kernel : enable module signing

Enable build time module signing and enforce loading only signed
modules at run-time.

Signed-off-by: Shahriyar Jalayeri <shahriyar@zededa.com>

pkg/kernel/Dockerfile

@@ -79,6 +79,7 @@ ENV KERNEL_DEFCONFIG=x86_64_defconfig
 FROM kernel-target-${TARGETARCH} AS kernel-build
 
 COPY /kernel-config/* /
+COPY /certs /certs
 COPY /patches-5.10.x /patches-5.10.x
 COPY /patches-zfs-2.1.2 /patches-zfs-2.1.2
 
@@ -113,6 +114,10 @@ RUN set -e ; KERNEL_SERIES="${KERNEL_VERSION%.*}".x; \
         patch -p1 < "$patch"; \
     done
 
+WORKDIR /linux
+RUN echo "Copying module signing x509 template"; \
+    cp /certs/x509.genkey /linux/certs/
+
 # Copy default kconfig and prepare kbuild
 # hadolint ignore=SC2086
 RUN KERNEL_DEF_CONF="/linux/arch/${KERNEL_ARCH}/configs/${KERNEL_DEFCONFIG}"; \
@@ -202,6 +207,24 @@ RUN make -j "$(getconf _NPROCESSORS_ONLN)" CROSS_COMPILE="${CROSS_COMPILE_ENV}"
 # Strip at least some of the modules to conserve space
 RUN if [ "${EVE_TARGET_ARCH}" = aarch64 ];then "${CROSS_COMPILE_ENV}strip" --strip-debug `find /tmp/kernel-modules/lib/modules -name \*.ko` ;fi
 
+# Resign stripped kernel modules again
+RUN if [ "${EVE_TARGET_ARCH}" = aarch64 ];then \
+    KERNEL_DEF_CONF="/linux/arch/${KERNEL_ARCH}/configs/${KERNEL_DEFCONFIG}"; \
+    if grep -q "^CONFIG_MODULE_SIG_FORCE=y" "${KERNEL_DEF_CONF}" ;then \
+        make INSTALL_MOD_PATH=/tmp/kernel-modules modules_sign ; \
+    fi \
+fi
+
+# Sign out-of-tree module(s)
+WORKDIR /linux
+RUN KERNEL_DEF_CONF="/linux/arch/${KERNEL_ARCH}/configs/${KERNEL_DEFCONFIG}"; \
+    if grep -q "^CONFIG_MODULE_SIG_FORCE=y" "${KERNEL_DEF_CONF}" ;then \
+        SIG_HASH=$(sed -n '/^CONFIG_MODULE_SIG_HASH=/s///p' ${KERNEL_DEF_CONF} | tr -d '"') ; \
+        SIG_KEY_SRCPREFIX=$(sed -n '/^MODULE_SIG_KEY_SRCPREFIX=/s///p' ${KERNEL_DEF_CONF} | tr -d '"') ; \
+        SIG_KEY=$(sed -n '/^CONFIG_MODULE_SIG_KEY=/s///p' ${KERNEL_DEF_CONF} | tr -d '"') ; \
+        scripts/sign-file ${SIG_HASH} /linux/${SIG_KEY_SRCPREFIX}${SIG_KEY} /linux/certs/signing_key.x509 $(find /tmp/kernel-modules/lib/modules -name 8821cu.ko); \
+    fi
+
 # Device Tree Blobs
 RUN if [ "${EVE_TARGET_ARCH}" = aarch64 ];then make INSTALL_DTBS_PATH=/tmp/kernel-modules/boot/dtb CROSS_COMPILE="${CROSS_COMPILE_ENV}" ARCH="${KERNEL_ARCH}" dtbs_install ;fi
 

pkg/kernel/certs/x509.genkey

@@ -0,0 +1,17 @@
+[ req ]
+default_bits = 4096
+distinguished_name = req_distinguished_name
+prompt = no
+string_mask = utf8only
+x509_extensions = myexts
+
+[ req_distinguished_name ]
+O = LF Edge EVE-OS
+CN = Build-time generated signing key
+emailAddress = eve-security@lists.lfedge.org
+
+[ myexts ]
+basicConstraints=critical,CA:FALSE
+keyUsage=digitalSignature
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid

pkg/kernel/kernel-config/kernel_config-5.10.x-aarch64

@@ -866,8 +866,8 @@ CONFIG_MODVERSIONS=y
 CONFIG_ASM_MODVERSIONS=y
 CONFIG_MODULE_SRCVERSION_ALL=y
 CONFIG_MODULE_SIG=y
-# CONFIG_MODULE_SIG_FORCE is not set
-# CONFIG_MODULE_SIG_ALL is not set
+CONFIG_MODULE_SIG_FORCE=y
+CONFIG_MODULE_SIG_ALL=y
 # CONFIG_MODULE_SIG_SHA1 is not set
 # CONFIG_MODULE_SIG_SHA224 is not set
 CONFIG_MODULE_SIG_SHA256=y

pkg/kernel/kernel-config/kernel_config-5.10.x-x86_64

@@ -807,7 +807,12 @@ CONFIG_MODULE_UNLOAD=y
 # CONFIG_MODULE_FORCE_UNLOAD is not set
 # CONFIG_MODVERSIONS is not set
 # CONFIG_MODULE_SRCVERSION_ALL is not set
-# CONFIG_MODULE_SIG is not set
+CONFIG_MODULE_SIG_FORMAT=y
+CONFIG_MODULE_SIG=y
+CONFIG_MODULE_SIG_FORCE=y
+CONFIG_MODULE_SIG_ALL=y
+CONFIG_MODULE_SIG_SHA256=y
+CONFIG_MODULE_SIG_HASH="sha256"
 # CONFIG_MODULE_COMPRESS is not set
 # CONFIG_MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS is not set
 # CONFIG_UNUSED_SYMBOLS is not set
@@ -5599,6 +5604,7 @@ CONFIG_PKCS7_MESSAGE_PARSER=y
 #
 # Certificates for signature checking
 #
+CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
 CONFIG_SYSTEM_TRUSTED_KEYRING=y
 CONFIG_SYSTEM_TRUSTED_KEYS=""
 # CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set