Openembedded Core Discussions
From: Mikko Rapeli <mikko.rapeli@linaro.org>
To: Bruce Ashfield <bruce.ashfield@gmail.com>
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [PATCH] linux-yocto: enable strict kernel module signing by default
Date: Mon, 28 Nov 2022 16:23:22 +0200	[thread overview]
Message-ID: <Y4TEWpzdVYhbS9Eh@nuoska> (raw)
In-Reply-To: <CADkTA4NBbmwW3smtJb7vvUfHOTcgr4nEHu6WOnBpFDm3J-9QwA@mail.gmail.com>

On Mon, Nov 28, 2022 at 09:03:04AM -0500, Bruce Ashfield wrote:
> On Mon, Nov 28, 2022 at 2:12 AM Mikko Rapeli <mikko.rapeli@linaro.org> wrote:
> >
> > On Sat, Nov 26, 2022 at 10:06:57PM -0500, Bruce Ashfield wrote:
> > > On Fri, Nov 25, 2022 at 10:54 AM Mikko Rapeli <mikko.rapeli@linaro.org> wrote:
> > > >
> > > > It's a good default and used in many Linux distributions.
> > > > I did not test whether out-of-tree modules do the correct things, but
> > > > any such failures should be fixed.
> > > >
> > > > One way to verify that kernel module signing also works:
> > > >
> > > > root@qemux86-64:~# dmesg|grep X.509
> > > > [    1.298936] Loading compiled-in X.509 certificates
> > > > [    1.328280] Loaded X.509 cert 'Build time autogenerated kernel key: ee1bed6d845358744c764683bf73b4404cc79287'
> > > >
> > > > These logs in dmesg show that signing in the kernel is enabled and the
> > > > key is found. Then, if any kernel modules load, they were
> > > > signed correctly. Additionally, the modinfo tool from kmod shows kernel module
> > > > signing details:
> > > >
> > > > root@qemux86-64:~# lsmod
> > > > Module                  Size  Used by
> > > > sch_fq_codel           20480  1
> > > > root@qemux86-64:~# modinfo sch_fq_codel
> > > > filename:       /lib/modules/5.19.9-yocto-standard/kernel/net/sched/sch_fq_codel.ko
> > > > description:    Fair Queue CoDel discipline
> > > > license:        GPL
> > > > author:         Eric Dumazet
> > > > depends:
> > > > retpoline:      Y
> > > > intree:         Y
> > > > name:           sch_fq_codel
> > > > vermagic:       5.19.9-yocto-standard SMP preempt mod_unload
> > > > sig_id:         PKCS#7
> > > > signer:         Build time autogenerated kernel key
> > > > sig_key:        2B:2A:BE:7D:B5:92:DC:98:A9:F8:D7:00:A6:73:35:20:10:D8:19:EE
> > > > sig_hashalgo:   sha512
> > > > signature:      72:6C:E1:78:7C:A7:7B:CC:C4:33:23:6B:95:EC:1B:2A:BD:D9:EC:7A:
> > > >                 85:07:05:B2:70:3C:C9:64:F6:78:8A:01:A0:E3:64:C7:47:BB:5D:0E:
> > > >                 86:BA:C1:DD:40:05:AE:1F:19:D4:F0:98:49:86:CC:61:14:3C:AB:1E:
> > > >                 4A:1C:83:47:1D:FA:6D:E4:83:79:3A:2B:3F:7D:B6:E0:09:AE:B4:01:
> > > >                 07:EE:C9:5B:99:70:4F:49:8A:64:E4:7D:84:AA:37:F5:DB:5F:16:5C:
> > > >                 D4:DC:0C:33:73:5D:D9:8D:7E:71:5B:A1:ED:61:81:5E:1C:ED:A2:D8:
> > > >                 76:46:99:B3:78:08:F7:7F:0D:4B:94:26:21:63:47:B0:75:9F:A4:EA:
> > > >                 3D:14:D4:09:CC:59:F3:FC:80:AC:BF:56:1E:8C:73:FD:CB:07:27:C6:
> > > >                 3D:98:4C:E4:C3:9C:C0:AD:90:53:46:8F:AE:66:FE:10:C8:92:7F:BA:
> > > >                 74:C2:B0:E3:6E:47:66:AB:39:25:41:12:66:91:20:27:1A:58:77:75:
> > > >                 4F:C0:3F:F1:8E:5F:AB:0A:BD:8B:62:4F:2B:01:5A:5C:4E:5C:31:39:
> > > >                 FB:F4:14:2E:BF:D8:51:4B:C8:D0:E2:0A:20:80:95:05:80:E3:46:75:
> > > >                 43:80:30:63:6F:A4:25:82:59:35:34:E8:6A:DC:FF:93:F8:32:BB:FA:
> > > >                 66:2D:B9:08:75:1A:3A:3A:5D:57:F4:63:85:01:B4:EB:96:1B:CE:6F:
> > > >                 4D:61:FC:AA:6C:39:7F:D6:37:C9:84:0A:84:17:FB:BE:FC:20:CB:EE:
> > > >                 8C:2F:93:92:F6:48:F4:07:50:84:D8:2C:B5:2E:A7:7D:3A:3F:DC:E9:
> > > >                 B9:17:EF:47:49:EC:BA:62:1C:C4:C6:58:9C:0C:8D:26:41:6E:1F:C1:
> > > >                 95:A7:8B:57:5D:1D:4B:B4:04:00:F6:68:24:9E:E2:BF:11:EC:05:6C:
> > > >                 83:E8:C6:DB:BB:3D:22:8B:31:BB:99:1A:44:E1:15:71:C3:AA:FA:01:
> > > >                 98:BA:6B:20:26:D6:9C:61:5C:6F:81:29:09:B1:EA:C5:28:15:F3:98:
> > > >                 C0:18:FE:08:8B:40:A5:F3:3C:71:4B:C6:41:CD:38:51:79:EA:5D:C9:
> > > >                 13:39:B5:FD:A3:D1:BB:11:94:66:F7:7B:6A:DC:2C:01:5F:AB:73:08:
> > > >                 68:24:32:BE:BC:7A:90:E5:FD:97:17:6C:DD:46:D0:0E:2C:03:31:66:
> > > >                 B3:7C:B2:48:E1:E0:1A:63:20:48:4C:D4:55:56:71:04:3B:5F:3B:28:
> > > >                 BF:64:6C:52:A9:07:6D:FF:21:E9:06:35:E8:A1:D7:F4:C2:F9:D7:7B:
> > > >                 9D:D2:90:16:2F:68:1E:3F:BE:43:ED:64
> > > >
> > > > Failures in signed kernel module loading should show as errors at
> > > > runtime, for example in systemd services, or as oeqa parselogs test
> > > > failures, which detect signature verification error messages from the
> > > > kernel.
> > > >
> > > > Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
> > > > ---
> > > >  meta/recipes-kernel/linux/linux-yocto.inc | 3 +++
> > > >  1 file changed, 3 insertions(+)
> > > >
> > > > diff --git a/meta/recipes-kernel/linux/linux-yocto.inc b/meta/recipes-kernel/linux/linux-yocto.inc
> > > > index 091003ed82..bab1f21479 100644
> > > > --- a/meta/recipes-kernel/linux/linux-yocto.inc
> > > > +++ b/meta/recipes-kernel/linux/linux-yocto.inc
> > > > @@ -37,6 +37,9 @@ KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'efi', 'cfg/
> > > >  KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'numa', 'features/numa/numa.scc', '', d)}"
> > > >  KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'vfat', 'cfg/fs/vfat.scc', '', d)}"
> > > >
> > > > +# enable module signing by default
> > > > +KERNEL_FEATURES:append = " features/module-signing/force-signing.scc"
> > > > +
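Review bot: the unconditional `KERNEL_FEATURES:append` on the `+` line can only be undone by a `:remove` in every layer that does not want it, whereas the two context lines directly above gate their feature on `bb.utils.contains('MACHINE_FEATURES', ...)`; the same pattern (or a `DISTRO_FEATURES` test, or a PACKAGECONFIG) would keep strict signing opt-in, e.g. `KERNEL_FEATURES:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'module-signing', 'features/module-signing/force-signing.scc', '', d)}"` with a feature name of the maintainers' choosing. The comment `# enable module signing by default` also understates the effect: the fragment is `force-signing.scc` and the subject says "strict", so unsigned or wrongly signed modules are refused at load rather than merely tainting the kernel, and the commit message admits out-of-tree modules were not tested; the comment should say "enforce" and the commit message should state how externally built modules are expected to get signed.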
> > >
> > > For the reference kernels, there are a huge amount of use cases, and I
> > > support a really broad set of deployments.
> > >
> > > We can enable this via either a distro or packageconfig, but not like
> > > this, since disabling it is difficult and requires a :remove. It needs
> > > to be opt-in.
> >
> > This signing is purely a kernel-internal self-protection. Thus I don't see a
> > need for DISTRO_CONFIG, and kernel recipes don't use PACKAGECONFIG for
> > some reason. I know :append is difficult to :remove, but it's used with "numa", "vfat",
> > "ptest" etc. too.
> 
> And I've complained about those being added at times as well, in fact,
> I have a bug somewhere to clean them up.
> 
> Signing impacts the runtime, and can chain throughout the system (as
> with the stripping of the modules), so in this case, it has to be
> opt-in.

Ok, fair enough. This can't be the default then and this patch can be
ignored.

I hope the kmod openssl support can be enabled by default though.
linux-yocto too has openssl dependency by default even when signing is
disabled.

Cheers,

-Mikko
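The commit message above describes three manual checks for module signing: the "Loaded X.509 cert" lines in dmesg, the sig_* fields that `modinfo` prints, and signature verification errors in the kernel log that oeqa parselogs would catch. The following script turns those checks into code so they can run in an image test. It is an added example for this thread, not part of the patch, the linux-yocto recipe, kmod or oeqa. The modinfo parser handles the wrapped, indented `signature:` continuation lines the way the quoted output shows them. The dmesg and modinfo samples are copied from the quoted output (with the signature shortened), the log lines are constructed, and the rejection message patterns in `REJECTION_RES` are an assumption about what the kernel and modprobe print, not a list taken from the page.

```python
"""Sanity-check kernel module signing on a Yocto image.

Added example for this thread; it is not part of the patch, the linux-yocto
recipe, kmod or oeqa. It automates the three checks from the commit message:
the "Loaded X.509 cert" dmesg lines, the sig_* fields of `modinfo`, and
kernel/modprobe log lines that indicate a module was refused.
"""
import re
from typing import Dict, List

# Kernel log line emitted once per certificate built into the kernel keyring.
CERT_LOADED_RE = re.compile(r"Loaded X\.509 cert '([^']+)'")

# Assumed patterns for a module failing signature checks: the first two are
# kernel messages (enforcing / non-enforcing mode), the third is how modprobe
# reports EKEYREJECTED. Extend this list to match your kernel version.
REJECTION_RES = [
    re.compile(r"loading of .* is rejected", re.IGNORECASE),
    re.compile(r"module verification failed"),
    re.compile(r"Key was rejected by service"),
]


def parse_modinfo(text: str) -> Dict[str, str]:
    """Parse `modinfo <module>` output into {field: value}.

    modinfo wraps the long `signature:` value onto indented continuation
    lines; those are glued back onto the previous field.
    """
    fields: Dict[str, str] = {}
    last = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = re.match(r"([A-Za-z_][A-Za-z0-9_]*):\s*(.*)", line)
        if m and not line[0].isspace():
            last = m.group(1)
            fields[last] = m.group(2).strip()
        elif last is not None:
            # Continuation line. Signature bytes are joined without a
            # separator because each wrapped line already ends in ':'.
            sep = "" if last == "signature" else " "
            fields[last] = (fields[last] + sep + line.strip()).strip(" ")
    return fields


def signature_summary(fields: Dict[str, str]) -> dict:
    """Summarise the signing fields; `signed` is False for an unsigned .ko."""
    sig = fields.get("signature", "")
    if not sig:
        return {"name": fields.get("name", "?"), "signed": False}
    sig_bytes = [b for b in sig.split(":") if b]
    return {
        "name": fields.get("name", "?"),
        "signed": True,
        "sig_id": fields.get("sig_id", ""),
        "signer": fields.get("signer", ""),
        "sig_hashalgo": fields.get("sig_hashalgo", ""),
        "sig_key": fields.get("sig_key", ""),
        "signature_bytes": len(sig_bytes),
    }


def loaded_certs(dmesg: str) -> List[str]:
    """Names of the X.509 certs the kernel loaded into its builtin keyring."""
    return CERT_LOADED_RE.findall(dmesg)


def rejected_modules(log_lines: List[str]) -> List[str]:
    """Log lines that indicate a module was refused (or tainted) for signature reasons."""
    return [line for line in log_lines if any(r.search(line) for r in REJECTION_RES)]


def check_module_signing(dmesg: str, modinfo_text: str, log_lines: List[str]) -> dict:
    """Combine the three checks. `ok` means a kernel key is present, the module
    carries a signature by that key, and no rejection was logged."""
    certs = loaded_certs(dmesg)
    summary = signature_summary(parse_modinfo(modinfo_text))
    rejections = rejected_modules(log_lines)
    signed_by_kernel_key = summary["signed"] and any(summary["signer"] in c for c in certs)
    return {
        "certs": certs,
        "module": summary,
        "rejections": rejections,
        "ok": bool(certs) and signed_by_kernel_key and not rejections,
    }


# Sample input: dmesg and modinfo lines as quoted in the thread, with the
# signature shortened to three wrapped lines (the real one is 512 bytes).
SAMPLE_DMESG = """\
[    1.298936] Loading compiled-in X.509 certificates
[    1.328280] Loaded X.509 cert 'Build time autogenerated kernel key: ee1bed6d845358744c764683bf73b4404cc79287'
"""

SAMPLE_MODINFO = """\
filename:       /lib/modules/5.19.9-yocto-standard/kernel/net/sched/sch_fq_codel.ko
description:    Fair Queue CoDel discipline
license:        GPL
depends:
intree:         Y
name:           sch_fq_codel
vermagic:       5.19.9-yocto-standard SMP preempt mod_unload
sig_id:         PKCS#7
signer:         Build time autogenerated kernel key
sig_key:        2B:2A:BE:7D:B5:92:DC:98:A9:F8:D7:00:A6:73:35:20:10:D8:19:EE
sig_hashalgo:   sha512
signature:      72:6C:E1:78:7C:A7:7B:CC:C4:33:23:6B:95:EC:1B:2A:BD:D9:EC:7A:
                85:07:05:B2:70:3C:C9:64:F6:78:8A:01:A0:E3:64:C7:47:BB:5D:0E:
                9D:D2:90:16:2F:68:1E:3F:BE:43:ED:64
"""

# Constructed log lines: one harmless taint notice and two rejections.
SAMPLE_LOG = [
    "[   12.001] sch_fq_codel: loading out-of-tree module taints kernel.",
    "[   12.002] Loading of unsigned module is rejected",
    "modprobe: ERROR: could not insert 'foo': Key was rejected by service",
]

if __name__ == "__main__":
    print(check_module_signing(SAMPLE_DMESG, SAMPLE_MODINFO, []))
    print(check_module_signing(SAMPLE_DMESG, SAMPLE_MODINFO, SAMPLE_LOG))
```

On a running image the inputs would come from `dmesg`, `modinfo <module>` and the journal rather than the embedded samples. Fed the full modinfo output quoted above, `signature_summary` reports 512 signature bytes, consistent with the 4096-bit RSA build-time key, and `signer` matches the prefix of the cert name in dmesg, which is the link `check_module_signing` relies on.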


Thread overview: 12+ messages
2022-11-25 15:54 [PATCH] linux-yocto: enable strict kernel module signing by default Mikko Rapeli
2022-11-25 15:57 ` Mikko Rapeli
2022-11-25 16:11 ` [OE-core] " Jack Mitchell
2022-11-26 10:45   ` Mikko Rapeli
2022-11-27  3:34   ` Bruce Ashfield
2022-11-27 18:47     ` Jack Mitchell
2022-11-28 11:12       ` Mikko Rapeli
2022-11-28 12:01         ` Ross Burton
2022-11-27  3:06 ` Bruce Ashfield
2022-11-28  7:12   ` Mikko Rapeli
2022-11-28 14:03     ` Bruce Ashfield
2022-11-28 14:23       ` Mikko Rapeli [this message]
