Re: [yocto] [meta-security 2/3] kernel-modsign.bbclass: add support for kernel modules signing

Sun, 04 Aug 2019 13:26:00 -0700 

вс, 4 авг. 2019 г. в 18:30, akuster808 <akuster...@gmail.com>:
> On 7/28/19 8:31 AM, Dmitry Eremin-Solenikov wrote:
> > From: Dmitry Eremin-Solenikov <dmitry_eremin-soleni...@mentor.com>
> >
> > Add bbclass responsible for handling signing of kernel modules.
> >
> > Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-soleni...@mentor.com>
> > ---
> >  meta-integrity/classes/kernel-modsign.bbclass | 29 +++++++++++++++++++
> >  .../data/debug-keys/privkey_modsign.pem       | 28 ++++++++++++++++++
> >  .../data/debug-keys/x509_modsign.crt          | 22 ++++++++++++++
> >  3 files changed, 79 insertions(+)
> >  create mode 100644 meta-integrity/classes/kernel-modsign.bbclass
> >  create mode 100644 meta-integrity/data/debug-keys/privkey_modsign.pem
> >  create mode 100644 meta-integrity/data/debug-keys/x509_modsign.crt
> >
> > diff --git a/meta-integrity/classes/kernel-modsign.bbclass 
> > b/meta-integrity/classes/kernel-modsign.bbclass
> > new file mode 100644
> > index 000000000000..1e4d94b79091
> > --- /dev/null
> > +++ b/meta-integrity/classes/kernel-modsign.bbclass
> > @@ -0,0 +1,29 @@
> > +# No default! Either this or MODSIGN_PRIVKEY/MODSIGN_X509 have to be
> > +# set explicitly in a local.conf before activating kernel-modsign.
> > +# To use the insecure (because public) example keys, use
> > +# MODSIGN_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
> > +MODSIGN_KEY_DIR ?= "MODSIGN_KEY_DIR_NOT_SET"
> > +
> > +# Private key for modules signing. The default is okay when
> > +# using the example key directory.
> > +MODSIGN_PRIVKEY ?= "${MODSIGN_KEY_DIR}/privkey_modsign.pem"
> > +
> > +# Public part of certificates used for modules signing.
> > +# The default is okay when using the example key directory.
> > +MODSIGN_X509 ?= "${MODSIGN_KEY_DIR}/x509_modsign.crt"
> > +
> > +# If this class is enabled, disable stripping signatures from modules
> > +INHIBIT_PACKAGE_STRIP = "1"
> > +
> > +do_configure_prepend() {
>
> This is being pulled in with every configure task and causing parsing
> issues.
>
> I changed it to "kernel_do_configure_prepend" and that fixed the issue I
> was seeing.

Interesting. I haven't seen this issue. Could you please share any details?

Changed bbclass appears to work for me, so either of them is fine from my
point of view.

> things appear to be still working, Can you double check.

-- 
With best wishes
Dmitry
-- 
_______________________________________________
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto

Reply via email to