Re: [OE-core] [PATCH] linux-yocto: enable strict kernel module signing by default

Mikko Rapeli Fri, 25 Nov 2022 07:57:53 -0800

Hi,

On Fri, Nov 25, 2022 at 05:54:12PM +0200, Mikko Rapeli wrote:
> It's a good default and used in many Linux distributions.
> Did not test out of tree modules if they do correct things but
> any such failures should be fixed.


When testing this I saw some odd results and cert verification
failures at runtime. I suspect it was just me and I did not take
into account how kernel and rootfs get deployed while rebuilding
the changes and can't reproduce any errors with this now.

But if this exposes any issues, then those would need to be fixed too.

I think this is a good default.

Cheers,

-Mikko

> One way to verify that kernel module signing also works:
> 
> root@qemux86-64:~# dmesg|grep X.509
> [    1.298936] Loading compiled-in X.509 certificates
> [    1.328280] Loaded X.509 cert 'Build time autogenerated kernel key: 
> ee1bed6d845358744c764683bf73b4404cc79287'
> 
> These logs in dmesg show that signing in kernel is enabled and
> key is found. Then if any kernel modules load, they were
> signed correctly. Additionally modinfo tool from kmod shows kernel module
> signing details:
> 
> root@qemux86-64:~# lsmod
> Module                  Size  Used by
> sch_fq_codel           20480  1
> root@qemux86-64:~# modinfo sch_fq_codel
> filename:
> /lib/modules/5.19.9-yocto-standard/kernel/net/sched/sch_fq_codel.ko
> description:    Fair Queue CoDel discipline
> license:        GPL
> author:         Eric Dumazet
> depends:
> retpoline:      Y
> intree:         Y
> name:           sch_fq_codel
> vermagic:       5.19.9-yocto-standard SMP preempt mod_unload
> sig_id:         PKCS#7
> signer:         Build time autogenerated kernel key
> sig_key:        2B:2A:BE:7D:B5:92:DC:98:A9:F8:D7:00:A6:73:35:20:10:D8:19:EE
> sig_hashalgo:   sha512
> signature:      72:6C:E1:78:7C:A7:7B:CC:C4:33:23:6B:95:EC:1B:2A:BD:D9:EC:7A:
>                 85:07:05:B2:70:3C:C9:64:F6:78:8A:01:A0:E3:64:C7:47:BB:5D:0E:
>                 86:BA:C1:DD:40:05:AE:1F:19:D4:F0:98:49:86:CC:61:14:3C:AB:1E:
>                 4A:1C:83:47:1D:FA:6D:E4:83:79:3A:2B:3F:7D:B6:E0:09:AE:B4:01:
>                 07:EE:C9:5B:99:70:4F:49:8A:64:E4:7D:84:AA:37:F5:DB:5F:16:5C:
>                 D4:DC:0C:33:73:5D:D9:8D:7E:71:5B:A1:ED:61:81:5E:1C:ED:A2:D8:
>                 76:46:99:B3:78:08:F7:7F:0D:4B:94:26:21:63:47:B0:75:9F:A4:EA:
>                 3D:14:D4:09:CC:59:F3:FC:80:AC:BF:56:1E:8C:73:FD:CB:07:27:C6:
>                 3D:98:4C:E4:C3:9C:C0:AD:90:53:46:8F:AE:66:FE:10:C8:92:7F:BA:
>                 74:C2:B0:E3:6E:47:66:AB:39:25:41:12:66:91:20:27:1A:58:77:75:
>                 4F:C0:3F:F1:8E:5F:AB:0A:BD:8B:62:4F:2B:01:5A:5C:4E:5C:31:39:
>                 FB:F4:14:2E:BF:D8:51:4B:C8:D0:E2:0A:20:80:95:05:80:E3:46:75:
>                 43:80:30:63:6F:A4:25:82:59:35:34:E8:6A:DC:FF:93:F8:32:BB:FA:
>                 66:2D:B9:08:75:1A:3A:3A:5D:57:F4:63:85:01:B4:EB:96:1B:CE:6F:
>                 4D:61:FC:AA:6C:39:7F:D6:37:C9:84:0A:84:17:FB:BE:FC:20:CB:EE:
>                 8C:2F:93:92:F6:48:F4:07:50:84:D8:2C:B5:2E:A7:7D:3A:3F:DC:E9:
>                 B9:17:EF:47:49:EC:BA:62:1C:C4:C6:58:9C:0C:8D:26:41:6E:1F:C1:
>                 95:A7:8B:57:5D:1D:4B:B4:04:00:F6:68:24:9E:E2:BF:11:EC:05:6C:
>                 83:E8:C6:DB:BB:3D:22:8B:31:BB:99:1A:44:E1:15:71:C3:AA:FA:01:
>                 98:BA:6B:20:26:D6:9C:61:5C:6F:81:29:09:B1:EA:C5:28:15:F3:98:
>                 C0:18:FE:08:8B:40:A5:F3:3C:71:4B:C6:41:CD:38:51:79:EA:5D:C9:
>                 13:39:B5:FD:A3:D1:BB:11:94:66:F7:7B:6A:DC:2C:01:5F:AB:73:08:
>                 68:24:32:BE:BC:7A:90:E5:FD:97:17:6C:DD:46:D0:0E:2C:03:31:66:
>                 B3:7C:B2:48:E1:E0:1A:63:20:48:4C:D4:55:56:71:04:3B:5F:3B:28:
>                 BF:64:6C:52:A9:07:6D:FF:21:E9:06:35:E8:A1:D7:F4:C2:F9:D7:7B:
>                 9D:D2:90:16:2F:68:1E:3F:BE:43:ED:64
> 
> Failures in signed kernel module loading should show as errors at
> runtime, for example systemd services, or as oeqa parselogs test
> failures which detects signature verification error messages from the
> kernel.
> 
> Signed-off-by: Mikko Rapeli <[email protected]>
> ---
>  meta/recipes-kernel/linux/linux-yocto.inc | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/meta/recipes-kernel/linux/linux-yocto.inc 
> b/meta/recipes-kernel/linux/linux-yocto.inc
> index 091003ed82..bab1f21479 100644
> --- a/meta/recipes-kernel/linux/linux-yocto.inc
> +++ b/meta/recipes-kernel/linux/linux-yocto.inc
> @@ -37,6 +37,9 @@ KERNEL_FEATURES:append = " 
> ${@bb.utils.contains('MACHINE_FEATURES', 'efi', 'cfg/
>  KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'numa', 
> 'features/numa/numa.scc', '', d)}"
>  KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'vfat', 
> 'cfg/fs/vfat.scc', '', d)}"
>  
> +# enable module signing by default
> +KERNEL_FEATURES:append = " features/module-signing/force-signing.scc"
> +
>  # A KMACHINE is the mapping of a yocto $MACHINE to what is built
>  # by the kernel. This is typically the branch that should be built,
>  # and it can be specific to the machine or shared
> -- 
> 2.35.1
>

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#173775): 
https://lists.openembedded.org/g/openembedded-core/message/173775
Mute This Topic: https://lists.openembedded.org/mt/95256076/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core] [PATCH] linux-yocto: enable strict kernel module signing by default

Reply via email to