[yocto] [meta-security 2/3] kernel-modsign.bbclass: add support for kernel modules signing

Dmitry Eremin-Solenikov dbaryshkov at gmail.com
Sun Aug 4 13:24:53 PDT 2019


Sun, 4 Aug 2019 at 18:30, akuster808 <akuster808 at gmail.com>:
> On 7/28/19 8:31 AM, Dmitry Eremin-Solenikov wrote:
> > From: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov at mentor.com>
> >
> > Add bbclass responsible for handling signing of kernel modules.
> >
> > Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov at mentor.com>
> > ---
> >  meta-integrity/classes/kernel-modsign.bbclass | 29 +++++++++++++++++++
> >  .../data/debug-keys/privkey_modsign.pem       | 28 ++++++++++++++++++
> >  .../data/debug-keys/x509_modsign.crt          | 22 ++++++++++++++
> >  3 files changed, 79 insertions(+)
> >  create mode 100644 meta-integrity/classes/kernel-modsign.bbclass
> >  create mode 100644 meta-integrity/data/debug-keys/privkey_modsign.pem
> >  create mode 100644 meta-integrity/data/debug-keys/x509_modsign.crt
> >
> > diff --git a/meta-integrity/classes/kernel-modsign.bbclass b/meta-integrity/classes/kernel-modsign.bbclass
> > new file mode 100644
> > index 000000000000..1e4d94b79091
> > --- /dev/null
> > +++ b/meta-integrity/classes/kernel-modsign.bbclass
> > @@ -0,0 +1,29 @@
> > +# No default! Either this or MODSIGN_PRIVKEY/MODSIGN_X509 have to be
> > +# set explicitly in a local.conf before activating kernel-modsign.
> > +# To use the insecure (because public) example keys, use
> > +# MODSIGN_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
> > +MODSIGN_KEY_DIR ?= "MODSIGN_KEY_DIR_NOT_SET"
> > +
> > +# Private key for modules signing. The default is okay when
> > +# using the example key directory.
> > +MODSIGN_PRIVKEY ?= "${MODSIGN_KEY_DIR}/privkey_modsign.pem"
> > +
> > +# Public part of certificates used for modules signing.
> > +# The default is okay when using the example key directory.
> > +MODSIGN_X509 ?= "${MODSIGN_KEY_DIR}/x509_modsign.crt"
> > +
> > +# If this class is enabled, disable stripping signatures from modules
> > +INHIBIT_PACKAGE_STRIP = "1"
> > +
> > +do_configure_prepend() {
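Review bot: the sentinel default `MODSIGN_KEY_DIR ?= "MODSIGN_KEY_DIR_NOT_SET"` is never validated in the lines shown, so a build that forgets to set it only fails later when the kernel configure step cannot open `${MODSIGN_KEY_DIR}/privkey_modsign.pem`; have the prepend test for the sentinel and for both key files existing, and stop with `bbfatal` and a clear message. Two smaller points: `INHIBIT_PACKAGE_STRIP = "1"` is a hard assignment rather than `?=`, so any recipe inheriting the class loses its own setting, and `do_configure_prepend` hooks every recipe's configure task when the class is inherited globally, which matches the parsing problem reported below; scoping it to the kernel task (`kernel_do_configure_prepend`) avoids that. Since `privkey_modsign.pem` ships in the layer, a `bbwarn` when `MODSIGN_KEY_DIR` resolves to the debug-keys directory would also help keep the public example key out of a production image.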
>
> This is being pulled in with every configure task and causing parsing
> issues.
>
> I changed it to "kernel_do_configure_prepend" and that fixed the issue I
> was seeing.

Interesting. I haven't seen this issue. Could you please share any details?

Changed bbclass appears to work for me, so either of them is fine from my
point of view.

> Things appear to still be working. Can you double check?

-- 
With best wishes
Dmitry
