[yocto] [meta-security 3/3] linux: add support for kernel modules signing

Dmitry Eremin-Solenikov dbaryshkov at gmail.com
Sun Jul 28 08:31:50 PDT 2019


From: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov at mentor.com>

Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov at mentor.com>
---
 meta-integrity/recipes-kernel/linux/linux-%.bbappend  | 3 +++
 meta-integrity/recipes-kernel/linux/linux/modsign.cfg | 5 +++++
 meta-integrity/recipes-kernel/linux/linux/modsign.scc | 4 ++++
 3 files changed, 12 insertions(+)
 create mode 100644 meta-integrity/recipes-kernel/linux/linux/modsign.cfg
 create mode 100644 meta-integrity/recipes-kernel/linux/linux/modsign.scc

diff --git a/meta-integrity/recipes-kernel/linux/linux-%.bbappend b/meta-integrity/recipes-kernel/linux/linux-%.bbappend
index 931854ef8257..ca96c8d1901e 100644
--- a/meta-integrity/recipes-kernel/linux/linux-%.bbappend
+++ b/meta-integrity/recipes-kernel/linux/linux-%.bbappend
@@ -1,3 +1,6 @@
 FILESEXTRAPATHS_prepend := "${THISDIR}/linux:"
 
 SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' file://ima.cfg', '', d)}"
+SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' file://modsign.scc file://modsign.cfg', '', d)}"
+
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', 'kernel-modsign', '', d)}
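Review bot: The new conditional `inherit` on the last line of the hunk applies to every recipe that `linux-%.bbappend` matches, which — if BitBake treats the `%` here as a plain prefix match, as I believe it does — includes non-kernel recipes such as linux-libc-headers and linux-firmware; the existing SRC_URI additions were inert there, but pulling kernel-modsign into those recipes may not be. Consider narrowing the append to the kernel recipe (e.g. a `linux-yocto%.bbappend`) or otherwise restricting the inherit to recipes that actually build a kernel. The kernel-modsign class itself is not part of this patch, so I cannot tell what it does when inherited by a non-kernel recipe.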
diff --git a/meta-integrity/recipes-kernel/linux/linux/modsign.cfg b/meta-integrity/recipes-kernel/linux/linux/modsign.cfg
new file mode 100644
index 000000000000..c0c4ebcf2e7b
--- /dev/null
+++ b/meta-integrity/recipes-kernel/linux/linux/modsign.cfg
@@ -0,0 +1,5 @@
+CONFIG_MODULE_SIG=y
+CONFIG_MODULE_SIG_FORCE=y
+CONFIG_MODULE_SIG_SHA256=y
+CONFIG_MODULE_SIG_HASH="sha256"
+CONFIG_MODULE_SIG_KEY="modsign_key.pem"
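Review bot: The fragment leaves `CONFIG_MODULE_SIG_ALL` (the option that makes `modules_install` sign the modules) to its Kconfig default, while `CONFIG_MODULE_SIG_FORCE=y` makes the kernel refuse any module that escapes signing, so pinning `CONFIG_MODULE_SIG_ALL=y` explicitly would avoid a hard-to-diagnose boot-time failure if that default changes. `CONFIG_MODULE_SIG_KEY="modsign_key.pem"` is a relative path, presumably supplied into the kernel build directory by the kernel-modsign class (not in this patch) before configuration; a `# key is provided by kernel-modsign.bbclass` comment in the fragment would make that dependency visible. Since the private key then sits inside the kernel build tree, it is worth checking that kernel-devsrc and the staged kernel source do not carry it into images or sstate.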
diff --git a/meta-integrity/recipes-kernel/linux/linux/modsign.scc b/meta-integrity/recipes-kernel/linux/linux/modsign.scc
new file mode 100644
index 000000000000..bce78ae9b145
--- /dev/null
+++ b/meta-integrity/recipes-kernel/linux/linux/modsign.scc
@@ -0,0 +1,4 @@
+define KFEATURE_DESCRIPTION "Kernel Module Signing (modsign) enablement"
+define KFEATURE_COMPATIBILITY all
+
+kconf non-hardware modsign.cfg
-- 
2.20.1


