On Mon, Nov 28, 2022 at 09:03:04AM -0500, Bruce Ashfield wrote: > On Mon, Nov 28, 2022 at 2:12 AM Mikko Rapeli <[email protected]> wrote: > > > > On Sat, Nov 26, 2022 at 10:06:57PM -0500, Bruce Ashfield wrote: > > > On Fri, Nov 25, 2022 at 10:54 AM Mikko Rapeli <[email protected]> > > > wrote: > > > > > > > > It's a good default and used in many Linux distributions. > > > > Did not test out of tree modules if they do correct things but > > > > any such failures should be fixed. > > > > > > > > One way to verify that kernel module signing also works: > > > > > > > > root@qemux86-64:~# dmesg|grep X.509 > > > > [ 1.298936] Loading compiled-in X.509 certificates > > > > [ 1.328280] Loaded X.509 cert 'Build time autogenerated kernel key: > > > > ee1bed6d845358744c764683bf73b4404cc79287' > > > > > > > > These logs in dmesg show that signing in kernel is enabled and > > > > key is found. Then if any kernel modules load, they were > > > > signed correctly. Additionally modinfo tool from kmod shows kernel > > > > module > > > > signing details: > > > > > > > > root@qemux86-64:~# lsmod > > > > Module Size Used by > > > > sch_fq_codel 20480 1 > > > > root@qemux86-64:~# modinfo sch_fq_codel > > > > filename: > > > > /lib/modules/5.19.9-yocto-standard/kernel/net/sched/sch_fq_codel.ko > > > > description: Fair Queue CoDel discipline > > > > license: GPL > > > > author: Eric Dumazet > > > > depends: > > > > retpoline: Y > > > > intree: Y > > > > name: sch_fq_codel > > > > vermagic: 5.19.9-yocto-standard SMP preempt mod_unload > > > > sig_id: PKCS#7 > > > > signer: Build time autogenerated kernel key > > > > sig_key: > > > > 2B:2A:BE:7D:B5:92:DC:98:A9:F8:D7:00:A6:73:35:20:10:D8:19:EE > > > > sig_hashalgo: sha512 > > > > signature: > > > > 72:6C:E1:78:7C:A7:7B:CC:C4:33:23:6B:95:EC:1B:2A:BD:D9:EC:7A: > > > > > > > > 85:07:05:B2:70:3C:C9:64:F6:78:8A:01:A0:E3:64:C7:47:BB:5D:0E: > > > > > > > > 86:BA:C1:DD:40:05:AE:1F:19:D4:F0:98:49:86:CC:61:14:3C:AB:1E: > > > > > > > > 4A:1C:83:47:1D:FA:6D:E4:83:79:3A:2B:3F:7D:B6:E0:09:AE:B4:01: > > > > > > > > 07:EE:C9:5B:99:70:4F:49:8A:64:E4:7D:84:AA:37:F5:DB:5F:16:5C: > > > > > > > > D4:DC:0C:33:73:5D:D9:8D:7E:71:5B:A1:ED:61:81:5E:1C:ED:A2:D8: > > > > > > > > 76:46:99:B3:78:08:F7:7F:0D:4B:94:26:21:63:47:B0:75:9F:A4:EA: > > > > > > > > 3D:14:D4:09:CC:59:F3:FC:80:AC:BF:56:1E:8C:73:FD:CB:07:27:C6: > > > > > > > > 3D:98:4C:E4:C3:9C:C0:AD:90:53:46:8F:AE:66:FE:10:C8:92:7F:BA: > > > > > > > > 74:C2:B0:E3:6E:47:66:AB:39:25:41:12:66:91:20:27:1A:58:77:75: > > > > > > > > 4F:C0:3F:F1:8E:5F:AB:0A:BD:8B:62:4F:2B:01:5A:5C:4E:5C:31:39: > > > > > > > > FB:F4:14:2E:BF:D8:51:4B:C8:D0:E2:0A:20:80:95:05:80:E3:46:75: > > > > > > > > 43:80:30:63:6F:A4:25:82:59:35:34:E8:6A:DC:FF:93:F8:32:BB:FA: > > > > > > > > 66:2D:B9:08:75:1A:3A:3A:5D:57:F4:63:85:01:B4:EB:96:1B:CE:6F: > > > > > > > > 4D:61:FC:AA:6C:39:7F:D6:37:C9:84:0A:84:17:FB:BE:FC:20:CB:EE: > > > > > > > > 8C:2F:93:92:F6:48:F4:07:50:84:D8:2C:B5:2E:A7:7D:3A:3F:DC:E9: > > > > > > > > B9:17:EF:47:49:EC:BA:62:1C:C4:C6:58:9C:0C:8D:26:41:6E:1F:C1: > > > > > > > > 95:A7:8B:57:5D:1D:4B:B4:04:00:F6:68:24:9E:E2:BF:11:EC:05:6C: > > > > > > > > 83:E8:C6:DB:BB:3D:22:8B:31:BB:99:1A:44:E1:15:71:C3:AA:FA:01: > > > > > > > > 98:BA:6B:20:26:D6:9C:61:5C:6F:81:29:09:B1:EA:C5:28:15:F3:98: > > > > > > > > C0:18:FE:08:8B:40:A5:F3:3C:71:4B:C6:41:CD:38:51:79:EA:5D:C9: > > > > > > > > 13:39:B5:FD:A3:D1:BB:11:94:66:F7:7B:6A:DC:2C:01:5F:AB:73:08: > > > > > > > > 68:24:32:BE:BC:7A:90:E5:FD:97:17:6C:DD:46:D0:0E:2C:03:31:66: > > > > > > > > B3:7C:B2:48:E1:E0:1A:63:20:48:4C:D4:55:56:71:04:3B:5F:3B:28: > > > > > > > > BF:64:6C:52:A9:07:6D:FF:21:E9:06:35:E8:A1:D7:F4:C2:F9:D7:7B: > > > > 9D:D2:90:16:2F:68:1E:3F:BE:43:ED:64 > > > > > > > > Failures in signed kernel module loading should show as errors at > > > > runtime, for example systemd services, or as oeqa parselogs test > > > > failures which detects signature verification error messages from the > > > > kernel. > > > > > > > > Signed-off-by: Mikko Rapeli <[email protected]> > > > > --- > > > > meta/recipes-kernel/linux/linux-yocto.inc | 3 +++ > > > > 1 file changed, 3 insertions(+) > > > > > > > > diff --git a/meta/recipes-kernel/linux/linux-yocto.inc > > > > b/meta/recipes-kernel/linux/linux-yocto.inc > > > > index 091003ed82..bab1f21479 100644 > > > > --- a/meta/recipes-kernel/linux/linux-yocto.inc > > > > +++ b/meta/recipes-kernel/linux/linux-yocto.inc > > > > @@ -37,6 +37,9 @@ KERNEL_FEATURES:append = " > > > > ${@bb.utils.contains('MACHINE_FEATURES', 'efi', 'cfg/ > > > > KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', > > > > 'numa', 'features/numa/numa.scc', '', d)}" > > > > KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', > > > > 'vfat', 'cfg/fs/vfat.scc', '', d)}" > > > > > > > > +# enable module signing by default > > > > +KERNEL_FEATURES:append = " features/module-signing/force-signing.scc" > > > > + > > > > > > For the reference kernels, there are a huge amount of use cases, and I > > > support a really broad set of deployments. > > > > > > We can enable this via either a distro or packageconfig, but not like > > > this, since disabling it is difficult and requires a :remove. It needs > > > to be opt-in. > > > > This signing is purely a kernel internal self protection. Thus I don't see a > > need for DISTRO_CONFIG, and kernel recipes don't use PACKAGECONFIG for > > some reason. I know :append is difficult to :remove but it's used with > > "numa", "vfat", > > "ptest" etc things too. > > And I've complained about those being added at times as well, in fact, > I have a bug somewhere to clean them up. > > Signing impacts the runtime, and can chain throughout the system (as > with the stripping of the modules), so in this case, it has to be > opt-in.
Ok, fair enough. This can't be the default then and this patch can be ignored. I hope the kmod openssl support can be enable by default though. linux-yocto too has openssl dependency by default even when signing is disabled. Cheers, -Mikko
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#173919): https://lists.openembedded.org/g/openembedded-core/message/173919 Mute This Topic: https://lists.openembedded.org/mt/95256076/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
