From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 828BDC433FE for ; Mon, 28 Nov 2022 07:12:18 +0000 (UTC) Received: from mail-lf1-f41.google.com (mail-lf1-f41.google.com [209.85.167.41]) by mx.groups.io with SMTP id smtpd.web11.112040.1669619531786633709 for ; Sun, 27 Nov 2022 23:12:12 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=r2Wk36kG; spf=pass (domain: linaro.org, ip: 209.85.167.41, mailfrom: mikko.rapeli@linaro.org) Received: by mail-lf1-f41.google.com with SMTP id s8so15951035lfc.8 for ; Sun, 27 Nov 2022 23:12:11 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=pt1u5Gi7EeAmZ5DCjyTNygw1e7a1XwTwxh59mdwPCSw=; b=r2Wk36kGY1s+ivecZ70n+C5PsVv8uG9QS1jsRFnBTZ+yTxVIFVjLswBga9SjUw4WjD 7LW3rgii0oftSLxEq2KSR1pBUN4disogVEAjL7aH0RNpg7V36jsz283RXyW1M/J9DcMe MFQy9bF0GzlSnm6LvnvW5Qxh8gvZotbNhpOVuOHNf8SFxOzqZQ53j4w+9ZEOubHJNuKF lwmj2tIl98A/z9rpSS7zEAp5B109spjIdeT9v/06cE9WGw7kuogBsrm9oXdNAFJ1a8WD w3sOogjSXczaMD8g/w27BpIKTwI8tZ0+Xn1YRCxxHcJlltCa/+KK7igzB/qjFBx3I6FU 39xw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=pt1u5Gi7EeAmZ5DCjyTNygw1e7a1XwTwxh59mdwPCSw=; b=8Qm2sp/q6p4CPep+WdR52dXgvHLoI/u9vRZ+sHCKLbs3JAhZad9xaNp73vowQcJ9px wNdlp60FGEIxbz/RHCmW3xFCeilCY268fuLE2kFdfslSJJBOMGllqv4Hq7IceQqmToBG RTirVEIVUr3cU0+upkjJAujPDAvc15XNyDKLdxkhJsaCCAQHsy9L8S9kFirLp3zmCuAN 2U38AJoSc+bb4uIDMuYD1I3rxHPJgAKOmtx1NOl8CzaI1awbqSQxK9LurckBZi77gCFh P964pCo0ODVxkC+arVoMCSzcyaE+ov5xAmLzoPkctBqvXGrzJ5MIhL0HbUX1+hD+MM2e ZaZg== X-Gm-Message-State: ANoB5pkzPKEjwdOCRz6tR9zNABjexVQvJei6KqBh/hIynUs6RZEObu1N GTFle+O7GtIRR4r2BfneckquMQ== X-Google-Smtp-Source: AA0mqf6y3Uxl1hyNHVmE8Qs2twwy6xdIirm0z56/tpQ7VEG5NG8+gNm5leuhIKQV01umGyClmFZcXw== X-Received: by 2002:ac2:4ecf:0:b0:4b4:f311:5888 with SMTP id p15-20020ac24ecf000000b004b4f3115888mr6428789lfr.521.1669619529271; Sun, 27 Nov 2022 23:12:09 -0800 (PST) Received: from nuoska (dsl-olubng11-54f814-94.dhcp.inet.fi. [84.248.20.94]) by smtp.gmail.com with ESMTPSA id a7-20020ac25e67000000b00499bf7605afsm1606622lfr.143.2022.11.27.23.12.07 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 27 Nov 2022 23:12:08 -0800 (PST) Date: Mon, 28 Nov 2022 09:12:07 +0200 From: Mikko Rapeli To: Bruce Ashfield Cc: openembedded-core@lists.openembedded.org Subject: Re: [OE-core] [PATCH] linux-yocto: enable strict kernel module signing by default Message-ID: References: <20221125155412.1119701-1-mikko.rapeli@linaro.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 28 Nov 2022 07:12:18 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/173895 On Sat, Nov 26, 2022 at 10:06:57PM -0500, Bruce Ashfield wrote: > On Fri, Nov 25, 2022 at 10:54 AM Mikko Rapeli wrote: > > > > It's a good default and used in many Linux distributions. > > Did not test out of tree modules if they do correct things but > > any such failures should be fixed. > > > > One way to verify that kernel module signing also works: > > > > root@qemux86-64:~# dmesg|grep X.509 > > [ 1.298936] Loading compiled-in X.509 certificates > > [ 1.328280] Loaded X.509 cert 'Build time autogenerated kernel key: ee1bed6d845358744c764683bf73b4404cc79287' > > > > These logs in dmesg show that signing in kernel is enabled and > > key is found. Then if any kernel modules load, they were > > signed correctly. Additionally modinfo tool from kmod shows kernel module > > signing details: > > > > root@qemux86-64:~# lsmod > > Module Size Used by > > sch_fq_codel 20480 1 > > root@qemux86-64:~# modinfo sch_fq_codel > > filename: > > /lib/modules/5.19.9-yocto-standard/kernel/net/sched/sch_fq_codel.ko > > description: Fair Queue CoDel discipline > > license: GPL > > author: Eric Dumazet > > depends: > > retpoline: Y > > intree: Y > > name: sch_fq_codel > > vermagic: 5.19.9-yocto-standard SMP preempt mod_unload > > sig_id: PKCS#7 > > signer: Build time autogenerated kernel key > > sig_key: 2B:2A:BE:7D:B5:92:DC:98:A9:F8:D7:00:A6:73:35:20:10:D8:19:EE > > sig_hashalgo: sha512 > > signature: 72:6C:E1:78:7C:A7:7B:CC:C4:33:23:6B:95:EC:1B:2A:BD:D9:EC:7A: > > 85:07:05:B2:70:3C:C9:64:F6:78:8A:01:A0:E3:64:C7:47:BB:5D:0E: > > 86:BA:C1:DD:40:05:AE:1F:19:D4:F0:98:49:86:CC:61:14:3C:AB:1E: > > 4A:1C:83:47:1D:FA:6D:E4:83:79:3A:2B:3F:7D:B6:E0:09:AE:B4:01: > > 07:EE:C9:5B:99:70:4F:49:8A:64:E4:7D:84:AA:37:F5:DB:5F:16:5C: > > D4:DC:0C:33:73:5D:D9:8D:7E:71:5B:A1:ED:61:81:5E:1C:ED:A2:D8: > > 76:46:99:B3:78:08:F7:7F:0D:4B:94:26:21:63:47:B0:75:9F:A4:EA: > > 3D:14:D4:09:CC:59:F3:FC:80:AC:BF:56:1E:8C:73:FD:CB:07:27:C6: > > 3D:98:4C:E4:C3:9C:C0:AD:90:53:46:8F:AE:66:FE:10:C8:92:7F:BA: > > 74:C2:B0:E3:6E:47:66:AB:39:25:41:12:66:91:20:27:1A:58:77:75: > > 4F:C0:3F:F1:8E:5F:AB:0A:BD:8B:62:4F:2B:01:5A:5C:4E:5C:31:39: > > FB:F4:14:2E:BF:D8:51:4B:C8:D0:E2:0A:20:80:95:05:80:E3:46:75: > > 43:80:30:63:6F:A4:25:82:59:35:34:E8:6A:DC:FF:93:F8:32:BB:FA: > > 66:2D:B9:08:75:1A:3A:3A:5D:57:F4:63:85:01:B4:EB:96:1B:CE:6F: > > 4D:61:FC:AA:6C:39:7F:D6:37:C9:84:0A:84:17:FB:BE:FC:20:CB:EE: > > 8C:2F:93:92:F6:48:F4:07:50:84:D8:2C:B5:2E:A7:7D:3A:3F:DC:E9: > > B9:17:EF:47:49:EC:BA:62:1C:C4:C6:58:9C:0C:8D:26:41:6E:1F:C1: > > 95:A7:8B:57:5D:1D:4B:B4:04:00:F6:68:24:9E:E2:BF:11:EC:05:6C: > > 83:E8:C6:DB:BB:3D:22:8B:31:BB:99:1A:44:E1:15:71:C3:AA:FA:01: > > 98:BA:6B:20:26:D6:9C:61:5C:6F:81:29:09:B1:EA:C5:28:15:F3:98: > > C0:18:FE:08:8B:40:A5:F3:3C:71:4B:C6:41:CD:38:51:79:EA:5D:C9: > > 13:39:B5:FD:A3:D1:BB:11:94:66:F7:7B:6A:DC:2C:01:5F:AB:73:08: > > 68:24:32:BE:BC:7A:90:E5:FD:97:17:6C:DD:46:D0:0E:2C:03:31:66: > > B3:7C:B2:48:E1:E0:1A:63:20:48:4C:D4:55:56:71:04:3B:5F:3B:28: > > BF:64:6C:52:A9:07:6D:FF:21:E9:06:35:E8:A1:D7:F4:C2:F9:D7:7B: > > 9D:D2:90:16:2F:68:1E:3F:BE:43:ED:64 > > > > Failures in signed kernel module loading should show as errors at > > runtime, for example systemd services, or as oeqa parselogs test > > failures which detects signature verification error messages from the > > kernel. > > > > Signed-off-by: Mikko Rapeli > > --- > > meta/recipes-kernel/linux/linux-yocto.inc | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/meta/recipes-kernel/linux/linux-yocto.inc b/meta/recipes-kernel/linux/linux-yocto.inc > > index 091003ed82..bab1f21479 100644 > > --- a/meta/recipes-kernel/linux/linux-yocto.inc > > +++ b/meta/recipes-kernel/linux/linux-yocto.inc > > @@ -37,6 +37,9 @@ KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'efi', 'cfg/ > > KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'numa', 'features/numa/numa.scc', '', d)}" > > KERNEL_FEATURES:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'vfat', 'cfg/fs/vfat.scc', '', d)}" > > > > +# enable module signing by default > > +KERNEL_FEATURES:append = " features/module-signing/force-signing.scc" > > + > > For the reference kernels, there are a huge amount of use cases, and I > support a really broad set of deployments. > > We can enable this via either a distro or packageconfig, but not like > this, since disabling it is difficult and requires a :remove. It needs > to be opt-in. This signing is purely a kernel internal self protection. Thus I don't see a need for DISTRO_CONFIG, and kernel recipes don't use PACKAGECONFIG for some reason. I know :append is difficult to :remove but it's used with "numa", "vfat", "ptest" etc things too. -Mikko