Sign out of tree modules with modsign feature

[paraka]

Hi,

I have successfully integrated 'efi-secure-boot' feature in my images and also was trying to integrate 'modsign' for kernel modules integrity. It works properly for kernel modules which are in-tree but it is not working at all for out of tree modules. All my modules which are out of tree are not signed in the final image. I though that just having modules_install target in out of tree modules' Makefiles would be enough to sign them if CONFIG_MODULE_SIG_ALL is enabled in kernel configuration (which is the defaults when integrating modsign feature) but it looks it is not. Can you please clarify if is this a supported feature for out of tree modules and a possible path to go in order to have this working properly?

Thanks in advance for your time.

[paraka]

While I am waiting your feedback I have the following class in my image layer as a workaround:

$ cat classes/sign-external-modules.bbclass
# Kernel out of tree modules are not signed by default using
# meta-secure-core/meta-integrity layer 'modsign' feature.
# In order to avoid boot loading errors of our kernel modules
# be sure all that is inside 'extra' modules directory folder
# in rootfs is signed properly.
sign_external_modules () {
    local modsign_key="${MODSIGN_KEYS_DIR}/modsign_key.key"
    local modsign_cert="${MODSIGN_KEYS_DIR}/modsign_key.crt"

    if [ -f "${modsign_key}" -a -f "${modsign_cert}" ]; then
        cat "${modsign_key}" "${modsign_cert}" > "${B}/modsign_key.pem"
    else
        bbfatal "Cannot found ${modsign_cert} and ${modsign_key}"
    fi

    local sign_script="${STAGING_KERNEL_BUILDDIR}/scripts/sign-file"
    if [ ! -f "${sign_script}" ]; then
        bbfatal "Cannot found ${sign_script} for signing out of tree modules"
    fi

    local extra_mod_dir=`find ${IMAGE_ROOTFS}/${base_libdir} -name extra`
    for m in `ls ${extra_mod_dir}`; do
        local module_path="${extra_mod_dir}/${m}"
        ${sign_script} sha256 "${B}/modsign_key.pem" "${modsign_cert}" "${module_path}"
    done
}
ROOTFS_POSTPROCESS_COMMAND += "${@bb.utils.contains('DISTRO_FEATURES','modsign','sign_external_modules;','',d)}"

[yizhao1]

We haven't tested signing of out of tree modules before. I think it is not supported at the moment.

[paraka]

I can confirm your that it seems it is not supported (at least with kirkstone branch which is the one I have to use by now). Every module recipe inheriting from 'module' poky's bbclass is not signed by default. There is not very much information about it. I have found the following links:

• https://patchwork.yoctoproject.org/project/oe-core/patch/[email protected]/#7027
• Out-Of-Tree module fails to probe: "Required key not available" jiazhang0/meta-secure-core#79
• https://docs.yoctoproject.org/pipermail/yocto/2018-June/041513.html

I think that this feature is something that meta-secure-core/meta-integrity layer should support somewhere in time. IMHO normal kernel module recipes should not need any change and the signing process should be automatic just using 'modsign' feature. My workaround works well but it is assuming that all out of tree modules are in kernel modules 'extra' directory (at least all of them are put there with my different machines). You also need to inherit 'sign-external-modules' in your image recipes to have the post process command working... I don't know what would be the correct thing to do to properly integrating this.