diff options
| author | Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com> | 2019-07-28 18:31:49 +0300 |
|---|---|---|
| committer | Armin Kuster <akuster808@gmail.com> | 2019-08-07 07:09:43 -0700 |
| commit | 79bc2559fef750dda6301e4c3ed891850d3244a1 (patch) | |
| tree | fbfd7cf5882181bdfc2c0dcab0f6002c76b5026f /meta-integrity/classes | |
| parent | c2ddc05c2090d856e849b074d3dffa056a784bb5 (diff) | |
| download | meta-security-79bc2559fef750dda6301e4c3ed891850d3244a1.tar.gz | |
kernel-modsign.bbclass: add support for kernel modules signing
Add bbclass responsible for handling signing of kernel modules.
Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
fixup class to avoid including in every configure task
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'meta-integrity/classes')
| -rw-r--r-- | meta-integrity/classes/kernel-modsign.bbclass | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/meta-integrity/classes/kernel-modsign.bbclass b/meta-integrity/classes/kernel-modsign.bbclass new file mode 100644 index 0000000..09025ba --- /dev/null +++ b/meta-integrity/classes/kernel-modsign.bbclass | |||
| @@ -0,0 +1,29 @@ | |||
| 1 | # No default! Either this or MODSIGN_PRIVKEY/MODSIGN_X509 have to be | ||
| 2 | # set explicitly in a local.conf before activating kernel-modsign. | ||
| 3 | # To use the insecure (because public) example keys, use | ||
| 4 | # MODSIGN_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys" | ||
| 5 | MODSIGN_KEY_DIR ?= "MODSIGN_KEY_DIR_NOT_SET" | ||
| 6 | |||
| 7 | # Private key for modules signing. The default is okay when | ||
| 8 | # using the example key directory. | ||
| 9 | MODSIGN_PRIVKEY ?= "${MODSIGN_KEY_DIR}/privkey_modsign.pem" | ||
| 10 | |||
| 11 | # Public part of certificates used for modules signing. | ||
| 12 | # The default is okay when using the example key directory. | ||
| 13 | MODSIGN_X509 ?= "${MODSIGN_KEY_DIR}/x509_modsign.crt" | ||
| 14 | |||
| 15 | # If this class is enabled, disable stripping signatures from modules | ||
| 16 | INHIBIT_PACKAGE_STRIP = "1" | ||
| 17 | |||
| 18 | kernel_do_configure_prepend() { | ||
| 19 | if [ -f "${MODSIGN_PRIVKEY}" -a -f "${MODSIGN_X509}" ]; then | ||
| 20 | cat "${MODSIGN_PRIVKEY}" "${MODSIGN_X509}" \ | ||
| 21 | > "${B}/modsign_key.pem" | ||
| 22 | else | ||
| 23 | bberror "Either modsign key or certificate are invalid" | ||
| 24 | fi | ||
| 25 | } | ||
| 26 | |||
| 27 | do_shared_workdir_append() { | ||
| 28 | cp modsign_key.pem $kerneldir/ | ||
| 29 | } | ||
