author | Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com> | 2019-07-28 18:31:49 +0300 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2019-08-07 07:09:43 -0700 |
commit | 79bc2559fef750dda6301e4c3ed891850d3244a1 (patch) | |
tree | fbfd7cf5882181bdfc2c0dcab0f6002c76b5026f | |
parent | c2ddc05c2090d856e849b074d3dffa056a784bb5 (diff) | |
download | meta-security-79bc2559fef750dda6301e4c3ed891850d3244a1.tar.gz |
kernel-modsign.bbclass: add support for kernel modules signing
Add bbclass responsible for handling signing of kernel modules.
Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
fixup class to avoid including in every configure task
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r-- | meta-integrity/classes/kernel-modsign.bbclass | 29 | ||||
-rw-r--r-- | meta-integrity/data/debug-keys/privkey_modsign.pem | 28 | ||||
-rw-r--r-- | meta-integrity/data/debug-keys/x509_modsign.crt | 22 |
3 files changed, 79 insertions, 0 deletions
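--- /dev/null
+++ b/meta-integrity/classes/kernel-modsign.bbclass
@@ -0,0 +1,29 @@
+# No default! Either this or MODSIGN_PRIVKEY/MODSIGN_X509 have to be
+# set explicitly in a local.conf before activating kernel-modsign.
+# To use the insecure (because public) example keys, use
+# MODSIGN_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
+MODSIGN_KEY_DIR ?= "MODSIGN_KEY_DIR_NOT_SET"
+
+# Private key for modules signing. The default is okay when
+# using the example key directory.
+MODSIGN_PRIVKEY ?= "${MODSIGN_KEY_DIR}/privkey_modsign.pem"
+
+# Public part of certificates used for modules signing.
+# The default is okay when using the example key directory.
+MODSIGN_X509 ?= "${MODSIGN_KEY_DIR}/x509_modsign.crt"
+
+# If this class is enabled, disable stripping signatures from modules
+INHIBIT_PACKAGE_STRIP = "1"
+
+kernel_do_configure_prepend() {
+if [ -f "${MODSIGN_PRIVKEY}" -a -f "${MODSIGN_X509}" ]; then
+cat "${MODSIGN_PRIVKEY}" "${MODSIGN_X509}" \
+> "${B}/modsign_key.pem"
+else
+bberror "Either modsign key or certificate are invalid"
+fi
+}
+
+do_shared_workdir_append() {
+cp modsign_key.pem $kerneldir/
+}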
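Review bot: The `bberror` in the else branch of `kernel_do_configure_prepend` reports the missing key material but, as far as I know, does not end the task the way `bbfatal` does, so configure continues without `${B}/modsign_key.pem`. Depending on the kernel's signing configuration, which this class does not show, the build could then either fail later at the `cp` in `do_shared_workdir_append` or produce modules signed with a key other than the intended one. I would make the branch fatal and name what was actually tested, since `-f` checks existence rather than validity: `bbfatal "kernel-modsign: MODSIGN_PRIVKEY (${MODSIGN_PRIVKEY}) or MODSIGN_X509 (${MODSIGN_X509}) not found"`. Separately, the concatenated file contains the private key and is copied into `$kerneldir`, so a comment stating who is expected to read that directory, plus a `bbwarn` when `MODSIGN_KEY_DIR` points at the public debug-keys directory, would make the trust assumptions explicit.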
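--- /dev/null
+++ b/meta-integrity/data/debug-keys/privkey_modsign.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDEWsJjB2pA5Ih6
+EelXvVjwWY1ix1azMciNRNPPQN1AMXF0K/VUkfOYbaPajg1cQYEf9gk3q7OZ5Axk
+UY/e5piZORaPcsmj0lV0L+NSlRYydR5M/QxtEz26585FgqRGdAe6umStPmVKdqa2
+d68O4PgQgJJtVuz6ndm+0uNEUDCVLwhkGQSwNB3qBbZAUX9escZ/a8eUiBfMYKaO
+k8JRyM+2br9dgpTFg4UfBYexgNSQo8g5TIBGc8KgQiKCuFj1fQEhV5z4RusHthjc
+NYXa3RHmdclxyrGeYr5ZRc47HqE1gd5NDR0WeHn4C4YKcfK1rZZz/2+6hfsIRfGx
+6cQKk23hAgMBAAECggEAJ0ULiWirPG04SkmYxF5vEiqm1zGMymvTc0VnoxSS60q4
+KQa9mvtRn5OV6JjuXRwQqga30zV4xvdP7yRMxMSTkllThL7tSuE/C+yj5xlABjlc
+JQOa35mwh9fibg5xslF0Vkj+55MKCPlv4CBRl4Uwt4QvRMTUwk6dhMeCgmATR1J1
+2/7AipjtfFYreDx7sLbRVvSzUhmZS0iCbNOhtTWPLNW+9YKHTOffKa04HzNtnAXq
+OjJ0IRZD/C6LfkBUsnHg2eEiA97QXh/Srsl9nc8DaUK1IXRywEdmYIoNMWMav2Hm
+RO8kkU30BqKW+/EO2ZbH2GmkxvwWd0ocBnLC3FRWEQKBgQDu4T8CB3YsOcVjqem4
+iBlaSht/b46YQc7A1SOqZCimehmmXNSxQOkapIG3wlIr5edtXQA+xv09+WrproUB
+SjAnqaH6pYeCvbNlY5k344gtYs+Kco2rq5GYa+LumAeX2Sam8F7u4LxvEogCecX7
+e4rnG3lt3AVuuRE7zpCQtaWcJQKBgQDSbUvea9pcYli9pssTl+ijQKkgG9DdaYbA
+I5w5bY1TPYZ/Ocysljefv/ssaHFh4DPxE1MQ5JHwZgZRo1EICxxYzGsLjyR/fmjz
+1c/NJlTtalCNtLvWaf7b02ag/abnP8neiSpLL5xqHvGo5ikWwgYQD+9HVKGvL3S1
+kI7x/ziADQKBgQCqFbkuMa/jh3LTJp0iZc1fa1qu3vhx0pFq3Zeab9w9xLxUps5O
+MwCGltFBzNuDJBwm00wkZrzTjq6gGkHbjD5DT1XkyE13OqjsLQFgOOKyJiPN2Qik
+TfHJzC91YMwvQ09xF78QaPXiRBiRYrEkAXACY56PKVS45I6vvcFTN/Ll/QKBgA9m
+KDMyuVwhZlUaq6nXaBLqXHYZEwPhARd2g6xANCNvUTRmSnAm3hM2vW7WhdWfzq1J
+uL53u6ZYEQZQaVGpXn2xF/RUmVsrKQsPDpH4yCZHrXVxUH20bA4yPkRxy5EIvgEn
+EI1IAq5RbWXq0f70W/U49U3HB74GPwg6d/uFreDRAoGAN+v9gMQA6A1vM7LvbYR8
+5CwwyqS/CfI9zKPLn53QstguXC/ObafIYQzVRqGb9lCQgtlmmKw4jMY0B/lDzpcH
+zS8rqoyvDj/m7i17NYkqXErJKLRQ0ptXKdLXHlG0u185e7Y5p4O3Z5dk8bACkpHi
+hp764y+BtU4qIcVaPsPK4uU=
+-----END PRIVATE KEY-----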
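--- /dev/null
+++ b/meta-integrity/data/debug-keys/x509_modsign.crt
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDnjCCAoagAwIBAgIUUqmBj5Q8edHMMTXsoGVGEEKdwV4wDQYJKoZIhvcNAQEL
+BQAwZzEqMCgGA1UEAxMhbWV0YS1zZWN1cml0eSBtb2R1bGVzIHNpZ25pbmcga2V5
+MRQwEgYDVQQKEwtleGFtcGxlLmNvbTEjMCEGCSqGSIb3DQEJARYUam9obi5kb2VA
+ZXhhbXBsZS5jb20wIBcNMTkwNzI3MjIzOTA3WhgPMjExOTA3MjcyMjM5MTVaMGcx
+KjAoBgNVBAMTIW1ldGEtc2VjdXJpdHkgbW9kdWxlcyBzaWduaW5nIGtleTEUMBIG
+A1UEChMLZXhhbXBsZS5jb20xIzAhBgkqhkiG9w0BCQEWFGpvaG4uZG9lQGV4YW1w
+bGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxFrCYwdqQOSI
+ehHpV71Y8FmNYsdWszHIjUTTz0DdQDFxdCv1VJHzmG2j2o4NXEGBH/YJN6uzmeQM
+ZFGP3uaYmTkWj3LJo9JVdC/jUpUWMnUeTP0MbRM9uufORYKkRnQHurpkrT5lSnam
+tnevDuD4EICSbVbs+p3ZvtLjRFAwlS8IZBkEsDQd6gW2QFF/XrHGf2vHlIgXzGCm
+jpPCUcjPtm6/XYKUxYOFHwWHsYDUkKPIOUyARnPCoEIigrhY9X0BIVec+EbrB7YY
+3DWF2t0R5nXJccqxnmK+WUXOOx6hNYHeTQ0dFnh5+AuGCnHyta2Wc/9vuoX7CEXx
+senECpNt4QIDAQABo0AwPjAMBgNVHRMBAf8EAjAAMA8GA1UdDwEB/wQFAwMHgAAw
+HQYDVR0OBBYEFDa35X9LnPlrd76inh/cYgeXh6X4MA0GCSqGSIb3DQEBCwUAA4IB
+AQBTPTh7zY9BrfZW9Izk9JSZYNigwUDwjrhNBSLr5NKi2A/LmZ0jjdCDkwaCn5io
+xrAq5oxPCAkwlzKwY2ootcL3+En4Pq2e5U+n9kRrpDpKKiR5/0S0d9vpgg4eZR0R
+kxqE9APCQ5SFU3PgnJ5H5y2SPXzle3bgUsWxNGD81zXFn5clJj4XHvJDWTQ/jG7C
+FTQ1o1HXtzda4EmKIzrSU/ayVbpPg5fPEBJjk/hHPT45kfzVZBuxwBLXVbe/YyWi
+NTFWCbJwjZwVRKrsQ3HFpYMWvugtcsSHo7vGi06FvUHcS2sUZH5sFn7hulcIGICt
+EztTO8Q+yhZujZbmEyJmxqZv
+-----END CERTIFICATE-----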