linux: add support for kernel modules signing

Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
author: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com> 2019-07-28 18:31:50 +0300
committer: Armin Kuster <akuster808@gmail.com> 2019-08-07 07:09:50 -0700
commit: eebe0ff18a87354f422c693262d43cf42c195316 (patch)
tree: ee6a7ca60c0473f8bd4ad6c66e4d40e8b4a116c6
parent: 79bc2559fef750dda6301e4c3ed891850d3244a1 (diff)
download: meta-security-eebe0ff18a87354f422c693262d43cf42c195316.tar.gz
3 files changed, 12 insertions, 0 deletions
diff --git a/meta-integrity/recipes-kernel/linux/linux-%.bbappend b/meta-integrity/recipes-kernel/linux/linux-%.bbappend
index 931854e..ca96c8d 100644
--- a/meta-integrity/recipes-kernel/linux/linux-%.bbappend
+++ b/meta-integrity/recipes-kernel/linux/linux-%.bbappend
@@ -1,3 +1,6 @@
 FILESEXTRAPATHS_prepend := "${THISDIR}/linux:"
 SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' file://ima.cfg', '', d)}"
+SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' file://modsign.scc file://modsign.cfg', '', d)}"
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', 'kernel-modsign', '', d)}
diff --git a/meta-integrity/recipes-kernel/linux/linux/modsign.cfg b/meta-integrity/recipes-kernel/linux/linux/modsign.cfg
new file mode 100644
index 0000000..c0c4ebc
--- /dev/null
+++ b/meta-integrity/recipes-kernel/linux/linux/modsign.cfg
@@ -0,0 +1,5 @@
+CONFIG_MODULE_SIG=y
+CONFIG_MODULE_SIG_FORCE=y
+CONFIG_MODULE_SIG_SHA256=y
+CONFIG_MODULE_SIG_HASH="sha256"
+CONFIG_MODULE_SIG_KEY="modsign_key.pem"
diff --git a/meta-integrity/recipes-kernel/linux/linux/modsign.scc b/meta-integrity/recipes-kernel/linux/linux/modsign.scc
new file mode 100644
index 0000000..bce78ae
--- /dev/null
+++ b/meta-integrity/recipes-kernel/linux/linux/modsign.scc
@@ -0,0 +1,4 @@
+define KFEATURE_DESCRIPTION "Kernel Module Signing (modsign) enablement"
+define KFEATURE_COMPATIBILITY all
+kconf non-hardware modsign.cfg
author	Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>	2019-07-28 18:31:50 +0300
committer	Armin Kuster <akuster808@gmail.com>	2019-08-07 07:09:50 -0700
commit	eebe0ff18a87354f422c693262d43cf42c195316 (patch)
tree	ee6a7ca60c0473f8bd4ad6c66e4d40e8b4a116c6
parent	79bc2559fef750dda6301e4c3ed891850d3244a1 (diff)
download	meta-security-eebe0ff18a87354f422c693262d43cf42c195316.tar.gz

diff --git a/meta-integrity/recipes-kernel/linux/linux-%.bbappend b/meta-integrity/recipes-kernel/linux/linux-%.bbappend index 931854e..ca96c8d 100644 --- a/meta-integrity/recipes-kernel/linux/linux-%.bbappend +++ b/meta-integrity/recipes-kernel/linux/linux-%.bbappend
@@ -1,3 +1,6 @@
1	FILESEXTRAPATHS_prepend := "${THISDIR}/linux:"	1	FILESEXTRAPATHS_prepend := "${THISDIR}/linux:"
2		2
3	SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' file://ima.cfg', '', d)}"	3	SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' file://ima.cfg', '', d)}"
		4	SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' file://modsign.scc file://modsign.cfg', '', d)}"
		5
		6	inherit ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', 'kernel-modsign', '', d)}


diff --git a/meta-integrity/recipes-kernel/linux/linux/modsign.cfg b/meta-integrity/recipes-kernel/linux/linux/modsign.cfg new file mode 100644 index 0000000..c0c4ebc --- /dev/null +++ b/meta-integrity/recipes-kernel/linux/linux/modsign.cfg
@@ -0,0 +1,5 @@
		1	CONFIG_MODULE_SIG=y
		2	CONFIG_MODULE_SIG_FORCE=y
		3	CONFIG_MODULE_SIG_SHA256=y
		4	CONFIG_MODULE_SIG_HASH="sha256"
		5	CONFIG_MODULE_SIG_KEY="modsign_key.pem"


diff --git a/meta-integrity/recipes-kernel/linux/linux/modsign.scc b/meta-integrity/recipes-kernel/linux/linux/modsign.scc new file mode 100644 index 0000000..bce78ae --- /dev/null +++ b/meta-integrity/recipes-kernel/linux/linux/modsign.scc
@@ -0,0 +1,4 @@
		1	define KFEATURE_DESCRIPTION "Kernel Module Signing (modsign) enablement"
		2	define KFEATURE_COMPATIBILITY all
		3
		4	kconf non-hardware modsign.cfg