diff mbox series

linux-yocto: enable strict kernel module signing by default

Message ID 20221125155412.1119701-1-mikko.rapeli@linaro.org
State New
Headers show
Series linux-yocto: enable strict kernel module signing by default | expand

Commit Message

Mikko Rapeli Nov. 25, 2022, 3:54 p.m. UTC 
It's a good default and used in many Linux distributions.
Did not test out of tree modules if they do correct things but
any such failures should be fixed.

One way to verify that kernel module signing also works:

root@qemux86-64:~# dmesg|grep X.509
[    1.298936] Loading compiled-in X.509 certificates
[    1.328280] Loaded X.509 cert 'Build time autogenerated kernel key: ee1bed6d845358744c764683bf73b4404cc79287'

These logs in dmesg show that signing in kernel is enabled and
key is found. Then if any kernel modules load, they were
signed correctly. Additionally modinfo tool from kmod shows kernel module
signing details:

root@qemux86-64:~# lsmod
Module                  Size  Used by
sch_fq_codel           20480  1
root@qemux86-64:~# modinfo sch_fq_codel
filename:
/lib/modules/5.19.9-yocto-standard/kernel/net/sched/sch_fq_codel.ko
description:    Fair Queue CoDel discipline
license:        GPL
author:         Eric Dumazet
depends:
retpoline:      Y
intree:         Y
name:           sch_fq_codel
vermagic:       5.19.9-yocto-standard SMP preempt mod_unload
sig_id:         PKCS#7
signer:         Build time autogenerated kernel key
sig_key:        2B:2A:BE:7D:B5:92:DC:98:A9:F8:D7:00:A6:73:35:20:10:D8:19:EE
sig_hashalgo:   sha512
signature:      72:6C:E1:78:7C:A7:7B:CC:C4:33:23:6B:95:EC:1B:2A:BD:D9:EC:7A:
                85:07:05:B2:70:3C:C9:64:F6:78:8A:01:A0:E3:64:C7:47:BB:5D:0E:
                86:BA:C1:DD:40:05:AE:1F:19:D4:F0:98:49:86:CC:61:14:3C:AB:1E:
                4A:1C:83:47:1D:FA:6D:E4:83:79:3A:2B:3F:7D:B6:E0:09:AE:B4:01:
                07:EE:C9:5B:99:70:4F:49:8A:64:E4:7D:84:AA:37:F5:DB:5F:16:5C:
                D4:DC:0C:33:73:5D:D9:8D:7E:71:5B:A1:ED:61:81:5E:1C:ED:A2:D8:
                76:46:99:B3:78:08:F7:7F:0D:4B:94:26:21:63:47:B0:75:9F:A4:EA:
                3D:14:D4:09:CC:59:F3:FC:80:AC:BF:56:1E:8C:73:FD:CB:07:27:C6:
                3D:98:4C:E4:C3:9C:C0:AD:90:53:46:8F:AE:66:FE:10:C8:92:7F:BA:
                74:C2:B0:E3:6E:47:66:AB:39:25:41:12:66:91:20:27:1A:58:77:75:
                4F:C0:3F:F1:8E:5F:AB:0A:BD:8B:62:4F:2B:01:5A:5C:4E:5C:31:39:
                FB:F4:14:2E:BF:D8:51:4B:C8:D0:E2:0A:20:80:95:05:80:E3:46:75:
                43:80:30:63:6F:A4:25:82:59:35:34:E8:6A:DC:FF:93:F8:32:BB:FA:
                66:2D:B9:08:75:1A:3A:3A:5D:57:F4:63:85:01:B4:EB:96:1B:CE:6F:
                4D:61:FC:AA:6C:39:7F:D6:37:C9:84:0A:84:17:FB:BE:FC:20:CB:EE:
                8C:2F:93:92:F6:48:F4:07:50:84:D8:2C:B5:2E:A7:7D:3A:3F:DC:E9:
                B9:17:EF:47:49:EC:BA:62:1C:C4:C6:58:9C:0C:8D:26:41:6E:1F:C1:
                95:A7:8B:57:5D:1D:4B:B4:04:00:F6:68:24:9E:E2:BF:11:EC:05:6C:
                83:E8:C6:DB:BB:3D:22:8B:31:BB:99:1A:44:E1:15:71:C3:AA:FA:01:
                98:BA:6B:20:26:D6:9C:61:5C:6F:81:29:09:B1:EA:C5:28:15:F3:98:
                C0:18:FE:08:8B:40:A5:F3:3C:71:4B:C6:41:CD:38:51:79:EA:5D:C9:
                13:39:B5:FD:A3:D1:BB:11:94:66:F7:7B:6A:DC:2C:01:5F:AB:73:08:
                68:24:32:BE:BC:7A:90:E5:FD:97:17:6C:DD:46:D0:0E:2C:03:31:66:
                B3:7C:B2:48:E1:E0:1A:63:20:48:4C:D4:55:56:71:04:3B:5F:3B:28:
                BF:64:6C:52:A9:07:6D:FF:21:E9:06:35:E8:A1:D7:F4:C2:F9:D7:7B:
                9D:D2:90:16:2F:68:1E:3F:BE:43:ED:64

Failures in signed kernel module loading should show as errors at
runtime, for example systemd services, or as oeqa parselogs test
failures which detects signature verification error messages from the
kernel.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
---
 meta/recipes-kernel/linux/linux-yocto.inc | 3 +++
 1 file changed, 3 insertions(+)

Comments

Mikko Rapeli Nov. 25, 2022, 3:57 p.m. UTC | #1 
Hi,

On Fri, Nov 25, 2022 at 05:54:12PM +0200, Mikko Rapeli wrote:
> It's a good default and used in many Linux distributions.
> Did not test out of tree modules if they do correct things but
> any such failures should be fixed.

When testing this I saw some odd results and cert verification
failures at runtime. I suspect it was just me and I did not take
into account how kernel and rootfs get deployed while rebuilding
the changes and can't reproduce any errors with this now.

But if this exposes any issues, then those would need to be fixed too.

I think this is a good default.

Cheers,

-Mikko

> One way to verify that kernel module signing also works:
> 
> root@qemux86-64:~# dmesg|grep X.509
> [    1.298936] Loading compiled-in X.509 certificates
> [    1.328280] Loaded X.509 cert 'Build time autogenerated kernel key: ee1bed6d845358744c764683bf73b4404cc79287'
> 
> These logs in dmesg show that signing in kernel is enabled and
> key is found. Then if any kernel modules load, they were
> signed correctly. Additionally modinfo tool from kmod shows kernel module
> signing details:
> 
> root@qemux86-64:~# lsmod
> Module                  Size  Used by
> sch_fq_codel           20480  1
> root@qemux86-64:~# modinfo sch_fq_codel
> filename:
> /lib/modules/5.19.9-yocto-standard/kernel/net/sched/sch_fq_codel.ko
> description:    Fair Queue CoDel discipline
> license:        GPL
> author:         Eric Dumazet
> depends:
> retpoline:      Y
> intree:         Y
> name:           sch_fq_codel
> vermagic:       5.19.9-yocto-standard SMP preempt mod_unload
> sig_id:         PKCS#7
> signer:         Build time autogenerated kernel key
> sig_key:        2B:2A:BE:7D:B5:92:DC:98:A9:F8:D7:00:A6:73:35:20:10:D8:19:EE
> sig_hashalgo:   sha512
> signature:      72:6C:E1:78:7C:A7:7B:CC:C4:33:23:6B:95:EC:1B:2A:BD:D9:EC:7A:
>                 85:07:05:B2:70:3C:C9:64:F6:78:8A:01:A0:E3:64:C7:47:BB:5D:0E:
>                 86:BA:C1:DD:40:05:AE:1F:19:D4:F0:98:49:86:CC:61:14:3C:AB:1E:
>                 4A:1C:83:47:1D:FA:6D:E4:83:79:3A:2B:3F:7D:B6:E0:09:AE:B4:01:
>                 07:EE:C9:5B:99:70:4F:49:8A:64:E4:7D:84:AA:37:F5:DB:5F:16:5C:
>                 D4:DC:0C:33:73:5D:D9:8D:7E:71:5B:A1:ED:61:81:5E:1C:ED:A2:D8:
>                 76:46:99:B3:78:08:F7:7F:0D:4B:94:26:21:63:47:B0:75:9F:A4:EA:
>                 3D:14:D4:09:CC:59:F3:FC:80:AC:BF:56:1E:8C:73:FD:CB:07:27:C6:
>                 3D:98:4C:E4:C3:9C:C0:AD:90:53:46:8F:AE:66:FE:10:C8:92:7F:BA:
>                 74:C2:B0:E3:6E:47:66:AB:39:25:41:12:66:91:20:27:1A:58:77:75:
>                 4F:C0:3F:F1:8E:5F:AB:0A:BD:8B:62:4F:2B:01:5A:5C:4E:5C:31:39:
>                 FB:F4:14:2E:BF:D8:51:4B:C8:D0:E2:0A:20:80:95:05:80:E3:46:75:
>                 43:80:30:63:6F:A4:25:82:59:35:34:E8:6A:DC:FF:93:F8:32:BB:FA:
>                 66:2D:B9:08:75:1A:3A:3A:5D:57:F4:63:85:01:B4:EB:96:1B:CE:6F:
>                 4D:61:FC:AA:6C:39:7F:D6:37:C9:84:0A:84:17:FB:BE:FC:20:CB:EE:
>                 8C:2F:93:92:F6:48:F4:07:50:84:D8:2C:B5:2E:A7:7D:3A:3F:DC:E9:
>                 B9:17:EF:47:49:EC:BA:62:1C:C4:C6:58:9C:0C:8D:26:41:6E:1F:C1:
>                 95:A7:8B:57:5D:1D:4B:B4:04:00:F6:68:24:9E:E2:BF:11:EC:05:6C:
>                 83:E8:C6:DB:BB:3D:22:8B:31:BB:99:1A:44:E1:15:71:C3:AA:FA:01:
>                 98:BA:6B:20:26:D6:9C:61:5C:6F:81:29:09:B1:EA:C5:28:15:F3:98:
>                 C0:18:FE:08:8B:40:A5:F3:3C:71:4B:C6:41:CD:38:51:79:EA:5D:C9:
>                 13:39:B5:FD:A3:D1:BB:11:94:66:F7:7B:6A:DC:2C:01:5F:AB:73:08:
>                 68:24:32:BE:BC:7A:90:E5:FD:97:17:6C:DD:46:D0:0E:2C:03:31:66:
>                 B3:7C:B2:48:E1:E0:1A:63:20:48:4C:D4:55:56:71:04:3B:5F:3B:28:
>                 BF:64:6C:52:A9:07:6D:FF:21:E9:06:35:E8:A1:D7:F4:C2:F9:D7:7B:
>                 9D:D2:90:16:2F:68:1E:3F:BE:43:ED:64
> 
> Failures in signed kernel module loading should show as errors at
> runtime, for example systemd services, or as oeqa parselogs test
> failures which detects signature verification error messages from the
> kernel.
> 
> Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
> ---
>  meta/recipes-kernel/linux/linux-yocto.inc | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/meta/recipes-kernel/linux/linux-yocto.inc b/meta/recipes-kernel/linux/linux-yocto.inc
> index 091003ed82..bab1f21479 100644
> --- a/meta/recipes-kernel/linux/linux-yocto.inc
> +++ b/meta/recipes-kernel/linux/linux-yocto.inc
> @@ -37,6 +37,9 @@ KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'efi', 'cfg/
>  KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'numa', 'features/numa/numa.scc', '', d)}"
>  KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'vfat', 'cfg/fs/vfat.scc', '', d)}"
>  
> +# enable module signing by default
> +KERNEL_FEATURES:append = " features/module-signing/force-signing.scc"
> +
>  # A KMACHINE is the mapping of a yocto $MACHINE to what is built
>  # by the kernel. This is typically the branch that should be built,
>  # and it can be specific to the machine or shared
> -- 
> 2.35.1
>
Jack Mitchell Nov. 25, 2022, 4:11 p.m. UTC | #2 
On 25/11/2022 15:54, Mikko Rapeli wrote:
> It's a good default and used in many Linux distributions.
> Did not test out of tree modules if they do correct things but
> any such failures should be fixed.
> 
> One way to verify that kernel module signing also works:
> 
> root@qemux86-64:~# dmesg|grep X.509
> [    1.298936] Loading compiled-in X.509 certificates
> [    1.328280] Loaded X.509 cert 'Build time autogenerated kernel key: ee1bed6d845358744c764683bf73b4404cc79287'
> 
> These logs in dmesg show that signing in kernel is enabled and
> key is found. Then if any kernel modules load, they were
> signed correctly. Additionally modinfo tool from kmod shows kernel module
> signing details:

Hi Mikko,

Do the kernel modules get properly stripped, last time I was looking at
this it was skipped when signed and as such root filesystem sizes
ballooned with signed modules.

Regards,
Jack.

> 
> root@qemux86-64:~# lsmod
> Module                  Size  Used by
> sch_fq_codel           20480  1
> root@qemux86-64:~# modinfo sch_fq_codel
> filename:
> /lib/modules/5.19.9-yocto-standard/kernel/net/sched/sch_fq_codel.ko
> description:    Fair Queue CoDel discipline
> license:        GPL
> author:         Eric Dumazet
> depends:
> retpoline:      Y
> intree:         Y
> name:           sch_fq_codel
> vermagic:       5.19.9-yocto-standard SMP preempt mod_unload
> sig_id:         PKCS#7
> signer:         Build time autogenerated kernel key
> sig_key:        2B:2A:BE:7D:B5:92:DC:98:A9:F8:D7:00:A6:73:35:20:10:D8:19:EE
> sig_hashalgo:   sha512
> signature:      72:6C:E1:78:7C:A7:7B:CC:C4:33:23:6B:95:EC:1B:2A:BD:D9:EC:7A:
>                 85:07:05:B2:70:3C:C9:64:F6:78:8A:01:A0:E3:64:C7:47:BB:5D:0E:
>                 86:BA:C1:DD:40:05:AE:1F:19:D4:F0:98:49:86:CC:61:14:3C:AB:1E:
>                 4A:1C:83:47:1D:FA:6D:E4:83:79:3A:2B:3F:7D:B6:E0:09:AE:B4:01:
>                 07:EE:C9:5B:99:70:4F:49:8A:64:E4:7D:84:AA:37:F5:DB:5F:16:5C:
>                 D4:DC:0C:33:73:5D:D9:8D:7E:71:5B:A1:ED:61:81:5E:1C:ED:A2:D8:
>                 76:46:99:B3:78:08:F7:7F:0D:4B:94:26:21:63:47:B0:75:9F:A4:EA:
>                 3D:14:D4:09:CC:59:F3:FC:80:AC:BF:56:1E:8C:73:FD:CB:07:27:C6:
>                 3D:98:4C:E4:C3:9C:C0:AD:90:53:46:8F:AE:66:FE:10:C8:92:7F:BA:
>                 74:C2:B0:E3:6E:47:66:AB:39:25:41:12:66:91:20:27:1A:58:77:75:
>                 4F:C0:3F:F1:8E:5F:AB:0A:BD:8B:62:4F:2B:01:5A:5C:4E:5C:31:39:
>                 FB:F4:14:2E:BF:D8:51:4B:C8:D0:E2:0A:20:80:95:05:80:E3:46:75:
>                 43:80:30:63:6F:A4:25:82:59:35:34:E8:6A:DC:FF:93:F8:32:BB:FA:
>                 66:2D:B9:08:75:1A:3A:3A:5D:57:F4:63:85:01:B4:EB:96:1B:CE:6F:
>                 4D:61:FC:AA:6C:39:7F:D6:37:C9:84:0A:84:17:FB:BE:FC:20:CB:EE:
>                 8C:2F:93:92:F6:48:F4:07:50:84:D8:2C:B5:2E:A7:7D:3A:3F:DC:E9:
>                 B9:17:EF:47:49:EC:BA:62:1C:C4:C6:58:9C:0C:8D:26:41:6E:1F:C1:
>                 95:A7:8B:57:5D:1D:4B:B4:04:00:F6:68:24:9E:E2:BF:11:EC:05:6C:
>                 83:E8:C6:DB:BB:3D:22:8B:31:BB:99:1A:44:E1:15:71:C3:AA:FA:01:
>                 98:BA:6B:20:26:D6:9C:61:5C:6F:81:29:09:B1:EA:C5:28:15:F3:98:
>                 C0:18:FE:08:8B:40:A5:F3:3C:71:4B:C6:41:CD:38:51:79:EA:5D:C9:
>                 13:39:B5:FD:A3:D1:BB:11:94:66:F7:7B:6A:DC:2C:01:5F:AB:73:08:
>                 68:24:32:BE:BC:7A:90:E5:FD:97:17:6C:DD:46:D0:0E:2C:03:31:66:
>                 B3:7C:B2:48:E1:E0:1A:63:20:48:4C:D4:55:56:71:04:3B:5F:3B:28:
>                 BF:64:6C:52:A9:07:6D:FF:21:E9:06:35:E8:A1:D7:F4:C2:F9:D7:7B:
>                 9D:D2:90:16:2F:68:1E:3F:BE:43:ED:64
> 
> Failures in signed kernel module loading should show as errors at
> runtime, for example systemd services, or as oeqa parselogs test
> failures which detects signature verification error messages from the
> kernel.
> 
> Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
> ---
>  meta/recipes-kernel/linux/linux-yocto.inc | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/meta/recipes-kernel/linux/linux-yocto.inc b/meta/recipes-kernel/linux/linux-yocto.inc
> index 091003ed82..bab1f21479 100644
> --- a/meta/recipes-kernel/linux/linux-yocto.inc
> +++ b/meta/recipes-kernel/linux/linux-yocto.inc
> @@ -37,6 +37,9 @@ KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'efi', 'cfg/
>  KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'numa', 'features/numa/numa.scc', '', d)}"
>  KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'vfat', 'cfg/fs/vfat.scc', '', d)}"
>  
> +# enable module signing by default
> +KERNEL_FEATURES:append = " features/module-signing/force-signing.scc"
> +
>  # A KMACHINE is the mapping of a yocto $MACHINE to what is built
>  # by the kernel. This is typically the branch that should be built,
>  # and it can be specific to the machine or shared
> 
> 
> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#173774): https://lists.openembedded.org/g/openembedded-core/message/173774
> Mute This Topic: https://lists.openembedded.org/mt/95256076/3618454
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ml@embed.me.uk]
> -=-=-=-=-=-=-=-=-=-=-=-
>
Mikko Rapeli Nov. 26, 2022, 10:45 a.m. UTC | #3 
Hi,

On Fri, Nov 25, 2022 at 04:11:40PM +0000, Jack Mitchell wrote:
> On 25/11/2022 15:54, Mikko Rapeli wrote:
> > It's a good default and used in many Linux distributions.
> > Did not test out of tree modules if they do correct things but
> > any such failures should be fixed.
> > 
> > One way to verify that kernel module signing also works:
> > 
> > root@qemux86-64:~# dmesg|grep X.509
> > [    1.298936] Loading compiled-in X.509 certificates
> > [    1.328280] Loaded X.509 cert 'Build time autogenerated kernel key: ee1bed6d845358744c764683bf73b4404cc79287'
> > 
> > These logs in dmesg show that signing in kernel is enabled and
> > key is found. Then if any kernel modules load, they were
> > signed correctly. Additionally modinfo tool from kmod shows kernel module
> > signing details:
> 
> Hi Mikko,
> 
> Do the kernel modules get properly stripped, last time I was looking at
> this it was skipped when signed and as such root filesystem sizes
> ballooned with signed modules.

Yes, possibly. Linux kernel build scripts can also do this stripping
though, and they do it correctly for kernel modules wile keeping signing
and other data intact.

We could provide EXTRA_OEMAKE += "INSTALL_MOD_STRIP=1" for kernel and
module builds to strip debug info.

$ cat linux/scripts/Makefile.modinst
...
# Strip
#
# INSTALL_MOD_STRIP, if defined, will cause modules to be stripped after
# they
# are installed. If INSTALL_MOD_STRIP is '1', then the default option
# --strip-debug will be used. Otherwise, INSTALL_MOD_STRIP value will be
# used
# as the options to the strip command.
ifdef INSTALL_MOD_STRIP

ifeq ($(INSTALL_MOD_STRIP),1)
strip-option := --strip-debug
else
strip-option := $(INSTALL_MOD_STRIP)
endif
...

Cheers,

-Mikko
Bruce Ashfield Nov. 27, 2022, 3:06 a.m. UTC | #4 
On Fri, Nov 25, 2022 at 10:54 AM Mikko Rapeli <mikko.rapeli@linaro.org> wrote:
>
> It's a good default and used in many Linux distributions.
> Did not test out of tree modules if they do correct things but
> any such failures should be fixed.
>
> One way to verify that kernel module signing also works:
>
> root@qemux86-64:~# dmesg|grep X.509
> [    1.298936] Loading compiled-in X.509 certificates
> [    1.328280] Loaded X.509 cert 'Build time autogenerated kernel key: ee1bed6d845358744c764683bf73b4404cc79287'
>
> These logs in dmesg show that signing in kernel is enabled and
> key is found. Then if any kernel modules load, they were
> signed correctly. Additionally modinfo tool from kmod shows kernel module
> signing details:
>
> root@qemux86-64:~# lsmod
> Module                  Size  Used by
> sch_fq_codel           20480  1
> root@qemux86-64:~# modinfo sch_fq_codel
> filename:
> /lib/modules/5.19.9-yocto-standard/kernel/net/sched/sch_fq_codel.ko
> description:    Fair Queue CoDel discipline
> license:        GPL
> author:         Eric Dumazet
> depends:
> retpoline:      Y
> intree:         Y
> name:           sch_fq_codel
> vermagic:       5.19.9-yocto-standard SMP preempt mod_unload
> sig_id:         PKCS#7
> signer:         Build time autogenerated kernel key
> sig_key:        2B:2A:BE:7D:B5:92:DC:98:A9:F8:D7:00:A6:73:35:20:10:D8:19:EE
> sig_hashalgo:   sha512
> signature:      72:6C:E1:78:7C:A7:7B:CC:C4:33:23:6B:95:EC:1B:2A:BD:D9:EC:7A:
>                 85:07:05:B2:70:3C:C9:64:F6:78:8A:01:A0:E3:64:C7:47:BB:5D:0E:
>                 86:BA:C1:DD:40:05:AE:1F:19:D4:F0:98:49:86:CC:61:14:3C:AB:1E:
>                 4A:1C:83:47:1D:FA:6D:E4:83:79:3A:2B:3F:7D:B6:E0:09:AE:B4:01:
>                 07:EE:C9:5B:99:70:4F:49:8A:64:E4:7D:84:AA:37:F5:DB:5F:16:5C:
>                 D4:DC:0C:33:73:5D:D9:8D:7E:71:5B:A1:ED:61:81:5E:1C:ED:A2:D8:
>                 76:46:99:B3:78:08:F7:7F:0D:4B:94:26:21:63:47:B0:75:9F:A4:EA:
>                 3D:14:D4:09:CC:59:F3:FC:80:AC:BF:56:1E:8C:73:FD:CB:07:27:C6:
>                 3D:98:4C:E4:C3:9C:C0:AD:90:53:46:8F:AE:66:FE:10:C8:92:7F:BA:
>                 74:C2:B0:E3:6E:47:66:AB:39:25:41:12:66:91:20:27:1A:58:77:75:
>                 4F:C0:3F:F1:8E:5F:AB:0A:BD:8B:62:4F:2B:01:5A:5C:4E:5C:31:39:
>                 FB:F4:14:2E:BF:D8:51:4B:C8:D0:E2:0A:20:80:95:05:80:E3:46:75:
>                 43:80:30:63:6F:A4:25:82:59:35:34:E8:6A:DC:FF:93:F8:32:BB:FA:
>                 66:2D:B9:08:75:1A:3A:3A:5D:57:F4:63:85:01:B4:EB:96:1B:CE:6F:
>                 4D:61:FC:AA:6C:39:7F:D6:37:C9:84:0A:84:17:FB:BE:FC:20:CB:EE:
>                 8C:2F:93:92:F6:48:F4:07:50:84:D8:2C:B5:2E:A7:7D:3A:3F:DC:E9:
>                 B9:17:EF:47:49:EC:BA:62:1C:C4:C6:58:9C:0C:8D:26:41:6E:1F:C1:
>                 95:A7:8B:57:5D:1D:4B:B4:04:00:F6:68:24:9E:E2:BF:11:EC:05:6C:
>                 83:E8:C6:DB:BB:3D:22:8B:31:BB:99:1A:44:E1:15:71:C3:AA:FA:01:
>                 98:BA:6B:20:26:D6:9C:61:5C:6F:81:29:09:B1:EA:C5:28:15:F3:98:
>                 C0:18:FE:08:8B:40:A5:F3:3C:71:4B:C6:41:CD:38:51:79:EA:5D:C9:
>                 13:39:B5:FD:A3:D1:BB:11:94:66:F7:7B:6A:DC:2C:01:5F:AB:73:08:
>                 68:24:32:BE:BC:7A:90:E5:FD:97:17:6C:DD:46:D0:0E:2C:03:31:66:
>                 B3:7C:B2:48:E1:E0:1A:63:20:48:4C:D4:55:56:71:04:3B:5F:3B:28:
>                 BF:64:6C:52:A9:07:6D:FF:21:E9:06:35:E8:A1:D7:F4:C2:F9:D7:7B:
>                 9D:D2:90:16:2F:68:1E:3F:BE:43:ED:64
>
> Failures in signed kernel module loading should show as errors at
> runtime, for example systemd services, or as oeqa parselogs test
> failures which detects signature verification error messages from the
> kernel.
>
> Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
> ---
>  meta/recipes-kernel/linux/linux-yocto.inc | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/meta/recipes-kernel/linux/linux-yocto.inc b/meta/recipes-kernel/linux/linux-yocto.inc
> index 091003ed82..bab1f21479 100644
> --- a/meta/recipes-kernel/linux/linux-yocto.inc
> +++ b/meta/recipes-kernel/linux/linux-yocto.inc
> @@ -37,6 +37,9 @@ KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'efi', 'cfg/
>  KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'numa', 'features/numa/numa.scc', '', d)}"
>  KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'vfat', 'cfg/fs/vfat.scc', '', d)}"
>
> +# enable module signing by default
> +KERNEL_FEATURES:append = " features/module-signing/force-signing.scc"
> +

For the reference kernels, there are a huge amount of use cases, and I
support a really broad set of deployments.

We can enable this via either a distro or packageconfig, but not like
this, since disabling it is difficult and requires a :remove. It needs
to be opt-in.

Bruce

>  # A KMACHINE is the mapping of a yocto $MACHINE to what is built
>  # by the kernel. This is typically the branch that should be built,
>  # and it can be specific to the machine or shared
> --
> 2.35.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#173774): https://lists.openembedded.org/g/openembedded-core/message/173774
> Mute This Topic: https://lists.openembedded.org/mt/95256076/1050810
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [bruce.ashfield@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
Bruce Ashfield Nov. 27, 2022, 3:34 a.m. UTC | #5 
On Fri, Nov 25, 2022 at 11:11 AM Jack Mitchell <ml@embed.me.uk> wrote:
>
> On 25/11/2022 15:54, Mikko Rapeli wrote:
> > It's a good default and used in many Linux distributions.
> > Did not test out of tree modules if they do correct things but
> > any such failures should be fixed.
> >
> > One way to verify that kernel module signing also works:
> >
> > root@qemux86-64:~# dmesg|grep X.509
> > [    1.298936] Loading compiled-in X.509 certificates
> > [    1.328280] Loaded X.509 cert 'Build time autogenerated kernel key: ee1bed6d845358744c764683bf73b4404cc79287'
> >
> > These logs in dmesg show that signing in kernel is enabled and
> > key is found. Then if any kernel modules load, they were
> > signed correctly. Additionally modinfo tool from kmod shows kernel module
> > signing details:
>
> Hi Mikko,
>
> Do the kernel modules get properly stripped, last time I was looking at
> this it was skipped when signed and as such root filesystem sizes
> ballooned with signed modules.

oe package.py still does skip stripping for signed modules.

I'm sure it is fixable, but we need someone to step up and have a closer look.

Richard can probably comment better than I can, but there's a variety
of use cases (from SDKs, to debug, to SBOM, etc) that all need to deal
with whether binaries are stripped and be able to find the
non-stripped executables in order to work properly.

So to answer the follow up suggestion of using the kernel's module
strip directly .. it also might be feasible, but we need to make sure
that all the other uses cases still work. My preference is to do the
work in package.py, so that we don't have to worry about the kernel
provider and any additional features have code in the same place as a
baseline.

Bruce

>
> Regards,
> Jack.
>
> >
> > root@qemux86-64:~# lsmod
> > Module                  Size  Used by
> > sch_fq_codel           20480  1
> > root@qemux86-64:~# modinfo sch_fq_codel
> > filename:
> > /lib/modules/5.19.9-yocto-standard/kernel/net/sched/sch_fq_codel.ko
> > description:    Fair Queue CoDel discipline
> > license:        GPL
> > author:         Eric Dumazet
> > depends:
> > retpoline:      Y
> > intree:         Y
> > name:           sch_fq_codel
> > vermagic:       5.19.9-yocto-standard SMP preempt mod_unload
> > sig_id:         PKCS#7
> > signer:         Build time autogenerated kernel key
> > sig_key:        2B:2A:BE:7D:B5:92:DC:98:A9:F8:D7:00:A6:73:35:20:10:D8:19:EE
> > sig_hashalgo:   sha512
> > signature:      72:6C:E1:78:7C:A7:7B:CC:C4:33:23:6B:95:EC:1B:2A:BD:D9:EC:7A:
> >                 85:07:05:B2:70:3C:C9:64:F6:78:8A:01:A0:E3:64:C7:47:BB:5D:0E:
> >                 86:BA:C1:DD:40:05:AE:1F:19:D4:F0:98:49:86:CC:61:14:3C:AB:1E:
> >                 4A:1C:83:47:1D:FA:6D:E4:83:79:3A:2B:3F:7D:B6:E0:09:AE:B4:01:
> >                 07:EE:C9:5B:99:70:4F:49:8A:64:E4:7D:84:AA:37:F5:DB:5F:16:5C:
> >                 D4:DC:0C:33:73:5D:D9:8D:7E:71:5B:A1:ED:61:81:5E:1C:ED:A2:D8:
> >                 76:46:99:B3:78:08:F7:7F:0D:4B:94:26:21:63:47:B0:75:9F:A4:EA:
> >                 3D:14:D4:09:CC:59:F3:FC:80:AC:BF:56:1E:8C:73:FD:CB:07:27:C6:
> >                 3D:98:4C:E4:C3:9C:C0:AD:90:53:46:8F:AE:66:FE:10:C8:92:7F:BA:
> >                 74:C2:B0:E3:6E:47:66:AB:39:25:41:12:66:91:20:27:1A:58:77:75:
> >                 4F:C0:3F:F1:8E:5F:AB:0A:BD:8B:62:4F:2B:01:5A:5C:4E:5C:31:39:
> >                 FB:F4:14:2E:BF:D8:51:4B:C8:D0:E2:0A:20:80:95:05:80:E3:46:75:
> >                 43:80:30:63:6F:A4:25:82:59:35:34:E8:6A:DC:FF:93:F8:32:BB:FA:
> >                 66:2D:B9:08:75:1A:3A:3A:5D:57:F4:63:85:01:B4:EB:96:1B:CE:6F:
> >                 4D:61:FC:AA:6C:39:7F:D6:37:C9:84:0A:84:17:FB:BE:FC:20:CB:EE:
> >                 8C:2F:93:92:F6:48:F4:07:50:84:D8:2C:B5:2E:A7:7D:3A:3F:DC:E9:
> >                 B9:17:EF:47:49:EC:BA:62:1C:C4:C6:58:9C:0C:8D:26:41:6E:1F:C1:
> >                 95:A7:8B:57:5D:1D:4B:B4:04:00:F6:68:24:9E:E2:BF:11:EC:05:6C:
> >                 83:E8:C6:DB:BB:3D:22:8B:31:BB:99:1A:44:E1:15:71:C3:AA:FA:01:
> >                 98:BA:6B:20:26:D6:9C:61:5C:6F:81:29:09:B1:EA:C5:28:15:F3:98:
> >                 C0:18:FE:08:8B:40:A5:F3:3C:71:4B:C6:41:CD:38:51:79:EA:5D:C9:
> >                 13:39:B5:FD:A3:D1:BB:11:94:66:F7:7B:6A:DC:2C:01:5F:AB:73:08:
> >                 68:24:32:BE:BC:7A:90:E5:FD:97:17:6C:DD:46:D0:0E:2C:03:31:66:
> >                 B3:7C:B2:48:E1:E0:1A:63:20:48:4C:D4:55:56:71:04:3B:5F:3B:28:
> >                 BF:64:6C:52:A9:07:6D:FF:21:E9:06:35:E8:A1:D7:F4:C2:F9:D7:7B:
> >                 9D:D2:90:16:2F:68:1E:3F:BE:43:ED:64
> >
> > Failures in signed kernel module loading should show as errors at
> > runtime, for example systemd services, or as oeqa parselogs test
> > failures which detects signature verification error messages from the
> > kernel.
> >
> > Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
> > ---
> >  meta/recipes-kernel/linux/linux-yocto.inc | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/meta/recipes-kernel/linux/linux-yocto.inc b/meta/recipes-kernel/linux/linux-yocto.inc
> > index 091003ed82..bab1f21479 100644
> > --- a/meta/recipes-kernel/linux/linux-yocto.inc
> > +++ b/meta/recipes-kernel/linux/linux-yocto.inc
> > @@ -37,6 +37,9 @@ KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'efi', 'cfg/
> >  KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'numa', 'features/numa/numa.scc', '', d)}"
> >  KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'vfat', 'cfg/fs/vfat.scc', '', d)}"
> >
> > +# enable module signing by default
> > +KERNEL_FEATURES:append = " features/module-signing/force-signing.scc"
> > +
> >  # A KMACHINE is the mapping of a yocto $MACHINE to what is built
> >  # by the kernel. This is typically the branch that should be built,
> >  # and it can be specific to the machine or shared
> >
> >
> >
> >
> >
>
> --
> Jack Mitchell, Consultant
> https://www.tuxable.co.uk
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#173776): https://lists.openembedded.org/g/openembedded-core/message/173776
> Mute This Topic: https://lists.openembedded.org/mt/95256076/1050810
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [bruce.ashfield@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
Jack Mitchell Nov. 27, 2022, 6:47 p.m. UTC | #6 
On 27/11/2022 03:34, Bruce Ashfield wrote:
> On Fri, Nov 25, 2022 at 11:11 AM Jack Mitchell <ml@embed.me.uk> wrote:
>>
>> On 25/11/2022 15:54, Mikko Rapeli wrote:
>>> It's a good default and used in many Linux distributions.
>>> Did not test out of tree modules if they do correct things but
>>> any such failures should be fixed.
>>>
>>> One way to verify that kernel module signing also works:
>>>
>>> root@qemux86-64:~# dmesg|grep X.509
>>> [    1.298936] Loading compiled-in X.509 certificates
>>> [    1.328280] Loaded X.509 cert 'Build time autogenerated kernel key: ee1bed6d845358744c764683bf73b4404cc79287'
>>>
>>> These logs in dmesg show that signing in kernel is enabled and
>>> key is found. Then if any kernel modules load, they were
>>> signed correctly. Additionally modinfo tool from kmod shows kernel module
>>> signing details:
>>
>> Hi Mikko,
>>
>> Do the kernel modules get properly stripped, last time I was looking at
>> this it was skipped when signed and as such root filesystem sizes
>> ballooned with signed modules.
> 
> oe package.py still does skip stripping for signed modules.
> 
> I'm sure it is fixable, but we need someone to step up and have a closer look.
> 
> Richard can probably comment better than I can, but there's a variety
> of use cases (from SDKs, to debug, to SBOM, etc) that all need to deal
> with whether binaries are stripped and be able to find the
> non-stripped executables in order to work properly.
> 
> So to answer the follow up suggestion of using the kernel's module
> strip directly .. it also might be feasible, but we need to make sure
> that all the other uses cases still work. My preference is to do the
> work in package.py, so that we don't have to worry about the kernel
> provider and any additional features have code in the same place as a
> baseline.
> 

I agree, if the kernel has the right arguments available for properly 
stripping the modules without stripping the signed portion then we can 
set those args manually rather than skipping the strip all together I 
believe.

I also had the same thought with having the kernel do it as I don't know 
where the stripped information goes and how that would then make it into 
debug packages.

> Bruce
> 
>>
>> Regards,
>> Jack.
>>
>>>
>>> root@qemux86-64:~# lsmod
>>> Module                  Size  Used by
>>> sch_fq_codel           20480  1
>>> root@qemux86-64:~# modinfo sch_fq_codel
>>> filename:
>>> /lib/modules/5.19.9-yocto-standard/kernel/net/sched/sch_fq_codel.ko
>>> description:    Fair Queue CoDel discipline
>>> license:        GPL
>>> author:         Eric Dumazet
>>> depends:
>>> retpoline:      Y
>>> intree:         Y
>>> name:           sch_fq_codel
>>> vermagic:       5.19.9-yocto-standard SMP preempt mod_unload
>>> sig_id:         PKCS#7
>>> signer:         Build time autogenerated kernel key
>>> sig_key:        2B:2A:BE:7D:B5:92:DC:98:A9:F8:D7:00:A6:73:35:20:10:D8:19:EE
>>> sig_hashalgo:   sha512
>>> signature:      72:6C:E1:78:7C:A7:7B:CC:C4:33:23:6B:95:EC:1B:2A:BD:D9:EC:7A:
>>>                  85:07:05:B2:70:3C:C9:64:F6:78:8A:01:A0:E3:64:C7:47:BB:5D:0E:
>>>                  86:BA:C1:DD:40:05:AE:1F:19:D4:F0:98:49:86:CC:61:14:3C:AB:1E:
>>>                  4A:1C:83:47:1D:FA:6D:E4:83:79:3A:2B:3F:7D:B6:E0:09:AE:B4:01:
>>>                  07:EE:C9:5B:99:70:4F:49:8A:64:E4:7D:84:AA:37:F5:DB:5F:16:5C:
>>>                  D4:DC:0C:33:73:5D:D9:8D:7E:71:5B:A1:ED:61:81:5E:1C:ED:A2:D8:
>>>                  76:46:99:B3:78:08:F7:7F:0D:4B:94:26:21:63:47:B0:75:9F:A4:EA:
>>>                  3D:14:D4:09:CC:59:F3:FC:80:AC:BF:56:1E:8C:73:FD:CB:07:27:C6:
>>>                  3D:98:4C:E4:C3:9C:C0:AD:90:53:46:8F:AE:66:FE:10:C8:92:7F:BA:
>>>                  74:C2:B0:E3:6E:47:66:AB:39:25:41:12:66:91:20:27:1A:58:77:75:
>>>                  4F:C0:3F:F1:8E:5F:AB:0A:BD:8B:62:4F:2B:01:5A:5C:4E:5C:31:39:
>>>                  FB:F4:14:2E:BF:D8:51:4B:C8:D0:E2:0A:20:80:95:05:80:E3:46:75:
>>>                  43:80:30:63:6F:A4:25:82:59:35:34:E8:6A:DC:FF:93:F8:32:BB:FA:
>>>                  66:2D:B9:08:75:1A:3A:3A:5D:57:F4:63:85:01:B4:EB:96:1B:CE:6F:
>>>                  4D:61:FC:AA:6C:39:7F:D6:37:C9:84:0A:84:17:FB:BE:FC:20:CB:EE:
>>>                  8C:2F:93:92:F6:48:F4:07:50:84:D8:2C:B5:2E:A7:7D:3A:3F:DC:E9:
>>>                  B9:17:EF:47:49:EC:BA:62:1C:C4:C6:58:9C:0C:8D:26:41:6E:1F:C1:
>>>                  95:A7:8B:57:5D:1D:4B:B4:04:00:F6:68:24:9E:E2:BF:11:EC:05:6C:
>>>                  83:E8:C6:DB:BB:3D:22:8B:31:BB:99:1A:44:E1:15:71:C3:AA:FA:01:
>>>                  98:BA:6B:20:26:D6:9C:61:5C:6F:81:29:09:B1:EA:C5:28:15:F3:98:
>>>                  C0:18:FE:08:8B:40:A5:F3:3C:71:4B:C6:41:CD:38:51:79:EA:5D:C9:
>>>                  13:39:B5:FD:A3:D1:BB:11:94:66:F7:7B:6A:DC:2C:01:5F:AB:73:08:
>>>                  68:24:32:BE:BC:7A:90:E5:FD:97:17:6C:DD:46:D0:0E:2C:03:31:66:
>>>                  B3:7C:B2:48:E1:E0:1A:63:20:48:4C:D4:55:56:71:04:3B:5F:3B:28:
>>>                  BF:64:6C:52:A9:07:6D:FF:21:E9:06:35:E8:A1:D7:F4:C2:F9:D7:7B:
>>>                  9D:D2:90:16:2F:68:1E:3F:BE:43:ED:64
>>>
>>> Failures in signed kernel module loading should show as errors at
>>> runtime, for example systemd services, or as oeqa parselogs test
>>> failures which detects signature verification error messages from the
>>> kernel.
>>>
>>> Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
>>> ---
>>>   meta/recipes-kernel/linux/linux-yocto.inc | 3 +++
>>>   1 file changed, 3 insertions(+)
>>>
>>> diff --git a/meta/recipes-kernel/linux/linux-yocto.inc b/meta/recipes-kernel/linux/linux-yocto.inc
>>> index 091003ed82..bab1f21479 100644
>>> --- a/meta/recipes-kernel/linux/linux-yocto.inc
>>> +++ b/meta/recipes-kernel/linux/linux-yocto.inc
>>> @@ -37,6 +37,9 @@ KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'efi', 'cfg/
>>>   KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'numa', 'features/numa/numa.scc', '', d)}"
>>>   KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'vfat', 'cfg/fs/vfat.scc', '', d)}"
>>>
>>> +# enable module signing by default
>>> +KERNEL_FEATURES:append = " features/module-signing/force-signing.scc"
>>> +
>>>   # A KMACHINE is the mapping of a yocto $MACHINE to what is built
>>>   # by the kernel. This is typically the branch that should be built,
>>>   # and it can be specific to the machine or shared
>>>
>>>
>>>
>>>
>>>
>>
>> --
>> Jack Mitchell, Consultant
>> https://www.tuxable.co.uk
>>
>> -=-=-=-=-=-=-=-=-=-=-=-
>> Links: You receive all messages sent to this group.
>> View/Reply Online (#173776): https://lists.openembedded.org/g/openembedded-core/message/173776
>> Mute This Topic: https://lists.openembedded.org/mt/95256076/1050810
>> Group Owner: openembedded-core+owner@lists.openembedded.org
>> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [bruce.ashfield@gmail.com]
>> -=-=-=-=-=-=-=-=-=-=-=-
>>
> 
>
Mikko Rapeli Nov. 28, 2022, 7:12 a.m. UTC | #7 
On Sat, Nov 26, 2022 at 10:06:57PM -0500, Bruce Ashfield wrote:
> On Fri, Nov 25, 2022 at 10:54 AM Mikko Rapeli <mikko.rapeli@linaro.org> wrote:
> >
> > It's a good default and used in many Linux distributions.
> > Did not test out of tree modules if they do correct things but
> > any such failures should be fixed.
> >
> > One way to verify that kernel module signing also works:
> >
> > root@qemux86-64:~# dmesg|grep X.509
> > [    1.298936] Loading compiled-in X.509 certificates
> > [    1.328280] Loaded X.509 cert 'Build time autogenerated kernel key: ee1bed6d845358744c764683bf73b4404cc79287'
> >
> > These logs in dmesg show that signing in kernel is enabled and
> > key is found. Then if any kernel modules load, they were
> > signed correctly. Additionally modinfo tool from kmod shows kernel module
> > signing details:
> >
> > root@qemux86-64:~# lsmod
> > Module                  Size  Used by
> > sch_fq_codel           20480  1
> > root@qemux86-64:~# modinfo sch_fq_codel
> > filename:
> > /lib/modules/5.19.9-yocto-standard/kernel/net/sched/sch_fq_codel.ko
> > description:    Fair Queue CoDel discipline
> > license:        GPL
> > author:         Eric Dumazet
> > depends:
> > retpoline:      Y
> > intree:         Y
> > name:           sch_fq_codel
> > vermagic:       5.19.9-yocto-standard SMP preempt mod_unload
> > sig_id:         PKCS#7
> > signer:         Build time autogenerated kernel key
> > sig_key:        2B:2A:BE:7D:B5:92:DC:98:A9:F8:D7:00:A6:73:35:20:10:D8:19:EE
> > sig_hashalgo:   sha512
> > signature:      72:6C:E1:78:7C:A7:7B:CC:C4:33:23:6B:95:EC:1B:2A:BD:D9:EC:7A:
> >                 85:07:05:B2:70:3C:C9:64:F6:78:8A:01:A0:E3:64:C7:47:BB:5D:0E:
> >                 86:BA:C1:DD:40:05:AE:1F:19:D4:F0:98:49:86:CC:61:14:3C:AB:1E:
> >                 4A:1C:83:47:1D:FA:6D:E4:83:79:3A:2B:3F:7D:B6:E0:09:AE:B4:01:
> >                 07:EE:C9:5B:99:70:4F:49:8A:64:E4:7D:84:AA:37:F5:DB:5F:16:5C:
> >                 D4:DC:0C:33:73:5D:D9:8D:7E:71:5B:A1:ED:61:81:5E:1C:ED:A2:D8:
> >                 76:46:99:B3:78:08:F7:7F:0D:4B:94:26:21:63:47:B0:75:9F:A4:EA:
> >                 3D:14:D4:09:CC:59:F3:FC:80:AC:BF:56:1E:8C:73:FD:CB:07:27:C6:
> >                 3D:98:4C:E4:C3:9C:C0:AD:90:53:46:8F:AE:66:FE:10:C8:92:7F:BA:
> >                 74:C2:B0:E3:6E:47:66:AB:39:25:41:12:66:91:20:27:1A:58:77:75:
> >                 4F:C0:3F:F1:8E:5F:AB:0A:BD:8B:62:4F:2B:01:5A:5C:4E:5C:31:39:
> >                 FB:F4:14:2E:BF:D8:51:4B:C8:D0:E2:0A:20:80:95:05:80:E3:46:75:
> >                 43:80:30:63:6F:A4:25:82:59:35:34:E8:6A:DC:FF:93:F8:32:BB:FA:
> >                 66:2D:B9:08:75:1A:3A:3A:5D:57:F4:63:85:01:B4:EB:96:1B:CE:6F:
> >                 4D:61:FC:AA:6C:39:7F:D6:37:C9:84:0A:84:17:FB:BE:FC:20:CB:EE:
> >                 8C:2F:93:92:F6:48:F4:07:50:84:D8:2C:B5:2E:A7:7D:3A:3F:DC:E9:
> >                 B9:17:EF:47:49:EC:BA:62:1C:C4:C6:58:9C:0C:8D:26:41:6E:1F:C1:
> >                 95:A7:8B:57:5D:1D:4B:B4:04:00:F6:68:24:9E:E2:BF:11:EC:05:6C:
> >                 83:E8:C6:DB:BB:3D:22:8B:31:BB:99:1A:44:E1:15:71:C3:AA:FA:01:
> >                 98:BA:6B:20:26:D6:9C:61:5C:6F:81:29:09:B1:EA:C5:28:15:F3:98:
> >                 C0:18:FE:08:8B:40:A5:F3:3C:71:4B:C6:41:CD:38:51:79:EA:5D:C9:
> >                 13:39:B5:FD:A3:D1:BB:11:94:66:F7:7B:6A:DC:2C:01:5F:AB:73:08:
> >                 68:24:32:BE:BC:7A:90:E5:FD:97:17:6C:DD:46:D0:0E:2C:03:31:66:
> >                 B3:7C:B2:48:E1:E0:1A:63:20:48:4C:D4:55:56:71:04:3B:5F:3B:28:
> >                 BF:64:6C:52:A9:07:6D:FF:21:E9:06:35:E8:A1:D7:F4:C2:F9:D7:7B:
> >                 9D:D2:90:16:2F:68:1E:3F:BE:43:ED:64
> >
> > Failures in signed kernel module loading should show as errors at
> > runtime, for example systemd services, or as oeqa parselogs test
> > failures which detects signature verification error messages from the
> > kernel.
> >
> > Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
> > ---
> >  meta/recipes-kernel/linux/linux-yocto.inc | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/meta/recipes-kernel/linux/linux-yocto.inc b/meta/recipes-kernel/linux/linux-yocto.inc
> > index 091003ed82..bab1f21479 100644
> > --- a/meta/recipes-kernel/linux/linux-yocto.inc
> > +++ b/meta/recipes-kernel/linux/linux-yocto.inc
> > @@ -37,6 +37,9 @@ KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'efi', 'cfg/
> >  KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'numa', 'features/numa/numa.scc', '', d)}"
> >  KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'vfat', 'cfg/fs/vfat.scc', '', d)}"
> >
> > +# enable module signing by default
> > +KERNEL_FEATURES:append = " features/module-signing/force-signing.scc"
> > +
> 
> For the reference kernels, there are a huge amount of use cases, and I
> support a really broad set of deployments.
> 
> We can enable this via either a distro or packageconfig, but not like
> this, since disabling it is difficult and requires a :remove. It needs
> to be opt-in.

This signing is purely a kernel internal self protection. Thus I don't see a
need for DISTRO_CONFIG, and kernel recipes don't use PACKAGECONFIG for
some reason. I know :append is difficult to :remove but it's used with "numa", "vfat",
"ptest" etc things too.

-Mikko
Mikko Rapeli Nov. 28, 2022, 11:12 a.m. UTC | #8 
Hi,

On Sun, Nov 27, 2022 at 06:47:30PM +0000, Jack Mitchell wrote:
> On 27/11/2022 03:34, Bruce Ashfield wrote:
> > On Fri, Nov 25, 2022 at 11:11 AM Jack Mitchell <ml@embed.me.uk> wrote:
> > > 
> > > On 25/11/2022 15:54, Mikko Rapeli wrote:
> > > > It's a good default and used in many Linux distributions.
> > > > Did not test out of tree modules if they do correct things but
> > > > any such failures should be fixed.
> > > > 
> > > > One way to verify that kernel module signing also works:
> > > > 
> > > > root@qemux86-64:~# dmesg|grep X.509
> > > > [    1.298936] Loading compiled-in X.509 certificates
> > > > [    1.328280] Loaded X.509 cert 'Build time autogenerated kernel key: ee1bed6d845358744c764683bf73b4404cc79287'
> > > > 
> > > > These logs in dmesg show that signing in kernel is enabled and
> > > > key is found. Then if any kernel modules load, they were
> > > > signed correctly. Additionally modinfo tool from kmod shows kernel module
> > > > signing details:
> > > 
> > > Hi Mikko,
> > > 
> > > Do the kernel modules get properly stripped, last time I was looking at
> > > this it was skipped when signed and as such root filesystem sizes
> > > ballooned with signed modules.
> > 
> > oe package.py still does skip stripping for signed modules.
> > 
> > I'm sure it is fixable, but we need someone to step up and have a closer look.
> > 
> > Richard can probably comment better than I can, but there's a variety
> > of use cases (from SDKs, to debug, to SBOM, etc) that all need to deal
> > with whether binaries are stripped and be able to find the
> > non-stripped executables in order to work properly.
> > 
> > So to answer the follow up suggestion of using the kernel's module
> > strip directly .. it also might be feasible, but we need to make sure
> > that all the other uses cases still work. My preference is to do the
> > work in package.py, so that we don't have to worry about the kernel
> > provider and any additional features have code in the same place as a
> > baseline.
> > 
> 
> I agree, if the kernel has the right arguments available for properly
> stripping the modules without stripping the signed portion then we can set
> those args manually rather than skipping the strip all together I believe.
> 
> I also had the same thought with having the kernel do it as I don't know
> where the stripped information goes and how that would then make it into
> debug packages.

https://www.kernel.org/doc/html/latest/admin-guide/module-signing.html#signed-modules-and-stripping

"Signed modules are BRITTLE as the signature is outside of the defined
ELF container. Thus they MAY NOT be stripped once the signature is
computed and attached. Note the entire module is the signed payload,
including any and all debug information present at the time of signing."

linux/scripts/Makefile.modinst does in "make modules_install":

...
$(dst)/%.ko: $(extmod_prefix)%.ko FORCE
        $(call cmd,install)
        $(call cmd,strip)
        $(call cmd,sign)
...

Thus I don't think signed kernel modules can ever be stripped by
package.py or package.bbclass. It sounds like only option is to install
modules without stripping and signing to debug packages and then install
them stripped with and signed to real binary packages.

Cheers,

-Mikko
Ross Burton Nov. 28, 2022, 12:01 p.m. UTC | #9 
On 28 Nov 2022, at 11:12, Mikko Rapeli via lists.openembedded.org <mikko.rapeli=linaro.org@lists.openembedded.org> wrote:
> 
> Thus I don't think signed kernel modules can ever be stripped by
> package.py or package.bbclass. It sounds like only option is to install
> modules without stripping and signing to debug packages and then install
> them stripped with and signed to real binary packages.

Which should be doable with a do_package function that runs after the stripping.

Ross
Bruce Ashfield Nov. 28, 2022, 2:03 p.m. UTC | #10 
On Mon, Nov 28, 2022 at 2:12 AM Mikko Rapeli <mikko.rapeli@linaro.org> wrote:
>
> On Sat, Nov 26, 2022 at 10:06:57PM -0500, Bruce Ashfield wrote:
> > On Fri, Nov 25, 2022 at 10:54 AM Mikko Rapeli <mikko.rapeli@linaro.org> wrote:
> > >
> > > It's a good default and used in many Linux distributions.
> > > Did not test out of tree modules if they do correct things but
> > > any such failures should be fixed.
> > >
> > > One way to verify that kernel module signing also works:
> > >
> > > root@qemux86-64:~# dmesg|grep X.509
> > > [    1.298936] Loading compiled-in X.509 certificates
> > > [    1.328280] Loaded X.509 cert 'Build time autogenerated kernel key: ee1bed6d845358744c764683bf73b4404cc79287'
> > >
> > > These logs in dmesg show that signing in kernel is enabled and
> > > key is found. Then if any kernel modules load, they were
> > > signed correctly. Additionally modinfo tool from kmod shows kernel module
> > > signing details:
> > >
> > > root@qemux86-64:~# lsmod
> > > Module                  Size  Used by
> > > sch_fq_codel           20480  1
> > > root@qemux86-64:~# modinfo sch_fq_codel
> > > filename:
> > > /lib/modules/5.19.9-yocto-standard/kernel/net/sched/sch_fq_codel.ko
> > > description:    Fair Queue CoDel discipline
> > > license:        GPL
> > > author:         Eric Dumazet
> > > depends:
> > > retpoline:      Y
> > > intree:         Y
> > > name:           sch_fq_codel
> > > vermagic:       5.19.9-yocto-standard SMP preempt mod_unload
> > > sig_id:         PKCS#7
> > > signer:         Build time autogenerated kernel key
> > > sig_key:        2B:2A:BE:7D:B5:92:DC:98:A9:F8:D7:00:A6:73:35:20:10:D8:19:EE
> > > sig_hashalgo:   sha512
> > > signature:      72:6C:E1:78:7C:A7:7B:CC:C4:33:23:6B:95:EC:1B:2A:BD:D9:EC:7A:
> > >                 85:07:05:B2:70:3C:C9:64:F6:78:8A:01:A0:E3:64:C7:47:BB:5D:0E:
> > >                 86:BA:C1:DD:40:05:AE:1F:19:D4:F0:98:49:86:CC:61:14:3C:AB:1E:
> > >                 4A:1C:83:47:1D:FA:6D:E4:83:79:3A:2B:3F:7D:B6:E0:09:AE:B4:01:
> > >                 07:EE:C9:5B:99:70:4F:49:8A:64:E4:7D:84:AA:37:F5:DB:5F:16:5C:
> > >                 D4:DC:0C:33:73:5D:D9:8D:7E:71:5B:A1:ED:61:81:5E:1C:ED:A2:D8:
> > >                 76:46:99:B3:78:08:F7:7F:0D:4B:94:26:21:63:47:B0:75:9F:A4:EA:
> > >                 3D:14:D4:09:CC:59:F3:FC:80:AC:BF:56:1E:8C:73:FD:CB:07:27:C6:
> > >                 3D:98:4C:E4:C3:9C:C0:AD:90:53:46:8F:AE:66:FE:10:C8:92:7F:BA:
> > >                 74:C2:B0:E3:6E:47:66:AB:39:25:41:12:66:91:20:27:1A:58:77:75:
> > >                 4F:C0:3F:F1:8E:5F:AB:0A:BD:8B:62:4F:2B:01:5A:5C:4E:5C:31:39:
> > >                 FB:F4:14:2E:BF:D8:51:4B:C8:D0:E2:0A:20:80:95:05:80:E3:46:75:
> > >                 43:80:30:63:6F:A4:25:82:59:35:34:E8:6A:DC:FF:93:F8:32:BB:FA:
> > >                 66:2D:B9:08:75:1A:3A:3A:5D:57:F4:63:85:01:B4:EB:96:1B:CE:6F:
> > >                 4D:61:FC:AA:6C:39:7F:D6:37:C9:84:0A:84:17:FB:BE:FC:20:CB:EE:
> > >                 8C:2F:93:92:F6:48:F4:07:50:84:D8:2C:B5:2E:A7:7D:3A:3F:DC:E9:
> > >                 B9:17:EF:47:49:EC:BA:62:1C:C4:C6:58:9C:0C:8D:26:41:6E:1F:C1:
> > >                 95:A7:8B:57:5D:1D:4B:B4:04:00:F6:68:24:9E:E2:BF:11:EC:05:6C:
> > >                 83:E8:C6:DB:BB:3D:22:8B:31:BB:99:1A:44:E1:15:71:C3:AA:FA:01:
> > >                 98:BA:6B:20:26:D6:9C:61:5C:6F:81:29:09:B1:EA:C5:28:15:F3:98:
> > >                 C0:18:FE:08:8B:40:A5:F3:3C:71:4B:C6:41:CD:38:51:79:EA:5D:C9:
> > >                 13:39:B5:FD:A3:D1:BB:11:94:66:F7:7B:6A:DC:2C:01:5F:AB:73:08:
> > >                 68:24:32:BE:BC:7A:90:E5:FD:97:17:6C:DD:46:D0:0E:2C:03:31:66:
> > >                 B3:7C:B2:48:E1:E0:1A:63:20:48:4C:D4:55:56:71:04:3B:5F:3B:28:
> > >                 BF:64:6C:52:A9:07:6D:FF:21:E9:06:35:E8:A1:D7:F4:C2:F9:D7:7B:
> > >                 9D:D2:90:16:2F:68:1E:3F:BE:43:ED:64
> > >
> > > Failures in signed kernel module loading should show as errors at
> > > runtime, for example systemd services, or as oeqa parselogs test
> > > failures which detects signature verification error messages from the
> > > kernel.
> > >
> > > Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
> > > ---
> > >  meta/recipes-kernel/linux/linux-yocto.inc | 3 +++
> > >  1 file changed, 3 insertions(+)
> > >
> > > diff --git a/meta/recipes-kernel/linux/linux-yocto.inc b/meta/recipes-kernel/linux/linux-yocto.inc
> > > index 091003ed82..bab1f21479 100644
> > > --- a/meta/recipes-kernel/linux/linux-yocto.inc
> > > +++ b/meta/recipes-kernel/linux/linux-yocto.inc
> > > @@ -37,6 +37,9 @@ KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'efi', 'cfg/
> > >  KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'numa', 'features/numa/numa.scc', '', d)}"
> > >  KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'vfat', 'cfg/fs/vfat.scc', '', d)}"
> > >
> > > +# enable module signing by default
> > > +KERNEL_FEATURES:append = " features/module-signing/force-signing.scc"
> > > +
> >
> > For the reference kernels, there are a huge amount of use cases, and I
> > support a really broad set of deployments.
> >
> > We can enable this via either a distro or packageconfig, but not like
> > this, since disabling it is difficult and requires a :remove. It needs
> > to be opt-in.
>
> This signing is purely a kernel internal self protection. Thus I don't see a
> need for DISTRO_CONFIG, and kernel recipes don't use PACKAGECONFIG for
> some reason. I know :append is difficult to :remove but it's used with "numa", "vfat",
> "ptest" etc things too.

And I've complained about those being added at times as well, in fact,
I have a bug somewhere to clean them up.

Signing impacts the runtime, and can chain throughout the system (as
with the stripping of the modules), so in this case, it has to be
opt-in.

Bruce

>
> -Mikko
Mikko Rapeli Nov. 28, 2022, 2:23 p.m. UTC | #11 
On Mon, Nov 28, 2022 at 09:03:04AM -0500, Bruce Ashfield wrote:
> On Mon, Nov 28, 2022 at 2:12 AM Mikko Rapeli <mikko.rapeli@linaro.org> wrote:
> >
> > On Sat, Nov 26, 2022 at 10:06:57PM -0500, Bruce Ashfield wrote:
> > > On Fri, Nov 25, 2022 at 10:54 AM Mikko Rapeli <mikko.rapeli@linaro.org> wrote:
> > > >
> > > > It's a good default and used in many Linux distributions.
> > > > Did not test out of tree modules if they do correct things but
> > > > any such failures should be fixed.
> > > >
> > > > One way to verify that kernel module signing also works:
> > > >
> > > > root@qemux86-64:~# dmesg|grep X.509
> > > > [    1.298936] Loading compiled-in X.509 certificates
> > > > [    1.328280] Loaded X.509 cert 'Build time autogenerated kernel key: ee1bed6d845358744c764683bf73b4404cc79287'
> > > >
> > > > These logs in dmesg show that signing in kernel is enabled and
> > > > key is found. Then if any kernel modules load, they were
> > > > signed correctly. Additionally modinfo tool from kmod shows kernel module
> > > > signing details:
> > > >
> > > > root@qemux86-64:~# lsmod
> > > > Module                  Size  Used by
> > > > sch_fq_codel           20480  1
> > > > root@qemux86-64:~# modinfo sch_fq_codel
> > > > filename:
> > > > /lib/modules/5.19.9-yocto-standard/kernel/net/sched/sch_fq_codel.ko
> > > > description:    Fair Queue CoDel discipline
> > > > license:        GPL
> > > > author:         Eric Dumazet
> > > > depends:
> > > > retpoline:      Y
> > > > intree:         Y
> > > > name:           sch_fq_codel
> > > > vermagic:       5.19.9-yocto-standard SMP preempt mod_unload
> > > > sig_id:         PKCS#7
> > > > signer:         Build time autogenerated kernel key
> > > > sig_key:        2B:2A:BE:7D:B5:92:DC:98:A9:F8:D7:00:A6:73:35:20:10:D8:19:EE
> > > > sig_hashalgo:   sha512
> > > > signature:      72:6C:E1:78:7C:A7:7B:CC:C4:33:23:6B:95:EC:1B:2A:BD:D9:EC:7A:
> > > >                 85:07:05:B2:70:3C:C9:64:F6:78:8A:01:A0:E3:64:C7:47:BB:5D:0E:
> > > >                 86:BA:C1:DD:40:05:AE:1F:19:D4:F0:98:49:86:CC:61:14:3C:AB:1E:
> > > >                 4A:1C:83:47:1D:FA:6D:E4:83:79:3A:2B:3F:7D:B6:E0:09:AE:B4:01:
> > > >                 07:EE:C9:5B:99:70:4F:49:8A:64:E4:7D:84:AA:37:F5:DB:5F:16:5C:
> > > >                 D4:DC:0C:33:73:5D:D9:8D:7E:71:5B:A1:ED:61:81:5E:1C:ED:A2:D8:
> > > >                 76:46:99:B3:78:08:F7:7F:0D:4B:94:26:21:63:47:B0:75:9F:A4:EA:
> > > >                 3D:14:D4:09:CC:59:F3:FC:80:AC:BF:56:1E:8C:73:FD:CB:07:27:C6:
> > > >                 3D:98:4C:E4:C3:9C:C0:AD:90:53:46:8F:AE:66:FE:10:C8:92:7F:BA:
> > > >                 74:C2:B0:E3:6E:47:66:AB:39:25:41:12:66:91:20:27:1A:58:77:75:
> > > >                 4F:C0:3F:F1:8E:5F:AB:0A:BD:8B:62:4F:2B:01:5A:5C:4E:5C:31:39:
> > > >                 FB:F4:14:2E:BF:D8:51:4B:C8:D0:E2:0A:20:80:95:05:80:E3:46:75:
> > > >                 43:80:30:63:6F:A4:25:82:59:35:34:E8:6A:DC:FF:93:F8:32:BB:FA:
> > > >                 66:2D:B9:08:75:1A:3A:3A:5D:57:F4:63:85:01:B4:EB:96:1B:CE:6F:
> > > >                 4D:61:FC:AA:6C:39:7F:D6:37:C9:84:0A:84:17:FB:BE:FC:20:CB:EE:
> > > >                 8C:2F:93:92:F6:48:F4:07:50:84:D8:2C:B5:2E:A7:7D:3A:3F:DC:E9:
> > > >                 B9:17:EF:47:49:EC:BA:62:1C:C4:C6:58:9C:0C:8D:26:41:6E:1F:C1:
> > > >                 95:A7:8B:57:5D:1D:4B:B4:04:00:F6:68:24:9E:E2:BF:11:EC:05:6C:
> > > >                 83:E8:C6:DB:BB:3D:22:8B:31:BB:99:1A:44:E1:15:71:C3:AA:FA:01:
> > > >                 98:BA:6B:20:26:D6:9C:61:5C:6F:81:29:09:B1:EA:C5:28:15:F3:98:
> > > >                 C0:18:FE:08:8B:40:A5:F3:3C:71:4B:C6:41:CD:38:51:79:EA:5D:C9:
> > > >                 13:39:B5:FD:A3:D1:BB:11:94:66:F7:7B:6A:DC:2C:01:5F:AB:73:08:
> > > >                 68:24:32:BE:BC:7A:90:E5:FD:97:17:6C:DD:46:D0:0E:2C:03:31:66:
> > > >                 B3:7C:B2:48:E1:E0:1A:63:20:48:4C:D4:55:56:71:04:3B:5F:3B:28:
> > > >                 BF:64:6C:52:A9:07:6D:FF:21:E9:06:35:E8:A1:D7:F4:C2:F9:D7:7B:
> > > >                 9D:D2:90:16:2F:68:1E:3F:BE:43:ED:64
> > > >
> > > > Failures in signed kernel module loading should show as errors at
> > > > runtime, for example systemd services, or as oeqa parselogs test
> > > > failures which detects signature verification error messages from the
> > > > kernel.
> > > >
> > > > Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
> > > > ---
> > > >  meta/recipes-kernel/linux/linux-yocto.inc | 3 +++
> > > >  1 file changed, 3 insertions(+)
> > > >
> > > > diff --git a/meta/recipes-kernel/linux/linux-yocto.inc b/meta/recipes-kernel/linux/linux-yocto.inc
> > > > index 091003ed82..bab1f21479 100644
> > > > --- a/meta/recipes-kernel/linux/linux-yocto.inc
> > > > +++ b/meta/recipes-kernel/linux/linux-yocto.inc
> > > > @@ -37,6 +37,9 @@ KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'efi', 'cfg/
> > > >  KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'numa', 'features/numa/numa.scc', '', d)}"
> > > >  KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'vfat', 'cfg/fs/vfat.scc', '', d)}"
> > > >
> > > > +# enable module signing by default
> > > > +KERNEL_FEATURES:append = " features/module-signing/force-signing.scc"
> > > > +
> > >
> > > For the reference kernels, there are a huge amount of use cases, and I
> > > support a really broad set of deployments.
> > >
> > > We can enable this via either a distro or packageconfig, but not like
> > > this, since disabling it is difficult and requires a :remove. It needs
> > > to be opt-in.
> >
> > This signing is purely a kernel internal self protection. Thus I don't see a
> > need for DISTRO_CONFIG, and kernel recipes don't use PACKAGECONFIG for
> > some reason. I know :append is difficult to :remove but it's used with "numa", "vfat",
> > "ptest" etc things too.
> 
> And I've complained about those being added at times as well, in fact,
> I have a bug somewhere to clean them up.
> 
> Signing impacts the runtime, and can chain throughout the system (as
> with the stripping of the modules), so in this case, it has to be
> opt-in.

Ok, fair enough. This can't be the default then and this patch can be
ignored.

I hope the kmod openssl support can be enable by default though.
linux-yocto too has openssl dependency by default even when signing is
disabled.

Cheers,

-Mikko
diff mbox series

Patch

diff --git a/meta/recipes-kernel/linux/linux-yocto.inc b/meta/recipes-kernel/linux/linux-yocto.inc
index 091003ed82..bab1f21479 100644
--- a/meta/recipes-kernel/linux/linux-yocto.inc
+++ b/meta/recipes-kernel/linux/linux-yocto.inc
@@ -37,6 +37,9 @@  KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'efi', 'cfg/
 KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'numa', 'features/numa/numa.scc', '', d)}"
 KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'vfat', 'cfg/fs/vfat.scc', '', d)}"
 
+# enable module signing by default
+KERNEL_FEATURES:append = " features/module-signing/force-signing.scc"
+
 # A KMACHINE is the mapping of a yocto $MACHINE to what is built
 # by the kernel. This is typically the branch that should be built,
 # and it can be specific to the machine or shared