From 59ca43808c1732864eb126e4fd93d5fc61f8a6ff Mon Sep 17 00:00:00 2001
From: Jia Zhang
Date: Tue, 21 Nov 2017 09:32:12 -0500
Subject: meta-integrity: enable modsign support in kernel
Signed-off-by: Jia Zhang
---
.../recipes-kernel/linux/linux-yocto-integrity.inc | 23 +++++++++++++++++-----
.../recipes-kernel/linux/linux-yocto/modsign.cfg | 7 +++++++
.../recipes-kernel/linux/linux-yocto/modsign.scc | 5 +++++
3 files changed, 30 insertions(+), 5 deletions(-)
create mode 100644 meta-integrity/recipes-kernel/linux/linux-yocto/modsign.cfg
create mode 100644 meta-integrity/recipes-kernel/linux/linux-yocto/modsign.scc
diff --git a/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc b/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc
index a9e5a93..a70774e 100644
--- a/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc
+++ b/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc
@@ -1,19 +1,32 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/linux-yocto:" IMA_ENABLED = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', '1', '0', d)}" +MODSIGN_ENABLED = "${@bb.utils.contains('DISTRO_FEATURES', 'modsign', '1', '0', d)}" -DEPENDS += "${@'key-store openssl-native' if d.getVar('IMA_ENABLED', True) == '1' else ''}" +DEPENDS += "${@'key-store openssl-native' \ + if d.getVar('IMA_ENABLED', True) == '1' or \ + d.getVar('MODSIGN_ENABLED', True) == '1' \ + else ''}" SRC_URI += "\ - ${@'file://ima.scc file://ima.cfg file://integrity.scc file://integrity.cfg' \ + ${@'file://ima.scc file://ima.cfg' \ if d.getVar('IMA_ENABLED', True) == '1' else ''} \ + ${@'file://modsign.scc file://modsign.cfg' \ + if d.getVar('MODSIGN_ENABLED', True) == '1' else ''} \ " do_configure_prepend() { - cert="${STAGING_DIR_TARGET}${sysconfdir}/keys/system_trusted_key.crt" + sys_cert="${STAGING_DIR_TARGET}${sysconfdir}/keys/system_trusted_key.crt" + modsign_key="${STAGING_DIR_TARGET}${sysconfdir}/keys/modsign_key.key" + modsign_cert="${STAGING_DIR_TARGET}${sysconfdir}/keys/modsign_key.crt" - if [ -f "$cert" ]; then - install -m 0644 "$cert" "${B}" + if [ -f "$sys_cert" ]; then + install -m 0644 "$sys_cert" "${B}" + fi + + if [ -f "$modsign_key" -a -f "$modsign_cert" ]; then + cat "$modsign_key" "$modsign_cert" \ + > "${B}/modsign_key.pem" else true fi
diff --git a/meta-integrity/recipes-kernel/linux/linux-yocto/modsign.cfg b/meta-integrity/recipes-kernel/linux/linux-yocto/modsign.cfg
new file mode 100644
index 0000000..4ac8dba
--- /dev/null
+++ b/meta-integrity/recipes-kernel/linux/linux-yocto/modsign.cfg
@@ -0,0 +1,7 @@
+CONFIG_MODULE_SIG=y
+CONFIG_MODULE_SIG_FORCE=y
+CONFIG_MODULE_SIG_KEY="modsign_key.pem"
+CONFIG_MODULE_SIG_HASH="sha256"
+CONFIG_MODULE_SIG_SHA256=y
+CONFIG_CRYPTO_SHA256=y
+CONFIG_MODULE_SIG_ALL=y
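Review bot: The private signing key is written to `${B}/modsign_key.pem` through a plain shell redirect in the new `cat` branch, so the file's mode is whatever the build umask yields (commonly world-readable); wrapping it as `( umask 077; cat "$modsign_key" "$modsign_cert" > "${B}/modsign_key.pem" )` keeps the key readable only by the build user. When only one of `modsign_key.key`/`modsign_key.crt` exists the `if` falls through to `true`, yet modsign.cfg in this same commit sets `CONFIG_MODULE_SIG_FORCE=y` and `CONFIG_MODULE_SIG_KEY="modsign_key.pem"`, so a missing key only surfaces later in the kernel build, if at all; an `elif [ "${MODSIGN_ENABLED}" = "1" ]; then bbfatal "modsign enabled but modsign_key.key/.crt not found under ${STAGING_DIR_TARGET}${sysconfdir}/keys"` branch would fail where the cause is known. The key is read from the target sysroot (`${STAGING_DIR_TARGET}${sysconfdir}/keys`), which suggests key-store stages it as target content — if the same package also installs the private key into the rootfs, a device-resident signing key undoes what MODULE_SIG_FORCE buys, so that is worth confirming. `[ ... -a ... ]` is obsolescent in POSIX test; `[ -f "$modsign_key" ] && [ -f "$modsign_cert" ]` is the portable form. The closing brace of do_configure_prepend is outside the hunk.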
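Review bot: `CONFIG_MODULE_SIG_FORCE=y` together with `CONFIG_MODULE_SIG_ALL=y` only signs modules installed by the kernel's own modules_install; modules built by separate recipes are not touched by this step and, with FORCE set, will presumably be refused at load time unless they are signed with the same key. That may be intended, but nothing in the layer says so, so a header comment in the fragment would save the next user a debugging session, e.g. `# MODULE_SIG_FORCE: only modules signed with modsign_key.pem load; modules built outside the kernel tree must be signed separately`. `CONFIG_MODULE_SIG_KEY="modsign_key.pem"` is a relative path that the kernel resolves against its build directory, which is why linux-yocto-integrity.inc places the PEM in `${B}`; a one-line comment recording that coupling would also help, since moving either side silently breaks signing.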
diff --git a/meta-integrity/recipes-kernel/linux/linux-yocto/modsign.scc b/meta-integrity/recipes-kernel/linux/linux-yocto/modsign.scc
new file mode 100644
index 0000000..99a4cdd
--- /dev/null
+++ b/meta-integrity/recipes-kernel/linux/linux-yocto/modsign.scc
@@ -0,0 +1,5 @@
+define KFEATURE_DESCRIPTION "Kernel Module Signing (modsign) enablement"
+define KFEATURE_COMPATIBILITY all
+
+include integrity.scc
+kconf non-hardware modsign.cfg
--
cgit v1.2.3-54-g00ecf
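Review bot: `include integrity.scc` on the fourth line refers to a fragment that this same commit removes from SRC_URI in linux-yocto-integrity.inc (`file://integrity.scc file://integrity.cfg` is dropped from the IMA branch and not re-added for modsign). Unless the kernel-yocto tooling resolves includes from the layer's `linux-yocto/` directory rather than only from the files fetched into `${WORKDIR}`, the include will not be found in a build with `modsign` but not `ima` enabled; that is worth confirming with such a build, and if the files are needed, listing the two integrity fragments unconditionally in SRC_URI. A short comment above the include naming what integrity.scc provides (presumably a base shared with ima.scc) would also record why the dependency exists.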