.make
> +++ b/rules/kernel.make
> @@ -76,6 +76,10 @@ KERNEL_BASE_OPT		+= \
>  	$(if $(shell cs_get_ca kernel-trusted), \
>  		CONFIG_SYSTEM_TRUSTED_KEYS=$(shell cs_get_ca kernel-trusted))
>  endif
> +ifdef PTXCONF_KERNEL_MODULES_SIGN
> +KERNEL_BASE_OPT		+= \
> +	CONFIG_MODULE_SIG_KEY='"$(shell cs_get_uri kernel-modules)"'
> +endif
>  
>  # Intermediate option. This will be used by kernel module packages.
>  KERNEL_MODULE_OPT	= \

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [ptxdist] [APPLIED] host-ptx-code-signing-dev: version bump 0.5 -> 0.6
  2021-07-23 14:29 ` [ptxdist] [PATCH v2 3/3] host-ptx-code-signing-dev: version bump 0.5 -> 0.6 Roland Hieber
@ 2021-07-27  6:21   ` Michael Olbrich
  0 siblings, 0 replies; 6+ messages in thread
From: Michael Olbrich @ 2021-07-27  6:21 UTC (permalink / raw)
  To: ptxdist; +Cc: Roland Hieber

Thanks, applied as d29bad5b9304f17f198df5fdff33265b3e9c8f7d.

Michael

[sent from post-receive hook]

On Tue, 27 Jul 2021 08:21:49 +0200, Roland Hieber <rhi@pengutronix.de> wrote:
> Version 0.6 sets up keys for the 'kernel-modules' role.
> 
> Signed-off-by: Roland Hieber <rhi@pengutronix.de>
> Message-Id: <20210723142956.31879-3-rhi@pengutronix.de>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/rules/host-ptx-code-signing-dev.make b/rules/host-ptx-code-signing-dev.make
> index 2314f88c2d88..b242d65fc1be 100644
> --- a/rules/host-ptx-code-signing-dev.make
> +++ b/rules/host-ptx-code-signing-dev.make
> @@ -14,8 +14,8 @@ HOST_PACKAGES-$(PTXCONF_HOST_PTX_CODE_SIGNING_DEV) += host-ptx-code-signing-dev
>  #
>  # Paths and names
>  #
> -HOST_PTX_CODE_SIGNING_DEV_VERSION	:= 0.5
> -HOST_PTX_CODE_SIGNING_DEV_MD5		:= ec83c9225c520932b515a7c3b353d149
> +HOST_PTX_CODE_SIGNING_DEV_VERSION	:= 0.6
> +HOST_PTX_CODE_SIGNING_DEV_MD5		:= 0c8b862d0976296f348358d8403a6a74
>  HOST_PTX_CODE_SIGNING_DEV		:= ptx-code-signing-dev-$(HOST_PTX_CODE_SIGNING_DEV_VERSION)
>  HOST_PTX_CODE_SIGNING_DEV_SUFFIX	:= tar.gz
>  HOST_PTX_CODE_SIGNING_DEV_URL		:= https://git.pengutronix.de/cgit/ptx-code-signing-dev/snapshot/$(HOST_PTX_CODE_SIGNING_DEV).$(HOST_PTX_CODE_SIGNING_DEV_SUFFIX)

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de


^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2021-07-27  6:22 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-07-23 14:29 [ptxdist] [PATCH v2 1/3] kernel: add CAs from the code signing provider to the kernel trust root Roland Hieber
2021-07-23 14:29 ` [ptxdist] [PATCH v2 2/3] kernel: add support for module signing Roland Hieber
2021-07-27  6:21   ` [ptxdist] [APPLIED] " Michael Olbrich
2021-07-23 14:29 ` [ptxdist] [PATCH v2 3/3] host-ptx-code-signing-dev: version bump 0.5 -> 0.6 Roland Hieber
2021-07-27  6:21   ` [ptxdist] [APPLIED] " Michael Olbrich
2021-07-27  6:21 ` [ptxdist] [APPLIED] kernel: add CAs from the code signing provider to the kernel trust root Michael Olbrich

mailarchive of the ptxdist mailing list

This inbox may be cloned and mirrored by anyone:

	git clone --mirror https://lore.ptxdist.org/ptxdist/0 ptxdist/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 ptxdist ptxdist/ https://lore.ptxdist.org/ptxdist \
		ptxdist@pengutronix.de
	public-inbox-index ptxdist

Example config snippet for mirrors.


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git