summaryrefslogtreecommitdiffstats
path: root/meta-integrity/classes
diff options
context:
space:
mode:
authorDmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>2019-07-28 18:31:49 +0300
committerArmin Kuster <akuster808@gmail.com>2019-08-07 07:09:43 -0700
commit79bc2559fef750dda6301e4c3ed891850d3244a1 (patch)
treefbfd7cf5882181bdfc2c0dcab0f6002c76b5026f /meta-integrity/classes
parentc2ddc05c2090d856e849b074d3dffa056a784bb5 (diff)
downloadmeta-security-79bc2559fef750dda6301e4c3ed891850d3244a1.tar.gz
kernel-modsign.bbclass: add support for kernel modules signing
Add bbclass responsible for handling signing of kernel modules. Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com> fixup class to avoid including in every configure task Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'meta-integrity/classes')
-rw-r--r--meta-integrity/classes/kernel-modsign.bbclass29
1 files changed, 29 insertions, 0 deletions
diff --git a/meta-integrity/classes/kernel-modsign.bbclass b/meta-integrity/classes/kernel-modsign.bbclass
new file mode 100644
index 0000000..09025ba
--- /dev/null
+++ b/meta-integrity/classes/kernel-modsign.bbclass
@@ -0,0 +1,29 @@
1# No default! Either this or MODSIGN_PRIVKEY/MODSIGN_X509 have to be
2# set explicitly in a local.conf before activating kernel-modsign.
3# To use the insecure (because public) example keys, use
4# MODSIGN_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
5MODSIGN_KEY_DIR ?= "MODSIGN_KEY_DIR_NOT_SET"
6
7# Private key for modules signing. The default is okay when
8# using the example key directory.
9MODSIGN_PRIVKEY ?= "${MODSIGN_KEY_DIR}/privkey_modsign.pem"
10
11# Public part of certificates used for modules signing.
12# The default is okay when using the example key directory.
13MODSIGN_X509 ?= "${MODSIGN_KEY_DIR}/x509_modsign.crt"
14
15# If this class is enabled, disable stripping signatures from modules
16INHIBIT_PACKAGE_STRIP = "1"
17
18kernel_do_configure_prepend() {
19 if [ -f "${MODSIGN_PRIVKEY}" -a -f "${MODSIGN_X509}" ]; then
20 cat "${MODSIGN_PRIVKEY}" "${MODSIGN_X509}" \
21 > "${B}/modsign_key.pem"
22 else
23 bberror "Either modsign key or certificate are invalid"
24 fi
25}
26
27do_shared_workdir_append() {
28 cp modsign_key.pem $kerneldir/
29}