Comments (11)
Commenting here as this is the result returned by Google for "yocto sign out of tree kernel module": I was able to sign out of tree kernel modules by adding CONFIG_MODULE_SIG_ALL=y
to the kernel configuration (5.4 / dunfell). This adds the signature as part of the existing module_install
target and requires no change to the module code/recipes :)
from meta-secure-core.
When googling for Yocto/OE things, made sure to double-check the version of the results.
The link you provide for the out-of-tree modules guide is from 1.4-daisy, over 4 years ago. I don't know if much has changed in this aspect of OE, but maybe the latest documentation helps?
There has been some discussion on the yocto mailing list about signing, but I think that's mostly to do with u-boot and measured boot.
from meta-secure-core.
@twoerner Thanks for catching that! I was definitely following the latest documentation when creating my out-of-tree module recipe, but just grabbed the wrong link when I googled this documentation without checking the version.
Do you happen to know how the Linux kernel signs modules? Is it part of the make modules
step, or is it a separate stop altogether?
from meta-secure-core.
@robbawebba Currently, the modsign feature available in meta-integrity completely depends on kernel build infrastructure (aka kbuild). meta-integrity provides a signing key, and kbuild will sign kernel module with the signing tool scripts/sign-file during make modules_sign
if CONFIG_MODULE_SIG_ALL=y.
The usage of scripts/sign-file is:
<kern_src>/scripts/sign-file <hash_algo> <private_key_name> \
<x509_name> <module_name> [<dest_name>]
Here is a manual step to sign a kernel module with meta-secure-core build on my box:
$ cd $build/tmp/work/qemux86_64-poky-linux/linux-yocto/*/linux-qemux86_64-*-build/
$ ./scripts/sign-file sha256 modsign_key.pem certs/signing_key.x509 drivers/char/lp.ko lp.ko.signed
Check the signing result:
$ tail -1 lp.ko.signed
You will see a magic string "Module signature appended" if signing succeeds. Note that I don't actually run it.
However, we still need an engineering solution to handle out-of-tree kernel module in SDK and build infrastructure.
from meta-secure-core.
Hi @jiazhang0, Sorry for the delay! I had and idea on how to implement this and would like your feedback.
The overall solution that came to mind is a bbclass called signed-module
, that inherits from the OE module.bbclass
. It borrows everything from that class and adds an extra task right after the do_install (modules_install) task. This new task, let's call it do_sign
for now, will make use of the make modules_sign
target that's available for working with out-of-tree modules. Here's a link to the patch that I'm referencing: https://lore.kernel.org/patchwork/patch/337562/
So the Makefile for the out-of-tree module would need to include this target. Here's an example borrowed from meta-skeleton/recipes-kernel/hello-mod:
obj-m := hello.o
SRC := $(shell pwd)
all:
$(MAKE) -C $(KERNEL_SRC) M=$(SRC)
modules_install:
$(MAKE) -C $(KERNEL_SRC) M=$(SRC) modules_install
# new make target to support a signed-module bbclass
modules_sign:
$(MAKE) -C $(KERNEL_SRC) M=$(SRC) modules_sign
clean:
rm -f *.o *~ core .depend .*.cmd *.ko *.mod.c
rm -f Module.markers Module.symvers modules.order
rm -rf .tmp_versions Modules.symvers
@jiazhang0 Please let me know if you have any thoughts on this approach! I plan on creating an example of this bbclass to test this, so I'll let you know how it works out. If you don't mind, I am pretty interested in adding this enhancement to meta-secure-core. Thanks in advance!
from meta-secure-core.
@robbawebba This sounds good. You can even define a new meta-skeleton for meta-secure-core to do this.
from meta-secure-core.
@jiazhang0 Thanks!
Also, are there any special details I should consider when contributing this change? For example, what branch should be the destination branch of my PR? master, Sumo, or Rocko?
from meta-secure-core.
@robbawebba The master branch is good enough. I will cherry-pick your commit to other stable branches.
from meta-secure-core.
Any luck on this? Using make modules_sign doesn't seem to work as the recipe will run in the kbuild directory, and the key is not there. Trying to find a usable reference to the directory where the key is generated to reference it and use sign-file manually is not obvious to me, still looking for a way to do it.
from meta-secure-core.
Hi @bluca, It's been quite some time since I worked on this issue unfortunately. I took a stab at the make modules_sign
approach I explained above, but I quickly found the same issue that you are identifying. I have not resumed development on this issue because I got busy with other tasks at work. I might take another look this weekend to re-familiarize myself with the issue. I'll let you know if I discover anything, and please keep me updated if you find a solution as well.
from meta-secure-core.
Hi @yadutaf is it working the same with self-generated keys i.e configuring CONFIG_MODULE_SIG_KEY="certs/my_key.pem"
regards
KK
from meta-secure-core.
Related Issues (20)
- add LAYERSERIES_COMPAT for dunfell HOT 1
- Create gatesgarth branch HOT 3
- Fail to build sbsigntool HOT 27
- Grub embeded config does not always reflet the variable GRUB_SIGN_VERIFY_STRICT
- Use grub-efi without SELoader
- Setting GRUB_SIGN_VERIFY fail at deploy HOT 1
- Compilation error while enabling meta-secure-core HOT 1
- Secureboot - which certificate and from where it is used
- secure-core-image failed to build hddimg. (mismatch in grub-efi output name)
- shim_git.bb & efitools.inc Compile Failing
- fails patch of grub 2.04 with dunfell branch HOT 1
- Kirkstone support HOT 1
- efitools with digicert
- Secureboot fails to boot with error "Verification requested but nobody cares"
- tpm2_tss stack is missing TSS FAPI library
- Hosting at yoctoproject.org? HOT 2
- Cross compiling fails when libtss_esys.a is used to build application using ESAPI library
- Query reg. poky dunfell branch and meta-secure-core combination
- building tpm2-tss, tpm2-tools, tpm2-abrmd on x86 platform.
- Reg. build issue 'secure-core-image-initramfs-1.0-r0 do_rootfs: Could not invoke dnf. Command..'
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from meta-secure-core.