[yocto] [meta-security 2/3] kernel-modsign.bbclass: add support for kernel modules signing

akuster808 akuster808 at gmail.com
Sun Aug 4 08:30:19 PDT 2019



On 7/28/19 8:31 AM, Dmitry Eremin-Solenikov wrote:
> From: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov at mentor.com>
>
> Add bbclass responsible for handling signing of kernel modules.
>
> Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov at mentor.com>
> ---
>  meta-integrity/classes/kernel-modsign.bbclass | 29 +++++++++++++++++++
>  .../data/debug-keys/privkey_modsign.pem       | 28 ++++++++++++++++++
>  .../data/debug-keys/x509_modsign.crt          | 22 ++++++++++++++
>  3 files changed, 79 insertions(+)
>  create mode 100644 meta-integrity/classes/kernel-modsign.bbclass
>  create mode 100644 meta-integrity/data/debug-keys/privkey_modsign.pem
>  create mode 100644 meta-integrity/data/debug-keys/x509_modsign.crt
>
> diff --git a/meta-integrity/classes/kernel-modsign.bbclass b/meta-integrity/classes/kernel-modsign.bbclass
> new file mode 100644
> index 000000000000..1e4d94b79091
> --- /dev/null
> +++ b/meta-integrity/classes/kernel-modsign.bbclass
> @@ -0,0 +1,29 @@
> +# No default! Either this or MODSIGN_PRIVKEY/MODSIGN_X509 have to be
> +# set explicitly in a local.conf before activating kernel-modsign.
> +# To use the insecure (because public) example keys, use
> +# MODSIGN_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
> +MODSIGN_KEY_DIR ?= "MODSIGN_KEY_DIR_NOT_SET"
> +
> +# Private key for modules signing. The default is okay when
> +# using the example key directory.
> +MODSIGN_PRIVKEY ?= "${MODSIGN_KEY_DIR}/privkey_modsign.pem"
> +
> +# Public part of certificates used for modules signing.
> +# The default is okay when using the example key directory.
> +MODSIGN_X509 ?= "${MODSIGN_KEY_DIR}/x509_modsign.crt"
> +
> +# If this class is enabled, disable stripping signatures from modules
> +INHIBIT_PACKAGE_STRIP = "1"
> +
> +do_configure_prepend() {

This is being pulled in with every configure task and causing parsing
issues.

I changed it to "kernel_do_configure_prepend" and that fixed the issue I
was seeing.

Things appear to be still working. Can you double check?

- armin


> +    if [ -f "${MODSIGN_PRIVKEY}" -a -f "${MODSIGN_X509}" ]; then
> +        cat "${MODSIGN_PRIVKEY}" "${MODSIGN_X509}" \
> +            > "${B}/modsign_key.pem"
> +    else
> +        bberror "Either modsign key or certificate are invalid"
> +    fi
> +}
> +
> +do_shared_workdir_append() {
> +    cp modsign_key.pem $kerneldir/
> +}
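Review bot: `bberror` in the else branch only logs a message and lets do_configure continue, so a missing key or certificate does not stop the build at the point where it is detected; `bbfatal "Either modsign key or certificate are invalid"` is the call that fails the task. Two smaller points in the same function: `[ -f "${MODSIGN_PRIVKEY}" -a -f "${MODSIGN_X509}" ]` uses the non-portable `-a` binary primary, and `[ -f "${MODSIGN_PRIVKEY}" ] && [ -f "${MODSIGN_X509}" ]` is the portable spelling; and, as the reply above notes, `do_configure_prepend` attaches to every recipe that inherits the class, while `kernel_do_configure_prepend` keeps it scoped to the kernel configure step. `INHIBIT_PACKAGE_STRIP = "1"` has the same scoping concern: it disables stripping for every package of every recipe inheriting the class, not only the modules whose signatures the comment says it protects. `do_shared_workdir_append` also relies on kernel.bbclass having set `$kerneldir` and changed into `${B}` before the append runs; a one-line comment saying so would help the next reader.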
> diff --git a/meta-integrity/data/debug-keys/privkey_modsign.pem b/meta-integrity/data/debug-keys/privkey_modsign.pem
> new file mode 100644
> index 000000000000..4cac00ae303a
> --- /dev/null
> +++ b/meta-integrity/data/debug-keys/privkey_modsign.pem
> @@ -0,0 +1,28 @@
> +-----BEGIN PRIVATE KEY-----
> +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDEWsJjB2pA5Ih6
> +EelXvVjwWY1ix1azMciNRNPPQN1AMXF0K/VUkfOYbaPajg1cQYEf9gk3q7OZ5Axk
> +UY/e5piZORaPcsmj0lV0L+NSlRYydR5M/QxtEz26585FgqRGdAe6umStPmVKdqa2
> +d68O4PgQgJJtVuz6ndm+0uNEUDCVLwhkGQSwNB3qBbZAUX9escZ/a8eUiBfMYKaO
> +k8JRyM+2br9dgpTFg4UfBYexgNSQo8g5TIBGc8KgQiKCuFj1fQEhV5z4RusHthjc
> +NYXa3RHmdclxyrGeYr5ZRc47HqE1gd5NDR0WeHn4C4YKcfK1rZZz/2+6hfsIRfGx
> +6cQKk23hAgMBAAECggEAJ0ULiWirPG04SkmYxF5vEiqm1zGMymvTc0VnoxSS60q4
> +KQa9mvtRn5OV6JjuXRwQqga30zV4xvdP7yRMxMSTkllThL7tSuE/C+yj5xlABjlc
> +JQOa35mwh9fibg5xslF0Vkj+55MKCPlv4CBRl4Uwt4QvRMTUwk6dhMeCgmATR1J1
> +2/7AipjtfFYreDx7sLbRVvSzUhmZS0iCbNOhtTWPLNW+9YKHTOffKa04HzNtnAXq
> +OjJ0IRZD/C6LfkBUsnHg2eEiA97QXh/Srsl9nc8DaUK1IXRywEdmYIoNMWMav2Hm
> +RO8kkU30BqKW+/EO2ZbH2GmkxvwWd0ocBnLC3FRWEQKBgQDu4T8CB3YsOcVjqem4
> +iBlaSht/b46YQc7A1SOqZCimehmmXNSxQOkapIG3wlIr5edtXQA+xv09+WrproUB
> +SjAnqaH6pYeCvbNlY5k344gtYs+Kco2rq5GYa+LumAeX2Sam8F7u4LxvEogCecX7
> +e4rnG3lt3AVuuRE7zpCQtaWcJQKBgQDSbUvea9pcYli9pssTl+ijQKkgG9DdaYbA
> +I5w5bY1TPYZ/Ocysljefv/ssaHFh4DPxE1MQ5JHwZgZRo1EICxxYzGsLjyR/fmjz
> +1c/NJlTtalCNtLvWaf7b02ag/abnP8neiSpLL5xqHvGo5ikWwgYQD+9HVKGvL3S1
> +kI7x/ziADQKBgQCqFbkuMa/jh3LTJp0iZc1fa1qu3vhx0pFq3Zeab9w9xLxUps5O
> +MwCGltFBzNuDJBwm00wkZrzTjq6gGkHbjD5DT1XkyE13OqjsLQFgOOKyJiPN2Qik
> +TfHJzC91YMwvQ09xF78QaPXiRBiRYrEkAXACY56PKVS45I6vvcFTN/Ll/QKBgA9m
> +KDMyuVwhZlUaq6nXaBLqXHYZEwPhARd2g6xANCNvUTRmSnAm3hM2vW7WhdWfzq1J
> +uL53u6ZYEQZQaVGpXn2xF/RUmVsrKQsPDpH4yCZHrXVxUH20bA4yPkRxy5EIvgEn
> +EI1IAq5RbWXq0f70W/U49U3HB74GPwg6d/uFreDRAoGAN+v9gMQA6A1vM7LvbYR8
> +5CwwyqS/CfI9zKPLn53QstguXC/ObafIYQzVRqGb9lCQgtlmmKw4jMY0B/lDzpcH
> +zS8rqoyvDj/m7i17NYkqXErJKLRQ0ptXKdLXHlG0u185e7Y5p4O3Z5dk8bACkpHi
> +hp764y+BtU4qIcVaPsPK4uU=
> +-----END PRIVATE KEY-----
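Review bot: This commits an unencrypted RSA private key to the repository, which is acceptable for a debug key only if nothing can mistake it for a real one; the only warning is the comment on MODSIGN_KEY_DIR in the class, and the class does not react when that variable points at data/debug-keys. Suggest a `bbwarn` in kernel-modsign.bbclass whenever `MODSIGN_PRIVKEY` resolves to the shipped privkey_modsign.pem, and a README in data/debug-keys stating that the key is public and must not be used for production images.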
> diff --git a/meta-integrity/data/debug-keys/x509_modsign.crt b/meta-integrity/data/debug-keys/x509_modsign.crt
> new file mode 100644
> index 000000000000..5fa2a9062a89
> --- /dev/null
> +++ b/meta-integrity/data/debug-keys/x509_modsign.crt
> @@ -0,0 +1,22 @@
> +-----BEGIN CERTIFICATE-----
> +MIIDnjCCAoagAwIBAgIUUqmBj5Q8edHMMTXsoGVGEEKdwV4wDQYJKoZIhvcNAQEL
> +BQAwZzEqMCgGA1UEAxMhbWV0YS1zZWN1cml0eSBtb2R1bGVzIHNpZ25pbmcga2V5
> +MRQwEgYDVQQKEwtleGFtcGxlLmNvbTEjMCEGCSqGSIb3DQEJARYUam9obi5kb2VA
> +ZXhhbXBsZS5jb20wIBcNMTkwNzI3MjIzOTA3WhgPMjExOTA3MjcyMjM5MTVaMGcx
> +KjAoBgNVBAMTIW1ldGEtc2VjdXJpdHkgbW9kdWxlcyBzaWduaW5nIGtleTEUMBIG
> +A1UEChMLZXhhbXBsZS5jb20xIzAhBgkqhkiG9w0BCQEWFGpvaG4uZG9lQGV4YW1w
> +bGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxFrCYwdqQOSI
> +ehHpV71Y8FmNYsdWszHIjUTTz0DdQDFxdCv1VJHzmG2j2o4NXEGBH/YJN6uzmeQM
> +ZFGP3uaYmTkWj3LJo9JVdC/jUpUWMnUeTP0MbRM9uufORYKkRnQHurpkrT5lSnam
> +tnevDuD4EICSbVbs+p3ZvtLjRFAwlS8IZBkEsDQd6gW2QFF/XrHGf2vHlIgXzGCm
> +jpPCUcjPtm6/XYKUxYOFHwWHsYDUkKPIOUyARnPCoEIigrhY9X0BIVec+EbrB7YY
> +3DWF2t0R5nXJccqxnmK+WUXOOx6hNYHeTQ0dFnh5+AuGCnHyta2Wc/9vuoX7CEXx
> +senECpNt4QIDAQABo0AwPjAMBgNVHRMBAf8EAjAAMA8GA1UdDwEB/wQFAwMHgAAw
> +HQYDVR0OBBYEFDa35X9LnPlrd76inh/cYgeXh6X4MA0GCSqGSIb3DQEBCwUAA4IB
> +AQBTPTh7zY9BrfZW9Izk9JSZYNigwUDwjrhNBSLr5NKi2A/LmZ0jjdCDkwaCn5io
> +xrAq5oxPCAkwlzKwY2ootcL3+En4Pq2e5U+n9kRrpDpKKiR5/0S0d9vpgg4eZR0R
> +kxqE9APCQ5SFU3PgnJ5H5y2SPXzle3bgUsWxNGD81zXFn5clJj4XHvJDWTQ/jG7C
> +FTQ1o1HXtzda4EmKIzrSU/ayVbpPg5fPEBJjk/hHPT45kfzVZBuxwBLXVbe/YyWi
> +NTFWCbJwjZwVRKrsQ3HFpYMWvugtcsSHo7vGi06FvUHcS2sUZH5sFn7hulcIGICt
> +EztTO8Q+yhZujZbmEyJmxqZv
> +-----END CERTIFICATE-----
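Review bot: Nothing in the series records how x509_modsign.crt and its key were generated (subject, validity period, key usage, the openssl request configuration), so neither the debug pair nor a production pair can be regenerated the same way; add the generation script or an openssl config file next to the keys, in the way the kernel's certs/ directory keeps the x509.genkey template it generates signing_key from.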