It's a good default and used in many Linux distributions.
Did not test out of tree modules if they do correct things but
any such failures should be fixed.

One way to verify that kernel module signing also works:

root@qemux86-64:~# dmesg|grep X.509
[ 1.298936] Loading compiled-in X.509 certificates
[ 1.328280] Loaded X.509 cert 'Build time autogenerated kernel key: ee1bed6d845358744c764683bf73b4404cc79287'

These logs in dmesg show that signing in kernel is enabled and
key is found. Then if any kernel modules load, they were
signed correctly. Additionally modinfo tool from kmod shows kernel module
signing details:

root@qemux86-64:~# lsmod
Module Size Used by
sch_fq_codel 20480 1
root@qemux86-64:~# modinfo sch_fq_codel
filename:
/lib/modules/5.19.9-yocto-standard/kernel/net/sched/sch_fq_codel.ko
description: Fair Queue CoDel discipline
license: GPL
author: Eric Dumazet
depends:
retpoline: Y
intree: Y
name: sch_fq_codel
vermagic: 5.19.9-yocto-standard SMP preempt mod_unload
sig_id: PKCS#7
signer: Build time autogenerated kernel key
sig_key: 2B:2A:BE:7D:B5:92:DC:98:A9:F8:D7:00:A6:73:35:20:10:D8:19:EE
sig_hashalgo: sha512
signature: 72:6C:E1:78:7C:A7:7B:CC:C4:33:23:6B:95:EC:1B:2A:BD:D9:EC:7A:
85:07:05:B2:70:3C:C9:64:F6:78:8A:01:A0:E3:64:C7:47:BB:5D:0E:
86:BA:C1:DD:40:05:AE:1F:19:D4:F0:98:49:86:CC:61:14:3C:AB:1E:
4A:1C:83:47:1D:FA:6D:E4:83:79:3A:2B:3F:7D:B6:E0:09:AE:B4:01:
07:EE:C9:5B:99:70:4F:49:8A:64:E4:7D:84:AA:37:F5:DB:5F:16:5C:
D4:DC:0C:33:73:5D:D9:8D:7E:71:5B:A1:ED:61:81:5E:1C:ED:A2:D8:
76:46:99:B3:78:08:F7:7F:0D:4B:94:26:21:63:47:B0:75:9F:A4:EA:
3D:14:D4:09:CC:59:F3:FC:80:AC:BF:56:1E:8C:73:FD:CB:07:27:C6:
3D:98:4C:E4:C3:9C:C0:AD:90:53:46:8F:AE:66:FE:10:C8:92:7F:BA:
74:C2:B0:E3:6E:47:66:AB:39:25:41:12:66:91:20:27:1A:58:77:75:
4F:C0:3F:F1:8E:5F:AB:0A:BD:8B:62:4F:2B:01:5A:5C:4E:5C:31:39:
FB:F4:14:2E:BF:D8:51:4B:C8:D0:E2:0A:20:80:95:05:80:E3:46:75:
43:80:30:63:6F:A4:25:82:59:35:34:E8:6A:DC:FF:93:F8:32:BB:FA:
66:2D:B9:08:75:1A:3A:3A:5D:57:F4:63:85:01:B4:EB:96:1B:CE:6F:
4D:61:FC:AA:6C:39:7F:D6:37:C9:84:0A:84:17:FB:BE:FC:20:CB:EE:
8C:2F:93:92:F6:48:F4:07:50:84:D8:2C:B5:2E:A7:7D:3A:3F:DC:E9:
B9:17:EF:47:49:EC:BA:62:1C:C4:C6:58:9C:0C:8D:26:41:6E:1F:C1:
95:A7:8B:57:5D:1D:4B:B4:04:00:F6:68:24:9E:E2:BF:11:EC:05:6C:
83:E8:C6:DB:BB:3D:22:8B:31:BB:99:1A:44:E1:15:71:C3:AA:FA:01:
98:BA:6B:20:26:D6:9C:61:5C:6F:81:29:09:B1:EA:C5:28:15:F3:98:
C0:18:FE:08:8B:40:A5:F3:3C:71:4B:C6:41:CD:38:51:79:EA:5D:C9:
13:39:B5:FD:A3:D1:BB:11:94:66:F7:7B:6A:DC:2C:01:5F:AB:73:08:
68:24:32:BE:BC:7A:90:E5:FD:97:17:6C:DD:46:D0:0E:2C:03:31:66:
B3:7C:B2:48:E1:E0:1A:63:20:48:4C:D4:55:56:71:04:3B:5F:3B:28:
BF:64:6C:52:A9:07:6D:FF:21:E9:06:35:E8:A1:D7:F4:C2:F9:D7:7B:
9D:D2:90:16:2F:68:1E:3F:BE:43:ED:64

Failures in signed kernel module loading should show as errors at
runtime, for example systemd services, or as oeqa parselogs test
failures which detects signature verification error messages from the
kernel.

Signed-off-by: Mikko Rapeli <mikko.rapeli@...>
---
meta/recipes-kernel/linux/linux-yocto.inc | 3 +++
1 file changed, 3 insertions(+)

diff --git a/meta/recipes-kernel/linux/linux-yocto.inc b/meta/recipes-kernel/linux/linux-yocto.inc
index 091003ed82..bab1f21479 100644
--- a/meta/recipes-kernel/linux/linux-yocto.inc
+++ b/meta/recipes-kernel/linux/linux-yocto.inc
@@ -37,6 +37,9 @@ KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'efi', 'cfg/
KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'numa', 'features/numa/numa.scc', '', d)}"
KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'vfat', 'cfg/fs/vfat.scc', '', d)}"

+# enable module signing by default
+KERNEL_FEATURES:append = " features/module-signing/force-signing.scc"
+
# A KMACHINE is the mapping of a yocto $MACHINE to what is built
# by the kernel. This is typically the branch that should be built,
# and it can be specific to the machine or shared
--
2.35.1

Hi,

On Fri, Nov 25, 2022 at 05:54:12PM +0200, Mikko Rapeli wrote:

It's a good default and used in many Linux distributions.
Did not test out of tree modules if they do correct things but
any such failures should be fixed.

When testing this I saw some odd results and cert verification
failures at runtime. I suspect it was just me and I did not take
into account how kernel and rootfs get deployed while rebuilding
the changes and can't reproduce any errors with this now.

But if this exposes any issues, then those would need to be fixed too.

I think this is a good default.

Cheers,

-Mikko

One way to verify that kernel module signing also works:

root@qemux86-64:~# dmesg|grep X.509
[ 1.298936] Loading compiled-in X.509 certificates
[ 1.328280] Loaded X.509 cert 'Build time autogenerated kernel key: ee1bed6d845358744c764683bf73b4404cc79287'

These logs in dmesg show that signing in kernel is enabled and
key is found. Then if any kernel modules load, they were
signed correctly. Additionally modinfo tool from kmod shows kernel module
signing details:

root@qemux86-64:~# lsmod
Module Size Used by
sch_fq_codel 20480 1
root@qemux86-64:~# modinfo sch_fq_codel
filename:
/lib/modules/5.19.9-yocto-standard/kernel/net/sched/sch_fq_codel.ko
description: Fair Queue CoDel discipline
license: GPL
author: Eric Dumazet
depends:
retpoline: Y
intree: Y
name: sch_fq_codel
vermagic: 5.19.9-yocto-standard SMP preempt mod_unload
sig_id: PKCS#7
signer: Build time autogenerated kernel key
sig_key: 2B:2A:BE:7D:B5:92:DC:98:A9:F8:D7:00:A6:73:35:20:10:D8:19:EE
sig_hashalgo: sha512
signature: 72:6C:E1:78:7C:A7:7B:CC:C4:33:23:6B:95:EC:1B:2A:BD:D9:EC:7A:
85:07:05:B2:70:3C:C9:64:F6:78:8A:01:A0:E3:64:C7:47:BB:5D:0E:
86:BA:C1:DD:40:05:AE:1F:19:D4:F0:98:49:86:CC:61:14:3C:AB:1E:
4A:1C:83:47:1D:FA:6D:E4:83:79:3A:2B:3F:7D:B6:E0:09:AE:B4:01:
07:EE:C9:5B:99:70:4F:49:8A:64:E4:7D:84:AA:37:F5:DB:5F:16:5C:
D4:DC:0C:33:73:5D:D9:8D:7E:71:5B:A1:ED:61:81:5E:1C:ED:A2:D8:
76:46:99:B3:78:08:F7:7F:0D:4B:94:26:21:63:47:B0:75:9F:A4:EA:
3D:14:D4:09:CC:59:F3:FC:80:AC:BF:56:1E:8C:73:FD:CB:07:27:C6:
3D:98:4C:E4:C3:9C:C0:AD:90:53:46:8F:AE:66:FE:10:C8:92:7F:BA:
74:C2:B0:E3:6E:47:66:AB:39:25:41:12:66:91:20:27:1A:58:77:75:
4F:C0:3F:F1:8E:5F:AB:0A:BD:8B:62:4F:2B:01:5A:5C:4E:5C:31:39:
FB:F4:14:2E:BF:D8:51:4B:C8:D0:E2:0A:20:80:95:05:80:E3:46:75:
43:80:30:63:6F:A4:25:82:59:35:34:E8:6A:DC:FF:93:F8:32:BB:FA:
66:2D:B9:08:75:1A:3A:3A:5D:57:F4:63:85:01:B4:EB:96:1B:CE:6F:
4D:61:FC:AA:6C:39:7F:D6:37:C9:84:0A:84:17:FB:BE:FC:20:CB:EE:
8C:2F:93:92:F6:48:F4:07:50:84:D8:2C:B5:2E:A7:7D:3A:3F:DC:E9:
B9:17:EF:47:49:EC:BA:62:1C:C4:C6:58:9C:0C:8D:26:41:6E:1F:C1:
95:A7:8B:57:5D:1D:4B:B4:04:00:F6:68:24:9E:E2:BF:11:EC:05:6C:
83:E8:C6:DB:BB:3D:22:8B:31:BB:99:1A:44:E1:15:71:C3:AA:FA:01:
98:BA:6B:20:26:D6:9C:61:5C:6F:81:29:09:B1:EA:C5:28:15:F3:98:
C0:18:FE:08:8B:40:A5:F3:3C:71:4B:C6:41:CD:38:51:79:EA:5D:C9:
13:39:B5:FD:A3:D1:BB:11:94:66:F7:7B:6A:DC:2C:01:5F:AB:73:08:
68:24:32:BE:BC:7A:90:E5:FD:97:17:6C:DD:46:D0:0E:2C:03:31:66:
B3:7C:B2:48:E1:E0:1A:63:20:48:4C:D4:55:56:71:04:3B:5F:3B:28:
BF:64:6C:52:A9:07:6D:FF:21:E9:06:35:E8:A1:D7:F4:C2:F9:D7:7B:
9D:D2:90:16:2F:68:1E:3F:BE:43:ED:64

Failures in signed kernel module loading should show as errors at
runtime, for example systemd services, or as oeqa parselogs test
failures which detects signature verification error messages from the
kernel.

Signed-off-by: Mikko Rapeli <mikko.rapeli@...>
---
meta/recipes-kernel/linux/linux-yocto.inc | 3 +++
1 file changed, 3 insertions(+)

diff --git a/meta/recipes-kernel/linux/linux-yocto.inc b/meta/recipes-kernel/linux/linux-yocto.inc
index 091003ed82..bab1f21479 100644
--- a/meta/recipes-kernel/linux/linux-yocto.inc
+++ b/meta/recipes-kernel/linux/linux-yocto.inc
@@ -37,6 +37,9 @@ KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'efi', 'cfg/
KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'numa', 'features/numa/numa.scc', '', d)}"
KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'vfat', 'cfg/fs/vfat.scc', '', d)}"

+# enable module signing by default
+KERNEL_FEATURES:append = " features/module-signing/force-signing.scc"
+
# A KMACHINE is the mapping of a yocto $MACHINE to what is built
# by the kernel. This is typically the branch that should be built,
# and it can be specific to the machine or shared
--
2.35.1

On 25/11/2022 15:54, Mikko Rapeli wrote:

It's a good default and used in many Linux distributions.
Did not test out of tree modules if they do correct things but
any such failures should be fixed.

One way to verify that kernel module signing also works:

root@qemux86-64:~# dmesg|grep X.509
[ 1.298936] Loading compiled-in X.509 certificates
[ 1.328280] Loaded X.509 cert 'Build time autogenerated kernel key: ee1bed6d845358744c764683bf73b4404cc79287'

These logs in dmesg show that signing in kernel is enabled and
key is found. Then if any kernel modules load, they were
signed correctly. Additionally modinfo tool from kmod shows kernel module
signing details:

Hi Mikko,

Do the kernel modules get properly stripped, last time I was looking at
this it was skipped when signed and as such root filesystem sizes
ballooned with signed modules.

Regards,
Jack.

root@qemux86-64:~# lsmod
Module Size Used by
sch_fq_codel 20480 1
root@qemux86-64:~# modinfo sch_fq_codel
filename:
/lib/modules/5.19.9-yocto-standard/kernel/net/sched/sch_fq_codel.ko
description: Fair Queue CoDel discipline
license: GPL
author: Eric Dumazet
depends:
retpoline: Y
intree: Y
name: sch_fq_codel
vermagic: 5.19.9-yocto-standard SMP preempt mod_unload
sig_id: PKCS#7
signer: Build time autogenerated kernel key
sig_key: 2B:2A:BE:7D:B5:92:DC:98:A9:F8:D7:00:A6:73:35:20:10:D8:19:EE
sig_hashalgo: sha512
signature: 72:6C:E1:78:7C:A7:7B:CC:C4:33:23:6B:95:EC:1B:2A:BD:D9:EC:7A:
85:07:05:B2:70:3C:C9:64:F6:78:8A:01:A0:E3:64:C7:47:BB:5D:0E:
86:BA:C1:DD:40:05:AE:1F:19:D4:F0:98:49:86:CC:61:14:3C:AB:1E:
4A:1C:83:47:1D:FA:6D:E4:83:79:3A:2B:3F:7D:B6:E0:09:AE:B4:01:
07:EE:C9:5B:99:70:4F:49:8A:64:E4:7D:84:AA:37:F5:DB:5F:16:5C:
D4:DC:0C:33:73:5D:D9:8D:7E:71:5B:A1:ED:61:81:5E:1C:ED:A2:D8:
76:46:99:B3:78:08:F7:7F:0D:4B:94:26:21:63:47:B0:75:9F:A4:EA:
3D:14:D4:09:CC:59:F3:FC:80:AC:BF:56:1E:8C:73:FD:CB:07:27:C6:
3D:98:4C:E4:C3:9C:C0:AD:90:53:46:8F:AE:66:FE:10:C8:92:7F:BA:
74:C2:B0:E3:6E:47:66:AB:39:25:41:12:66:91:20:27:1A:58:77:75:
4F:C0:3F:F1:8E:5F:AB:0A:BD:8B:62:4F:2B:01:5A:5C:4E:5C:31:39:
FB:F4:14:2E:BF:D8:51:4B:C8:D0:E2:0A:20:80:95:05:80:E3:46:75:
43:80:30:63:6F:A4:25:82:59:35:34:E8:6A:DC:FF:93:F8:32:BB:FA:
66:2D:B9:08:75:1A:3A:3A:5D:57:F4:63:85:01:B4:EB:96:1B:CE:6F:
4D:61:FC:AA:6C:39:7F:D6:37:C9:84:0A:84:17:FB:BE:FC:20:CB:EE:
8C:2F:93:92:F6:48:F4:07:50:84:D8:2C:B5:2E:A7:7D:3A:3F:DC:E9:
B9:17:EF:47:49:EC:BA:62:1C:C4:C6:58:9C:0C:8D:26:41:6E:1F:C1:
95:A7:8B:57:5D:1D:4B:B4:04:00:F6:68:24:9E:E2:BF:11:EC:05:6C:
83:E8:C6:DB:BB:3D:22:8B:31:BB:99:1A:44:E1:15:71:C3:AA:FA:01:
98:BA:6B:20:26:D6:9C:61:5C:6F:81:29:09:B1:EA:C5:28:15:F3:98:
C0:18:FE:08:8B:40:A5:F3:3C:71:4B:C6:41:CD:38:51:79:EA:5D:C9:
13:39:B5:FD:A3:D1:BB:11:94:66:F7:7B:6A:DC:2C:01:5F:AB:73:08:
68:24:32:BE:BC:7A:90:E5:FD:97:17:6C:DD:46:D0:0E:2C:03:31:66:
B3:7C:B2:48:E1:E0:1A:63:20:48:4C:D4:55:56:71:04:3B:5F:3B:28:
BF:64:6C:52:A9:07:6D:FF:21:E9:06:35:E8:A1:D7:F4:C2:F9:D7:7B:
9D:D2:90:16:2F:68:1E:3F:BE:43:ED:64

Failures in signed kernel module loading should show as errors at
runtime, for example systemd services, or as oeqa parselogs test
failures which detects signature verification error messages from the
kernel.

Signed-off-by: Mikko Rapeli <mikko.rapeli@...>
---
meta/recipes-kernel/linux/linux-yocto.inc | 3 +++
1 file changed, 3 insertions(+)

diff --git a/meta/recipes-kernel/linux/linux-yocto.inc b/meta/recipes-kernel/linux/linux-yocto.inc
index 091003ed82..bab1f21479 100644
--- a/meta/recipes-kernel/linux/linux-yocto.inc
+++ b/meta/recipes-kernel/linux/linux-yocto.inc
@@ -37,6 +37,9 @@ KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'efi', 'cfg/
KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'numa', 'features/numa/numa.scc', '', d)}"
KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'vfat', 'cfg/fs/vfat.scc', '', d)}"

+# enable module signing by default
+KERNEL_FEATURES:append = " features/module-signing/force-signing.scc"
+
# A KMACHINE is the mapping of a yocto $MACHINE to what is built
# by the kernel. This is typically the branch that should be built,
# and it can be specific to the machine or shared

--
Jack Mitchell, Consultant
https://www.tuxable.co.uk

Hi,

On Fri, Nov 25, 2022 at 04:11:40PM +0000, Jack Mitchell wrote:

On 25/11/2022 15:54, Mikko Rapeli wrote:

It's a good default and used in many Linux distributions.
Did not test out of tree modules if they do correct things but
any such failures should be fixed.

One way to verify that kernel module signing also works:

root@qemux86-64:~# dmesg|grep X.509
[ 1.298936] Loading compiled-in X.509 certificates
[ 1.328280] Loaded X.509 cert 'Build time autogenerated kernel key: ee1bed6d845358744c764683bf73b4404cc79287'

These logs in dmesg show that signing in kernel is enabled and
key is found. Then if any kernel modules load, they were
signed correctly. Additionally modinfo tool from kmod shows kernel module
signing details:

Hi Mikko,

Do the kernel modules get properly stripped, last time I was looking at
this it was skipped when signed and as such root filesystem sizes
ballooned with signed modules.

Yes, possibly. Linux kernel build scripts can also do this stripping
though, and they do it correctly for kernel modules wile keeping signing
and other data intact.

We could provide EXTRA_OEMAKE += "INSTALL_MOD_STRIP=1" for kernel and
module builds to strip debug info.

$ cat linux/scripts/Makefile.modinst
...
# Strip
#
# INSTALL_MOD_STRIP, if defined, will cause modules to be stripped after
# they
# are installed. If INSTALL_MOD_STRIP is '1', then the default option
# --strip-debug will be used. Otherwise, INSTALL_MOD_STRIP value will be
# used
# as the options to the strip command.
ifdef INSTALL_MOD_STRIP

ifeq ($(INSTALL_MOD_STRIP),1)
strip-option := --strip-debug
else
strip-option := $(INSTALL_MOD_STRIP)
endif
...

Cheers,

-Mikko

On Fri, Nov 25, 2022 at 10:54 AM Mikko Rapeli <mikko.rapeli@...> wrote:

It's a good default and used in many Linux distributions.
Did not test out of tree modules if they do correct things but
any such failures should be fixed.

One way to verify that kernel module signing also works:

root@qemux86-64:~# dmesg|grep X.509
[ 1.298936] Loading compiled-in X.509 certificates
[ 1.328280] Loaded X.509 cert 'Build time autogenerated kernel key: ee1bed6d845358744c764683bf73b4404cc79287'

These logs in dmesg show that signing in kernel is enabled and
key is found. Then if any kernel modules load, they were
signed correctly. Additionally modinfo tool from kmod shows kernel module
signing details:

root@qemux86-64:~# lsmod
Module Size Used by
sch_fq_codel 20480 1
root@qemux86-64:~# modinfo sch_fq_codel
filename:
/lib/modules/5.19.9-yocto-standard/kernel/net/sched/sch_fq_codel.ko
description: Fair Queue CoDel discipline
license: GPL
author: Eric Dumazet
depends:
retpoline: Y
intree: Y
name: sch_fq_codel
vermagic: 5.19.9-yocto-standard SMP preempt mod_unload
sig_id: PKCS#7
signer: Build time autogenerated kernel key
sig_key: 2B:2A:BE:7D:B5:92:DC:98:A9:F8:D7:00:A6:73:35:20:10:D8:19:EE
sig_hashalgo: sha512
signature: 72:6C:E1:78:7C:A7:7B:CC:C4:33:23:6B:95:EC:1B:2A:BD:D9:EC:7A:
85:07:05:B2:70:3C:C9:64:F6:78:8A:01:A0:E3:64:C7:47:BB:5D:0E:
86:BA:C1:DD:40:05:AE:1F:19:D4:F0:98:49:86:CC:61:14:3C:AB:1E:
4A:1C:83:47:1D:FA:6D:E4:83:79:3A:2B:3F:7D:B6:E0:09:AE:B4:01:
07:EE:C9:5B:99:70:4F:49:8A:64:E4:7D:84:AA:37:F5:DB:5F:16:5C:
D4:DC:0C:33:73:5D:D9:8D:7E:71:5B:A1:ED:61:81:5E:1C:ED:A2:D8:
76:46:99:B3:78:08:F7:7F:0D:4B:94:26:21:63:47:B0:75:9F:A4:EA:
3D:14:D4:09:CC:59:F3:FC:80:AC:BF:56:1E:8C:73:FD:CB:07:27:C6:
3D:98:4C:E4:C3:9C:C0:AD:90:53:46:8F:AE:66:FE:10:C8:92:7F:BA:
74:C2:B0:E3:6E:47:66:AB:39:25:41:12:66:91:20:27:1A:58:77:75:
4F:C0:3F:F1:8E:5F:AB:0A:BD:8B:62:4F:2B:01:5A:5C:4E:5C:31:39:
FB:F4:14:2E:BF:D8:51:4B:C8:D0:E2:0A:20:80:95:05:80:E3:46:75:
43:80:30:63:6F:A4:25:82:59:35:34:E8:6A:DC:FF:93:F8:32:BB:FA:
66:2D:B9:08:75:1A:3A:3A:5D:57:F4:63:85:01:B4:EB:96:1B:CE:6F:
4D:61:FC:AA:6C:39:7F:D6:37:C9:84:0A:84:17:FB:BE:FC:20:CB:EE:
8C:2F:93:92:F6:48:F4:07:50:84:D8:2C:B5:2E:A7:7D:3A:3F:DC:E9:
B9:17:EF:47:49:EC:BA:62:1C:C4:C6:58:9C:0C:8D:26:41:6E:1F:C1:
95:A7:8B:57:5D:1D:4B:B4:04:00:F6:68:24:9E:E2:BF:11:EC:05:6C:
83:E8:C6:DB:BB:3D:22:8B:31:BB:99:1A:44:E1:15:71:C3:AA:FA:01:
98:BA:6B:20:26:D6:9C:61:5C:6F:81:29:09:B1:EA:C5:28:15:F3:98:
C0:18:FE:08:8B:40:A5:F3:3C:71:4B:C6:41:CD:38:51:79:EA:5D:C9:
13:39:B5:FD:A3:D1:BB:11:94:66:F7:7B:6A:DC:2C:01:5F:AB:73:08:
68:24:32:BE:BC:7A:90:E5:FD:97:17:6C:DD:46:D0:0E:2C:03:31:66:
B3:7C:B2:48:E1:E0:1A:63:20:48:4C:D4:55:56:71:04:3B:5F:3B:28:
BF:64:6C:52:A9:07:6D:FF:21:E9:06:35:E8:A1:D7:F4:C2:F9:D7:7B:
9D:D2:90:16:2F:68:1E:3F:BE:43:ED:64

Failures in signed kernel module loading should show as errors at
runtime, for example systemd services, or as oeqa parselogs test
failures which detects signature verification error messages from the
kernel.

Signed-off-by: Mikko Rapeli <mikko.rapeli@...>
---
meta/recipes-kernel/linux/linux-yocto.inc | 3 +++
1 file changed, 3 insertions(+)

diff --git a/meta/recipes-kernel/linux/linux-yocto.inc b/meta/recipes-kernel/linux/linux-yocto.inc
index 091003ed82..bab1f21479 100644
--- a/meta/recipes-kernel/linux/linux-yocto.inc
+++ b/meta/recipes-kernel/linux/linux-yocto.inc
@@ -37,6 +37,9 @@ KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'efi', 'cfg/
KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'numa', 'features/numa/numa.scc', '', d)}"
KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'vfat', 'cfg/fs/vfat.scc', '', d)}"

+# enable module signing by default
+KERNEL_FEATURES:append = " features/module-signing/force-signing.scc"
+

For the reference kernels, there are a huge amount of use cases, and I
support a really broad set of deployments.

We can enable this via either a distro or packageconfig, but not like
this, since disabling it is difficult and requires a :remove. It needs
to be opt-in.

Bruce

# A KMACHINE is the mapping of a yocto $MACHINE to what is built
# by the kernel. This is typically the branch that should be built,
# and it can be specific to the machine or shared
--
2.35.1

--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II

On Fri, Nov 25, 2022 at 11:11 AM Jack Mitchell <ml@...> wrote:

On 25/11/2022 15:54, Mikko Rapeli wrote:

It's a good default and used in many Linux distributions.
Did not test out of tree modules if they do correct things but
any such failures should be fixed.

One way to verify that kernel module signing also works:

root@qemux86-64:~# dmesg|grep X.509
[ 1.298936] Loading compiled-in X.509 certificates
[ 1.328280] Loaded X.509 cert 'Build time autogenerated kernel key: ee1bed6d845358744c764683bf73b4404cc79287'

These logs in dmesg show that signing in kernel is enabled and
key is found. Then if any kernel modules load, they were
signed correctly. Additionally modinfo tool from kmod shows kernel module
signing details:

Hi Mikko,

Do the kernel modules get properly stripped, last time I was looking at
this it was skipped when signed and as such root filesystem sizes
ballooned with signed modules.

oe package.py still does skip stripping for signed modules.

I'm sure it is fixable, but we need someone to step up and have a closer look.

Richard can probably comment better than I can, but there's a variety
of use cases (from SDKs, to debug, to SBOM, etc) that all need to deal
with whether binaries are stripped and be able to find the
non-stripped executables in order to work properly.

So to answer the follow up suggestion of using the kernel's module
strip directly .. it also might be feasible, but we need to make sure
that all the other uses cases still work. My preference is to do the
work in package.py, so that we don't have to worry about the kernel
provider and any additional features have code in the same place as a
baseline.

Bruce

Regards,
Jack.

root@qemux86-64:~# lsmod
Module Size Used by
sch_fq_codel 20480 1
root@qemux86-64:~# modinfo sch_fq_codel
filename:
/lib/modules/5.19.9-yocto-standard/kernel/net/sched/sch_fq_codel.ko
description: Fair Queue CoDel discipline
license: GPL
author: Eric Dumazet
depends:
retpoline: Y
intree: Y
name: sch_fq_codel
vermagic: 5.19.9-yocto-standard SMP preempt mod_unload
sig_id: PKCS#7
signer: Build time autogenerated kernel key
sig_key: 2B:2A:BE:7D:B5:92:DC:98:A9:F8:D7:00:A6:73:35:20:10:D8:19:EE
sig_hashalgo: sha512
signature: 72:6C:E1:78:7C:A7:7B:CC:C4:33:23:6B:95:EC:1B:2A:BD:D9:EC:7A:
85:07:05:B2:70:3C:C9:64:F6:78:8A:01:A0:E3:64:C7:47:BB:5D:0E:
86:BA:C1:DD:40:05:AE:1F:19:D4:F0:98:49:86:CC:61:14:3C:AB:1E:
4A:1C:83:47:1D:FA:6D:E4:83:79:3A:2B:3F:7D:B6:E0:09:AE:B4:01:
07:EE:C9:5B:99:70:4F:49:8A:64:E4:7D:84:AA:37:F5:DB:5F:16:5C:
D4:DC:0C:33:73:5D:D9:8D:7E:71:5B:A1:ED:61:81:5E:1C:ED:A2:D8:
76:46:99:B3:78:08:F7:7F:0D:4B:94:26:21:63:47:B0:75:9F:A4:EA:
3D:14:D4:09:CC:59:F3:FC:80:AC:BF:56:1E:8C:73:FD:CB:07:27:C6:
3D:98:4C:E4:C3:9C:C0:AD:90:53:46:8F:AE:66:FE:10:C8:92:7F:BA:
74:C2:B0:E3:6E:47:66:AB:39:25:41:12:66:91:20:27:1A:58:77:75:
4F:C0:3F:F1:8E:5F:AB:0A:BD:8B:62:4F:2B:01:5A:5C:4E:5C:31:39:
FB:F4:14:2E:BF:D8:51:4B:C8:D0:E2:0A:20:80:95:05:80:E3:46:75:
43:80:30:63:6F:A4:25:82:59:35:34:E8:6A:DC:FF:93:F8:32:BB:FA:
66:2D:B9:08:75:1A:3A:3A:5D:57:F4:63:85:01:B4:EB:96:1B:CE:6F:
4D:61:FC:AA:6C:39:7F:D6:37:C9:84:0A:84:17:FB:BE:FC:20:CB:EE:
8C:2F:93:92:F6:48:F4:07:50:84:D8:2C:B5:2E:A7:7D:3A:3F:DC:E9:
B9:17:EF:47:49:EC:BA:62:1C:C4:C6:58:9C:0C:8D:26:41:6E:1F:C1:
95:A7:8B:57:5D:1D:4B:B4:04:00:F6:68:24:9E:E2:BF:11:EC:05:6C:
83:E8:C6:DB:BB:3D:22:8B:31:BB:99:1A:44:E1:15:71:C3:AA:FA:01:
98:BA:6B:20:26:D6:9C:61:5C:6F:81:29:09:B1:EA:C5:28:15:F3:98:
C0:18:FE:08:8B:40:A5:F3:3C:71:4B:C6:41:CD:38:51:79:EA:5D:C9:
13:39:B5:FD:A3:D1:BB:11:94:66:F7:7B:6A:DC:2C:01:5F:AB:73:08:
68:24:32:BE:BC:7A:90:E5:FD:97:17:6C:DD:46:D0:0E:2C:03:31:66:
B3:7C:B2:48:E1:E0:1A:63:20:48:4C:D4:55:56:71:04:3B:5F:3B:28:
BF:64:6C:52:A9:07:6D:FF:21:E9:06:35:E8:A1:D7:F4:C2:F9:D7:7B:
9D:D2:90:16:2F:68:1E:3F:BE:43:ED:64

Failures in signed kernel module loading should show as errors at
runtime, for example systemd services, or as oeqa parselogs test
failures which detects signature verification error messages from the
kernel.

Signed-off-by: Mikko Rapeli <mikko.rapeli@...>
---
meta/recipes-kernel/linux/linux-yocto.inc | 3 +++
1 file changed, 3 insertions(+)

diff --git a/meta/recipes-kernel/linux/linux-yocto.inc b/meta/recipes-kernel/linux/linux-yocto.inc
index 091003ed82..bab1f21479 100644
--- a/meta/recipes-kernel/linux/linux-yocto.inc
+++ b/meta/recipes-kernel/linux/linux-yocto.inc
@@ -37,6 +37,9 @@ KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'efi', 'cfg/
KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'numa', 'features/numa/numa.scc', '', d)}"
KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'vfat', 'cfg/fs/vfat.scc', '', d)}"

+# enable module signing by default
+KERNEL_FEATURES:append = " features/module-signing/force-signing.scc"
+
# A KMACHINE is the mapping of a yocto $MACHINE to what is built
# by the kernel. This is typically the branch that should be built,
# and it can be specific to the machine or shared

--
Jack Mitchell, Consultant
https://www.tuxable.co.uk

--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II

On 27/11/2022 03:34, Bruce Ashfield wrote:

On Fri, Nov 25, 2022 at 11:11 AM Jack Mitchell <ml@...> wrote:

On 25/11/2022 15:54, Mikko Rapeli wrote:

It's a good default and used in many Linux distributions.
Did not test out of tree modules if they do correct things but
any such failures should be fixed.

One way to verify that kernel module signing also works:

root@qemux86-64:~# dmesg|grep X.509
[ 1.298936] Loading compiled-in X.509 certificates
[ 1.328280] Loaded X.509 cert 'Build time autogenerated kernel key: ee1bed6d845358744c764683bf73b4404cc79287'

These logs in dmesg show that signing in kernel is enabled and
key is found. Then if any kernel modules load, they were
signed correctly. Additionally modinfo tool from kmod shows kernel module
signing details:

Hi Mikko,

Do the kernel modules get properly stripped, last time I was looking at
this it was skipped when signed and as such root filesystem sizes
ballooned with signed modules.

oe package.py still does skip stripping for signed modules.
I'm sure it is fixable, but we need someone to step up and have a closer look.
Richard can probably comment better than I can, but there's a variety
of use cases (from SDKs, to debug, to SBOM, etc) that all need to deal
with whether binaries are stripped and be able to find the
non-stripped executables in order to work properly.
So to answer the follow up suggestion of using the kernel's module
strip directly .. it also might be feasible, but we need to make sure
that all the other uses cases still work. My preference is to do the
work in package.py, so that we don't have to worry about the kernel
provider and any additional features have code in the same place as a
baseline.

I agree, if the kernel has the right arguments available for properly stripping the modules without stripping the signed portion then we can set those args manually rather than skipping the strip all together I believe.

I also had the same thought with having the kernel do it as I don't know where the stripped information goes and how that would then make it into debug packages.

Bruce

Regards,
Jack.

root@qemux86-64:~# lsmod
Module Size Used by
sch_fq_codel 20480 1
root@qemux86-64:~# modinfo sch_fq_codel
filename:
/lib/modules/5.19.9-yocto-standard/kernel/net/sched/sch_fq_codel.ko
description: Fair Queue CoDel discipline
license: GPL
author: Eric Dumazet
depends:
retpoline: Y
intree: Y
name: sch_fq_codel
vermagic: 5.19.9-yocto-standard SMP preempt mod_unload
sig_id: PKCS#7
signer: Build time autogenerated kernel key
sig_key: 2B:2A:BE:7D:B5:92:DC:98:A9:F8:D7:00:A6:73:35:20:10:D8:19:EE
sig_hashalgo: sha512
signature: 72:6C:E1:78:7C:A7:7B:CC:C4:33:23:6B:95:EC:1B:2A:BD:D9:EC:7A:
85:07:05:B2:70:3C:C9:64:F6:78:8A:01:A0:E3:64:C7:47:BB:5D:0E:
86:BA:C1:DD:40:05:AE:1F:19:D4:F0:98:49:86:CC:61:14:3C:AB:1E:
4A:1C:83:47:1D:FA:6D:E4:83:79:3A:2B:3F:7D:B6:E0:09:AE:B4:01:
07:EE:C9:5B:99:70:4F:49:8A:64:E4:7D:84:AA:37:F5:DB:5F:16:5C:
D4:DC:0C:33:73:5D:D9:8D:7E:71:5B:A1:ED:61:81:5E:1C:ED:A2:D8:
76:46:99:B3:78:08:F7:7F:0D:4B:94:26:21:63:47:B0:75:9F:A4:EA:
3D:14:D4:09:CC:59:F3:FC:80:AC:BF:56:1E:8C:73:FD:CB:07:27:C6:
3D:98:4C:E4:C3:9C:C0:AD:90:53:46:8F:AE:66:FE:10:C8:92:7F:BA:
74:C2:B0:E3:6E:47:66:AB:39:25:41:12:66:91:20:27:1A:58:77:75:
4F:C0:3F:F1:8E:5F:AB:0A:BD:8B:62:4F:2B:01:5A:5C:4E:5C:31:39:
FB:F4:14:2E:BF:D8:51:4B:C8:D0:E2:0A:20:80:95:05:80:E3:46:75:
43:80:30:63:6F:A4:25:82:59:35:34:E8:6A:DC:FF:93:F8:32:BB:FA:
66:2D:B9:08:75:1A:3A:3A:5D:57:F4:63:85:01:B4:EB:96:1B:CE:6F:
4D:61:FC:AA:6C:39:7F:D6:37:C9:84:0A:84:17:FB:BE:FC:20:CB:EE:
8C:2F:93:92:F6:48:F4:07:50:84:D8:2C:B5:2E:A7:7D:3A:3F:DC:E9:
B9:17:EF:47:49:EC:BA:62:1C:C4:C6:58:9C:0C:8D:26:41:6E:1F:C1:
95:A7:8B:57:5D:1D:4B:B4:04:00:F6:68:24:9E:E2:BF:11:EC:05:6C:
83:E8:C6:DB:BB:3D:22:8B:31:BB:99:1A:44:E1:15:71:C3:AA:FA:01:
98:BA:6B:20:26:D6:9C:61:5C:6F:81:29:09:B1:EA:C5:28:15:F3:98:
C0:18:FE:08:8B:40:A5:F3:3C:71:4B:C6:41:CD:38:51:79:EA:5D:C9:
13:39:B5:FD:A3:D1:BB:11:94:66:F7:7B:6A:DC:2C:01:5F:AB:73:08:
68:24:32:BE:BC:7A:90:E5:FD:97:17:6C:DD:46:D0:0E:2C:03:31:66:
B3:7C:B2:48:E1:E0:1A:63:20:48:4C:D4:55:56:71:04:3B:5F:3B:28:
BF:64:6C:52:A9:07:6D:FF:21:E9:06:35:E8:A1:D7:F4:C2:F9:D7:7B:
9D:D2:90:16:2F:68:1E:3F:BE:43:ED:64

Failures in signed kernel module loading should show as errors at
runtime, for example systemd services, or as oeqa parselogs test
failures which detects signature verification error messages from the
kernel.

Signed-off-by: Mikko Rapeli <mikko.rapeli@...>
---
meta/recipes-kernel/linux/linux-yocto.inc | 3 +++
1 file changed, 3 insertions(+)

diff --git a/meta/recipes-kernel/linux/linux-yocto.inc b/meta/recipes-kernel/linux/linux-yocto.inc
index 091003ed82..bab1f21479 100644
--- a/meta/recipes-kernel/linux/linux-yocto.inc
+++ b/meta/recipes-kernel/linux/linux-yocto.inc
@@ -37,6 +37,9 @@ KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'efi', 'cfg/
KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'numa', 'features/numa/numa.scc', '', d)}"
KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'vfat', 'cfg/fs/vfat.scc', '', d)}"

+# enable module signing by default
+KERNEL_FEATURES:append = " features/module-signing/force-signing.scc"
+
# A KMACHINE is the mapping of a yocto $MACHINE to what is built
# by the kernel. This is typically the branch that should be built,
# and it can be specific to the machine or shared

--
Jack Mitchell, Consultant
https://www.tuxable.co.uk

On Sat, Nov 26, 2022 at 10:06:57PM -0500, Bruce Ashfield wrote:

On Fri, Nov 25, 2022 at 10:54 AM Mikko Rapeli <mikko.rapeli@...> wrote:

It's a good default and used in many Linux distributions.
Did not test out of tree modules if they do correct things but
any such failures should be fixed.

One way to verify that kernel module signing also works:

root@qemux86-64:~# dmesg|grep X.509
[ 1.298936] Loading compiled-in X.509 certificates
[ 1.328280] Loaded X.509 cert 'Build time autogenerated kernel key: ee1bed6d845358744c764683bf73b4404cc79287'

These logs in dmesg show that signing in kernel is enabled and
key is found. Then if any kernel modules load, they were
signed correctly. Additionally modinfo tool from kmod shows kernel module
signing details:

root@qemux86-64:~# lsmod
Module Size Used by
sch_fq_codel 20480 1
root@qemux86-64:~# modinfo sch_fq_codel
filename:
/lib/modules/5.19.9-yocto-standard/kernel/net/sched/sch_fq_codel.ko
description: Fair Queue CoDel discipline
license: GPL
author: Eric Dumazet
depends:
retpoline: Y
intree: Y
name: sch_fq_codel
vermagic: 5.19.9-yocto-standard SMP preempt mod_unload
sig_id: PKCS#7
signer: Build time autogenerated kernel key
sig_key: 2B:2A:BE:7D:B5:92:DC:98:A9:F8:D7:00:A6:73:35:20:10:D8:19:EE
sig_hashalgo: sha512
signature: 72:6C:E1:78:7C:A7:7B:CC:C4:33:23:6B:95:EC:1B:2A:BD:D9:EC:7A:
85:07:05:B2:70:3C:C9:64:F6:78:8A:01:A0:E3:64:C7:47:BB:5D:0E:
86:BA:C1:DD:40:05:AE:1F:19:D4:F0:98:49:86:CC:61:14:3C:AB:1E:
4A:1C:83:47:1D:FA:6D:E4:83:79:3A:2B:3F:7D:B6:E0:09:AE:B4:01:
07:EE:C9:5B:99:70:4F:49:8A:64:E4:7D:84:AA:37:F5:DB:5F:16:5C:
D4:DC:0C:33:73:5D:D9:8D:7E:71:5B:A1:ED:61:81:5E:1C:ED:A2:D8:
76:46:99:B3:78:08:F7:7F:0D:4B:94:26:21:63:47:B0:75:9F:A4:EA:
3D:14:D4:09:CC:59:F3:FC:80:AC:BF:56:1E:8C:73:FD:CB:07:27:C6:
3D:98:4C:E4:C3:9C:C0:AD:90:53:46:8F:AE:66:FE:10:C8:92:7F:BA:
74:C2:B0:E3:6E:47:66:AB:39:25:41:12:66:91:20:27:1A:58:77:75:
4F:C0:3F:F1:8E:5F:AB:0A:BD:8B:62:4F:2B:01:5A:5C:4E:5C:31:39:
FB:F4:14:2E:BF:D8:51:4B:C8:D0:E2:0A:20:80:95:05:80:E3:46:75:
43:80:30:63:6F:A4:25:82:59:35:34:E8:6A:DC:FF:93:F8:32:BB:FA:
66:2D:B9:08:75:1A:3A:3A:5D:57:F4:63:85:01:B4:EB:96:1B:CE:6F:
4D:61:FC:AA:6C:39:7F:D6:37:C9:84:0A:84:17:FB:BE:FC:20:CB:EE:
8C:2F:93:92:F6:48:F4:07:50:84:D8:2C:B5:2E:A7:7D:3A:3F:DC:E9:
B9:17:EF:47:49:EC:BA:62:1C:C4:C6:58:9C:0C:8D:26:41:6E:1F:C1:
95:A7:8B:57:5D:1D:4B:B4:04:00:F6:68:24:9E:E2:BF:11:EC:05:6C:
83:E8:C6:DB:BB:3D:22:8B:31:BB:99:1A:44:E1:15:71:C3:AA:FA:01:
98:BA:6B:20:26:D6:9C:61:5C:6F:81:29:09:B1:EA:C5:28:15:F3:98:
C0:18:FE:08:8B:40:A5:F3:3C:71:4B:C6:41:CD:38:51:79:EA:5D:C9:
13:39:B5:FD:A3:D1:BB:11:94:66:F7:7B:6A:DC:2C:01:5F:AB:73:08:
68:24:32:BE:BC:7A:90:E5:FD:97:17:6C:DD:46:D0:0E:2C:03:31:66:
B3:7C:B2:48:E1:E0:1A:63:20:48:4C:D4:55:56:71:04:3B:5F:3B:28:
BF:64:6C:52:A9:07:6D:FF:21:E9:06:35:E8:A1:D7:F4:C2:F9:D7:7B:
9D:D2:90:16:2F:68:1E:3F:BE:43:ED:64

Failures in signed kernel module loading should show as errors at
runtime, for example systemd services, or as oeqa parselogs test
failures which detects signature verification error messages from the
kernel.

Signed-off-by: Mikko Rapeli <mikko.rapeli@...>
---
meta/recipes-kernel/linux/linux-yocto.inc | 3 +++
1 file changed, 3 insertions(+)

diff --git a/meta/recipes-kernel/linux/linux-yocto.inc b/meta/recipes-kernel/linux/linux-yocto.inc
index 091003ed82..bab1f21479 100644
--- a/meta/recipes-kernel/linux/linux-yocto.inc
+++ b/meta/recipes-kernel/linux/linux-yocto.inc
@@ -37,6 +37,9 @@ KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'efi', 'cfg/
KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'numa', 'features/numa/numa.scc', '', d)}"
KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'vfat', 'cfg/fs/vfat.scc', '', d)}"

+# enable module signing by default
+KERNEL_FEATURES:append = " features/module-signing/force-signing.scc"
+

For the reference kernels, there are a huge amount of use cases, and I
support a really broad set of deployments.

We can enable this via either a distro or packageconfig, but not like
this, since disabling it is difficult and requires a :remove. It needs
to be opt-in.

This signing is purely a kernel internal self protection. Thus I don't see a
need for DISTRO_CONFIG, and kernel recipes don't use PACKAGECONFIG for
some reason. I know :append is difficult to :remove but it's used with "numa", "vfat",
"ptest" etc things too.

-Mikko

Hi,

On Sun, Nov 27, 2022 at 06:47:30PM +0000, Jack Mitchell wrote:

On 27/11/2022 03:34, Bruce Ashfield wrote:

On Fri, Nov 25, 2022 at 11:11 AM Jack Mitchell <ml@...> wrote:

On 25/11/2022 15:54, Mikko Rapeli wrote:

It's a good default and used in many Linux distributions.
Did not test out of tree modules if they do correct things but
any such failures should be fixed.

One way to verify that kernel module signing also works:

root@qemux86-64:~# dmesg|grep X.509
[ 1.298936] Loading compiled-in X.509 certificates
[ 1.328280] Loaded X.509 cert 'Build time autogenerated kernel key: ee1bed6d845358744c764683bf73b4404cc79287'

These logs in dmesg show that signing in kernel is enabled and
key is found. Then if any kernel modules load, they were
signed correctly. Additionally modinfo tool from kmod shows kernel module
signing details:

Hi Mikko,

Do the kernel modules get properly stripped, last time I was looking at
this it was skipped when signed and as such root filesystem sizes
ballooned with signed modules.

oe package.py still does skip stripping for signed modules.

I'm sure it is fixable, but we need someone to step up and have a closer look.

Richard can probably comment better than I can, but there's a variety
of use cases (from SDKs, to debug, to SBOM, etc) that all need to deal
with whether binaries are stripped and be able to find the
non-stripped executables in order to work properly.

So to answer the follow up suggestion of using the kernel's module
strip directly .. it also might be feasible, but we need to make sure
that all the other uses cases still work. My preference is to do the
work in package.py, so that we don't have to worry about the kernel
provider and any additional features have code in the same place as a
baseline.

I agree, if the kernel has the right arguments available for properly
stripping the modules without stripping the signed portion then we can set
those args manually rather than skipping the strip all together I believe.

I also had the same thought with having the kernel do it as I don't know
where the stripped information goes and how that would then make it into
debug packages.

https://www.kernel.org/doc/html/latest/admin-guide/module-signing.html#signed-modules-and-stripping

"Signed modules are BRITTLE as the signature is outside of the defined
ELF container. Thus they MAY NOT be stripped once the signature is
computed and attached. Note the entire module is the signed payload,
including any and all debug information present at the time of signing."

linux/scripts/Makefile.modinst does in "make modules_install":

...
$(dst)/%.ko: $(extmod_prefix)%.ko FORCE
$(call cmd,install)
$(call cmd,strip)
$(call cmd,sign)
...

Thus I don't think signed kernel modules can ever be stripped by
package.py or package.bbclass. It sounds like only option is to install
modules without stripping and signing to debug packages and then install
them stripped with and signed to real binary packages.

Cheers,

-Mikko

On 28 Nov 2022, at 11:12, Mikko Rapeli via lists.openembedded.org <mikko.rapeli=linaro.org@...> wrote:

Thus I don't think signed kernel modules can ever be stripped by
package.py or package.bbclass. It sounds like only option is to install
modules without stripping and signing to debug packages and then install
them stripped with and signed to real binary packages.

Which should be doable with a do_package function that runs after the stripping.

Ross

On Mon, Nov 28, 2022 at 2:12 AM Mikko Rapeli <mikko.rapeli@...> wrote:

On Sat, Nov 26, 2022 at 10:06:57PM -0500, Bruce Ashfield wrote:

On Fri, Nov 25, 2022 at 10:54 AM Mikko Rapeli <mikko.rapeli@...> wrote:

It's a good default and used in many Linux distributions.
Did not test out of tree modules if they do correct things but
any such failures should be fixed.

One way to verify that kernel module signing also works:

root@qemux86-64:~# dmesg|grep X.509
[ 1.298936] Loading compiled-in X.509 certificates
[ 1.328280] Loaded X.509 cert 'Build time autogenerated kernel key: ee1bed6d845358744c764683bf73b4404cc79287'

These logs in dmesg show that signing in kernel is enabled and
key is found. Then if any kernel modules load, they were
signed correctly. Additionally modinfo tool from kmod shows kernel module
signing details:

root@qemux86-64:~# lsmod
Module Size Used by
sch_fq_codel 20480 1
root@qemux86-64:~# modinfo sch_fq_codel
filename:
/lib/modules/5.19.9-yocto-standard/kernel/net/sched/sch_fq_codel.ko
description: Fair Queue CoDel discipline
license: GPL
author: Eric Dumazet
depends:
retpoline: Y
intree: Y
name: sch_fq_codel
vermagic: 5.19.9-yocto-standard SMP preempt mod_unload
sig_id: PKCS#7
signer: Build time autogenerated kernel key
sig_key: 2B:2A:BE:7D:B5:92:DC:98:A9:F8:D7:00:A6:73:35:20:10:D8:19:EE
sig_hashalgo: sha512
signature: 72:6C:E1:78:7C:A7:7B:CC:C4:33:23:6B:95:EC:1B:2A:BD:D9:EC:7A:
85:07:05:B2:70:3C:C9:64:F6:78:8A:01:A0:E3:64:C7:47:BB:5D:0E:
86:BA:C1:DD:40:05:AE:1F:19:D4:F0:98:49:86:CC:61:14:3C:AB:1E:
4A:1C:83:47:1D:FA:6D:E4:83:79:3A:2B:3F:7D:B6:E0:09:AE:B4:01:
07:EE:C9:5B:99:70:4F:49:8A:64:E4:7D:84:AA:37:F5:DB:5F:16:5C:
D4:DC:0C:33:73:5D:D9:8D:7E:71:5B:A1:ED:61:81:5E:1C:ED:A2:D8:
76:46:99:B3:78:08:F7:7F:0D:4B:94:26:21:63:47:B0:75:9F:A4:EA:
3D:14:D4:09:CC:59:F3:FC:80:AC:BF:56:1E:8C:73:FD:CB:07:27:C6:
3D:98:4C:E4:C3:9C:C0:AD:90:53:46:8F:AE:66:FE:10:C8:92:7F:BA:
74:C2:B0:E3:6E:47:66:AB:39:25:41:12:66:91:20:27:1A:58:77:75:
4F:C0:3F:F1:8E:5F:AB:0A:BD:8B:62:4F:2B:01:5A:5C:4E:5C:31:39:
FB:F4:14:2E:BF:D8:51:4B:C8:D0:E2:0A:20:80:95:05:80:E3:46:75:
43:80:30:63:6F:A4:25:82:59:35:34:E8:6A:DC:FF:93:F8:32:BB:FA:
66:2D:B9:08:75:1A:3A:3A:5D:57:F4:63:85:01:B4:EB:96:1B:CE:6F:
4D:61:FC:AA:6C:39:7F:D6:37:C9:84:0A:84:17:FB:BE:FC:20:CB:EE:
8C:2F:93:92:F6:48:F4:07:50:84:D8:2C:B5:2E:A7:7D:3A:3F:DC:E9:
B9:17:EF:47:49:EC:BA:62:1C:C4:C6:58:9C:0C:8D:26:41:6E:1F:C1:
95:A7:8B:57:5D:1D:4B:B4:04:00:F6:68:24:9E:E2:BF:11:EC:05:6C:
83:E8:C6:DB:BB:3D:22:8B:31:BB:99:1A:44:E1:15:71:C3:AA:FA:01:
98:BA:6B:20:26:D6:9C:61:5C:6F:81:29:09:B1:EA:C5:28:15:F3:98:
C0:18:FE:08:8B:40:A5:F3:3C:71:4B:C6:41:CD:38:51:79:EA:5D:C9:
13:39:B5:FD:A3:D1:BB:11:94:66:F7:7B:6A:DC:2C:01:5F:AB:73:08:
68:24:32:BE:BC:7A:90:E5:FD:97:17:6C:DD:46:D0:0E:2C:03:31:66:
B3:7C:B2:48:E1:E0:1A:63:20:48:4C:D4:55:56:71:04:3B:5F:3B:28:
BF:64:6C:52:A9:07:6D:FF:21:E9:06:35:E8:A1:D7:F4:C2:F9:D7:7B:
9D:D2:90:16:2F:68:1E:3F:BE:43:ED:64

Failures in signed kernel module loading should show as errors at
runtime, for example systemd services, or as oeqa parselogs test
failures which detects signature verification error messages from the
kernel.

Signed-off-by: Mikko Rapeli <mikko.rapeli@...>
---
meta/recipes-kernel/linux/linux-yocto.inc | 3 +++
1 file changed, 3 insertions(+)

diff --git a/meta/recipes-kernel/linux/linux-yocto.inc b/meta/recipes-kernel/linux/linux-yocto.inc
index 091003ed82..bab1f21479 100644
--- a/meta/recipes-kernel/linux/linux-yocto.inc
+++ b/meta/recipes-kernel/linux/linux-yocto.inc
@@ -37,6 +37,9 @@ KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'efi', 'cfg/
KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'numa', 'features/numa/numa.scc', '', d)}"
KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'vfat', 'cfg/fs/vfat.scc', '', d)}"

+# enable module signing by default
+KERNEL_FEATURES:append = " features/module-signing/force-signing.scc"
+

For the reference kernels, there are a huge amount of use cases, and I
support a really broad set of deployments.

We can enable this via either a distro or packageconfig, but not like
this, since disabling it is difficult and requires a :remove. It needs
to be opt-in.

This signing is purely a kernel internal self protection. Thus I don't see a
need for DISTRO_CONFIG, and kernel recipes don't use PACKAGECONFIG for
some reason. I know :append is difficult to :remove but it's used with "numa", "vfat",
"ptest" etc things too.

And I've complained about those being added at times as well, in fact,
I have a bug somewhere to clean them up.

Signing impacts the runtime, and can chain throughout the system (as
with the stripping of the modules), so in this case, it has to be
opt-in.

Bruce

-Mikko

--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II

On Mon, Nov 28, 2022 at 09:03:04AM -0500, Bruce Ashfield wrote:

On Mon, Nov 28, 2022 at 2:12 AM Mikko Rapeli <mikko.rapeli@...> wrote:

On Sat, Nov 26, 2022 at 10:06:57PM -0500, Bruce Ashfield wrote:

On Fri, Nov 25, 2022 at 10:54 AM Mikko Rapeli <mikko.rapeli@...> wrote:

It's a good default and used in many Linux distributions.
Did not test out of tree modules if they do correct things but
any such failures should be fixed.

One way to verify that kernel module signing also works:

root@qemux86-64:~# dmesg|grep X.509
[ 1.298936] Loading compiled-in X.509 certificates
[ 1.328280] Loaded X.509 cert 'Build time autogenerated kernel key: ee1bed6d845358744c764683bf73b4404cc79287'

These logs in dmesg show that signing in kernel is enabled and
key is found. Then if any kernel modules load, they were
signed correctly. Additionally modinfo tool from kmod shows kernel module
signing details:

root@qemux86-64:~# lsmod
Module Size Used by
sch_fq_codel 20480 1
root@qemux86-64:~# modinfo sch_fq_codel
filename:
/lib/modules/5.19.9-yocto-standard/kernel/net/sched/sch_fq_codel.ko
description: Fair Queue CoDel discipline
license: GPL
author: Eric Dumazet
depends:
retpoline: Y
intree: Y
name: sch_fq_codel
vermagic: 5.19.9-yocto-standard SMP preempt mod_unload
sig_id: PKCS#7
signer: Build time autogenerated kernel key
sig_key: 2B:2A:BE:7D:B5:92:DC:98:A9:F8:D7:00:A6:73:35:20:10:D8:19:EE
sig_hashalgo: sha512
signature: 72:6C:E1:78:7C:A7:7B:CC:C4:33:23:6B:95:EC:1B:2A:BD:D9:EC:7A:
85:07:05:B2:70:3C:C9:64:F6:78:8A:01:A0:E3:64:C7:47:BB:5D:0E:
86:BA:C1:DD:40:05:AE:1F:19:D4:F0:98:49:86:CC:61:14:3C:AB:1E:
4A:1C:83:47:1D:FA:6D:E4:83:79:3A:2B:3F:7D:B6:E0:09:AE:B4:01:
07:EE:C9:5B:99:70:4F:49:8A:64:E4:7D:84:AA:37:F5:DB:5F:16:5C:
D4:DC:0C:33:73:5D:D9:8D:7E:71:5B:A1:ED:61:81:5E:1C:ED:A2:D8:
76:46:99:B3:78:08:F7:7F:0D:4B:94:26:21:63:47:B0:75:9F:A4:EA:
3D:14:D4:09:CC:59:F3:FC:80:AC:BF:56:1E:8C:73:FD:CB:07:27:C6:
3D:98:4C:E4:C3:9C:C0:AD:90:53:46:8F:AE:66:FE:10:C8:92:7F:BA:
74:C2:B0:E3:6E:47:66:AB:39:25:41:12:66:91:20:27:1A:58:77:75:
4F:C0:3F:F1:8E:5F:AB:0A:BD:8B:62:4F:2B:01:5A:5C:4E:5C:31:39:
FB:F4:14:2E:BF:D8:51:4B:C8:D0:E2:0A:20:80:95:05:80:E3:46:75:
43:80:30:63:6F:A4:25:82:59:35:34:E8:6A:DC:FF:93:F8:32:BB:FA:
66:2D:B9:08:75:1A:3A:3A:5D:57:F4:63:85:01:B4:EB:96:1B:CE:6F:
4D:61:FC:AA:6C:39:7F:D6:37:C9:84:0A:84:17:FB:BE:FC:20:CB:EE:
8C:2F:93:92:F6:48:F4:07:50:84:D8:2C:B5:2E:A7:7D:3A:3F:DC:E9:
B9:17:EF:47:49:EC:BA:62:1C:C4:C6:58:9C:0C:8D:26:41:6E:1F:C1:
95:A7:8B:57:5D:1D:4B:B4:04:00:F6:68:24:9E:E2:BF:11:EC:05:6C:
83:E8:C6:DB:BB:3D:22:8B:31:BB:99:1A:44:E1:15:71:C3:AA:FA:01:
98:BA:6B:20:26:D6:9C:61:5C:6F:81:29:09:B1:EA:C5:28:15:F3:98:
C0:18:FE:08:8B:40:A5:F3:3C:71:4B:C6:41:CD:38:51:79:EA:5D:C9:
13:39:B5:FD:A3:D1:BB:11:94:66:F7:7B:6A:DC:2C:01:5F:AB:73:08:
68:24:32:BE:BC:7A:90:E5:FD:97:17:6C:DD:46:D0:0E:2C:03:31:66:
B3:7C:B2:48:E1:E0:1A:63:20:48:4C:D4:55:56:71:04:3B:5F:3B:28:
BF:64:6C:52:A9:07:6D:FF:21:E9:06:35:E8:A1:D7:F4:C2:F9:D7:7B:
9D:D2:90:16:2F:68:1E:3F:BE:43:ED:64

Failures in signed kernel module loading should show as errors at
runtime, for example systemd services, or as oeqa parselogs test
failures which detects signature verification error messages from the
kernel.

Signed-off-by: Mikko Rapeli <mikko.rapeli@...>
---
meta/recipes-kernel/linux/linux-yocto.inc | 3 +++
1 file changed, 3 insertions(+)

diff --git a/meta/recipes-kernel/linux/linux-yocto.inc b/meta/recipes-kernel/linux/linux-yocto.inc
index 091003ed82..bab1f21479 100644
--- a/meta/recipes-kernel/linux/linux-yocto.inc
+++ b/meta/recipes-kernel/linux/linux-yocto.inc
@@ -37,6 +37,9 @@ KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'efi', 'cfg/
KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'numa', 'features/numa/numa.scc', '', d)}"
KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'vfat', 'cfg/fs/vfat.scc', '', d)}"

+# enable module signing by default
+KERNEL_FEATURES:append = " features/module-signing/force-signing.scc"
+

For the reference kernels, there are a huge amount of use cases, and I
support a really broad set of deployments.

We can enable this via either a distro or packageconfig, but not like
this, since disabling it is difficult and requires a :remove. It needs
to be opt-in.

This signing is purely a kernel internal self protection. Thus I don't see a
need for DISTRO_CONFIG, and kernel recipes don't use PACKAGECONFIG for
some reason. I know :append is difficult to :remove but it's used with "numa", "vfat",
"ptest" etc things too.

And I've complained about those being added at times as well, in fact,
I have a bug somewhere to clean them up.

Signing impacts the runtime, and can chain throughout the system (as
with the stripping of the modules), so in this case, it has to be
opt-in.

Ok, fair enough. This can't be the default then and this patch can be
ignored.

I hope the kmod openssl support can be enable by default though.
linux-yocto too has openssl dependency by default even when signing is
disabled.

Cheers,

-Mikko