[PATCH] kmod: enable openssl support by default


Mikko Rapeli
 

linux-yocto kernel adds openssl-native dependency by default even
when module signing is still optional. kmod should enable
openssl support too. This helps see details of signed kernel
modules and debug issues with module signing. For small systems
this can still be disabled.

modinfo output shows bad signing info when kernel signing is enabled
but openssl support is missing from kmod:

root@qemux86-64:~# dmesg|grep 509
[ 0.750905] ACPI: PCI: Interrupt link LNKG configured for IRQ 11
[ 0.950039] Asymmetric key parser 'x509' registered
[ 1.241727] Loading compiled-in X.509 certificates
[ 1.267863] Loaded X.509 cert 'Build time autogenerated kernel key: 48bcd79439f61aaf8fc19ec0882439d64db73820'
root@qemux86-64:~# lsmod
Module Size Used by
sch_fq_codel 20480 1
root@qemux86-64:~# modinfo sch_fq_codel
filename: /lib/modules/5.19.9-yocto-standard/kernel/net/sched/sch_fq_codel.ko
description: Fair Queue CoDel discipline
license: GPL
author: Eric Dumazet
depends:
retpoline: Y
intree: Y
name: sch_fq_codel
vermagic: 5.19.9-yocto-standard SMP preempt mod_unload
sig_id: PKCS#7
signer:
sig_key:
sig_hashalgo: unknown
signature:

modinfo with openssl enabled in kmod:

root@qemux86-64:~# modinfo sch_fq_codel
filename: /lib/modules/5.19.9-yocto-standard/kernel/net/sched/sch_fq_codel.ko
description: Fair Queue CoDel discipline
license: GPL
author: Eric Dumazet
depends:
retpoline: Y
intree: Y
name: sch_fq_codel
vermagic: 5.19.9-yocto-standard SMP preempt mod_unload
sig_id: PKCS#7
signer: Build time autogenerated kernel key
sig_key: 07:9A:C4:36:96:98:6E:5B:73:CF:C8:40:A6:57:D9:03:5E:27:8D:25
sig_hashalgo: sha512
signature: 21:4D:F0:E2:E0:7C:8E:31:A0:96:12:68:06:0D:FA:0D:E2:17:45:64:

Signed-off-by: Mikko Rapeli <mikko.rapeli@...>
---
meta/recipes-kernel/kmod/kmod_30.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-kernel/kmod/kmod_30.bb b/meta/recipes-kernel/kmod/kmod_30.bb
index 8eb83efe6d..ff6e20554b 100644
--- a/meta/recipes-kernel/kmod/kmod_30.bb
+++ b/meta/recipes-kernel/kmod/kmod_30.bb
@@ -26,7 +26,7 @@ S = "${WORKDIR}/git"

EXTRA_OECONF += "--enable-tools"

-PACKAGECONFIG ??= "zlib xz"
+PACKAGECONFIG ??= "zlib xz openssl"
PACKAGECONFIG[debug] = "--enable-debug,--disable-debug"
PACKAGECONFIG[logging] = " --enable-logging,--disable-logging"
PACKAGECONFIG[manpages] = "--enable-manpages, --disable-manpages, libxslt-native xmlto-native"
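Review bot: the hunk only adds the `openssl` token to the weak default `PACKAGECONFIG ??= "zlib xz openssl"`; the matching `PACKAGECONFIG[openssl] = ...` entry (configure switch plus the openssl dependency) is not in the shown context, so please confirm the recipe already defines it, because the token does nothing on its own. Since the assignment is `??=`, any distro that already sets PACKAGECONFIG for kmod keeps its own value and will not pick up the new default; a sentence in the commit message saying how small systems disable it again (the "can still be disabled" remark) would make that explicit for reviewers.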
--
2.35.1
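To make the difference between the two modinfo listings above concrete: the trailer kmod reads without openssl is the kernel's appended `struct module_signature` plus a magic string, which is enough for `sig_id: PKCS#7` but not for signer, key id or hash algorithm, because those live inside the PKCS#7 DER blob that kmod hands to openssl. The parser below is an added example (not kmod's or the kernel's code); the `.ko` bytes it runs on are constructed in `make_sample()` and the fake PKCS#7 payload is only a SEQUENCE header with dummy contents.

```python
"""Parse the signature trailer that sign-file appends to a kernel module."""
import hashlib
import struct
from typing import Optional

MAGIC = b"~Module signature appended~\n"   # kernel's module-signing marker
PKEY_ID_PKCS7 = 2                           # id_type used by current kernels
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# three pad bytes, then big-endian u32 sig_len (12 bytes in total).
TRAILER = struct.Struct(">BBBBB3xI")


def parse_module_signature(ko: bytes) -> Optional[dict]:
    """Return trailer details for a signed module, or None if it is unsigned.

    Like kmod built without openssl, this only decodes the fixed trailer; the
    PKCS#7 blob itself is returned raw, not parsed.
    """
    if not ko.endswith(MAGIC):
        return None                          # modinfo would show no sig_* fields
    rest = ko[:-len(MAGIC)]
    if len(rest) < TRAILER.size:
        raise ValueError("truncated module_signature trailer")
    algo, hash_alg, id_type, signer_len, key_id_len, sig_len = TRAILER.unpack(
        rest[-TRAILER.size:])
    rest = rest[:-TRAILER.size]
    # Layout before the trailer: [signed body][signer][key id][signature data].
    extra = signer_len + key_id_len + sig_len
    if extra > len(rest):
        raise ValueError("sig_len exceeds file size, trailer is corrupt")
    sig = rest[len(rest) - sig_len:]
    signed_body = rest[:len(rest) - extra]
    return {
        "sig_id": "PKCS#7" if id_type == PKEY_ID_PKCS7 else f"unknown({id_type})",
        "sig_len": sig_len,
        "pkcs7_der": id_type == PKEY_ID_PKCS7 and sig[:1] == b"\x30",  # DER SEQUENCE
        "signed_bytes": len(signed_body),
        # The digest inside the PKCS#7 (sha512 in the listing above) covers
        # exactly this body; computed here to show what the kernel verifies.
        "sha512_of_body": hashlib.sha512(signed_body).hexdigest(),
    }


def make_sample() -> bytes:
    """Constructed stand-in for a signed .ko: fake ELF body + fake PKCS#7 blob."""
    elf_body = b"\x7fELF" + b"A" * 60
    fake_pkcs7 = b"\x30\x82\x00\x10" + b"\x00" * 16   # not real DER, length only
    trailer = TRAILER.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(fake_pkcs7))
    return elf_body + fake_pkcs7 + trailer + MAGIC
```

Running it on a real module with `parse_module_signature(open(path, "rb").read())` tells you whether a blank `signer:` in modinfo comes from an unsigned module (None) or from kmod lacking the PKCS#7 decoder (trailer present, sig_id PKCS#7).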


Richard Purdie
 

On Fri, 2022-11-25 at 17:07 +0200, Mikko Rapeli wrote:
> linux-yocto kernel adds openssl-native dependency by default even
> when module signing is still optional. kmod should enable
> openssl support too. This helps see details of signed kernel
> modules and debug issues with module signing. For small systems
> this can still be disabled.
This seems like an easy enough change at first glance, my concern is
dependency chain creep. openssl is slower to build and for example may
depend on perl-native so adding this here can cause builds to slow down
quite a bit more than you'd expect.

I've been holding off merging until I could look at the dependency
chain and see how much difference it actually makes. I've not managed
that yet though.

One option may be to add a "signed-kernel-modules" level distro feature
or perhaps a distro include file, since I suspect this functionality is
going to need other changes to enable and work properly?

Cheers,

Richard


Mikko Rapeli
 

Hi,

On Sat, Dec 17, 2022 at 11:27:50AM +0000, Richard Purdie wrote:
> On Fri, 2022-11-25 at 17:07 +0200, Mikko Rapeli wrote:
> > linux-yocto kernel adds openssl-native dependency by default even
> > when module signing is still optional. kmod should enable
> > openssl support too. This helps see details of signed kernel
> > modules and debug issues with module signing. For small systems
> > this can still be disabled.
> This seems like an easy enough change at first glance, my concern is
> dependency chain creep. openssl is slower to build and for example may
> depend on perl-native so adding this here can cause builds to slow down
> quite a bit more than you'd expect.

But even the default kernel, linux-yocto, already depends on openssl-native. The
dependency is everywhere. Tiny distros with minimal features are another
thing.

> I've been holding off merging until I could look at the dependency
> chain and see how much difference it actually makes. I've not managed
> that yet though.
>
> One option may be to add a "signed-kernel-modules" level distro feature
> or perhaps a distro include file, since I suspect this functionality is
> going to need other changes to enable and work properly?

Signed kernel modules are purely a kernel-internal thing. Since the kernel
already depends on openssl for other reasons, signing modules doesn't
introduce much new, and all the checks for signatures are done inside
the kernel. kmod support for signed modules is just a convenience thing.

And signing kernels with default build-time generated keys breaks build
reproducibility and sstate caching, but that's a separate matter which
maybe can't be resolved inside bitbake; only static keys built outside
of bitbake seem to help.

Cheers,

-Mikko