layer: require out-of-tree signing key for modules

If module signing is enabled and key/cert are provided, add the
necessary dependencies between do_configure/do_sign_module to depend on
the out-of-tree key/cert.

If module signing is disabled, nothing is done, no dependency is added.

If module signing is enabled, but key/cert are not provided, error out,
this inevitably ends up re-generating a throw-away signing key when
out-of-tree modules dependencies are resolved (do_shared_workdir
does not store state, including signing keys).

Signed-off-by: Eric Chanudet <chanudete@ainfosec.com>

Author: Eric Chanudet

classes/kernel-module-signing.bbclass

@@ -7,6 +7,13 @@ SIGN_FILE = "${B}/scripts/sign-file"
 export KERNEL_MODULE_SIG_CERT
 
 do_configure_append() {
+    if [ -z "${KERNEL_MODULE_SIG_CERT}" ] || \
+       [ -z "${KERNEL_MODULE_SIG_KEY}" ] && \
+        grep -q '^CONFIG_MODULE_SIG=y' "${B}/.config"; then
+        bbfatal "Kernel module signing should only be used when setting \
+KERNEL_MODULE_SIG_{CERT,KEY} in local.conf."
+    fi
+
     if [ -n "${KERNEL_MODULE_SIG_CERT}" ] &&
        grep -q '^CONFIG_MODULE_SIG=y' ${B}/.config ; then
         sed -i -e '/CONFIG_MODULE_SIG_KEY[ =]/d' ${B}/.config
@@ -18,8 +25,4 @@ do_configure_append() {
     fi
 }
 
-def get_signing_key(d):
-    path = d.getVar("KERNEL_MODULE_SIG_CERT") or os.path.join(d.getVar("STAGING_KERNEL_BUILDDIR"),"certs","signing_key.x509")
-    return path + ":" + str(os.path.exists(path))
-
-do_shared_workdir[file-checksums] = "${@get_signing_key(d)}"
+do_configure[file-checksums] += "${@get_signing_cert(d)}"

classes/module-signing.bbclass

@@ -10,17 +10,35 @@ INHIBIT_PACKAGE_STRIP = "1"
 export HOST_EXTRACFLAGS = "${BUILD_CFLAGS} ${BUILD_LDFLAGS}"
 
 # Set KERNEL_MODULE_SIG_KEY in local.conf to the filepath of a private key
-# for signing kernel modules.  If unset, signing can be done offline.
+# for signing kernel modules.
 export KERNEL_MODULE_SIG_KEY
 # Set KERNEL_MODULE_SIG_CERT in local.conf to the filepath of the corresponging
-# public key to verify the signed modules.  If unset, an autogenerated
-# build-time keypair will be generated and used for signing and embedding.
+# public key to verify the signed modules.
 export KERNEL_MODULE_SIG_CERT
 
+def get_signing_cert(d):
+    path = d.getVar("KERNEL_MODULE_SIG_CERT")
+    if path:
+        return path + ":" + str(os.path.exists(path))
+    return ""
+
+def get_signing_key(d):
+    path = d.getVar("KERNEL_MODULE_SIG_KEY")
+    if path:
+        return path + ":" + str(os.path.exists(path))
+    return ""
+
 # Kernel builds will override this with ${B}/scripts/sign-file
 SIGN_FILE = "${STAGING_KERNEL_BUILDDIR}/scripts/sign-file"
 
 fakeroot do_sign_modules() {
+    if [ -z "${KERNEL_MODULE_SIG_CERT}" ] || \
+       [ -z "${KERNEL_MODULE_SIG_KEY}" ] && \
+        grep -q '^CONFIG_MODULE_SIG=y' "${B}/.config"; then
+        bbfatal "Kernel module signing should only be used when setting \
+KERNEL_MODULE_SIG_{CERT,KEY} in local.conf."
+    fi
+
     if [ -n "${KERNEL_MODULE_SIG_KEY}" ] &&
        grep -q '^CONFIG_MODULE_SIG=y' ${STAGING_KERNEL_BUILDDIR}/.config; then
         SIG_HASH=$( grep CONFIG_MODULE_SIG_HASH= \
@@ -44,3 +62,6 @@ addtask sign_modules after do_install before do_package
 do_install[lockfiles] = "${TMPDIR}/kernel-scripts.lock"
 # Explicit keys sign modules in do_sign_modules
 do_sign_modules[lockfiles] = "${TMPDIR}/kernel-scripts.lock"
+
+do_sign_modules[depends] += "virtual/kernel:do_shared_workdir"
+do_sign_modules[file-checksums] += "${@get_signing_key(d)} ${@get_signing_cert(d)}"