Merge pull request #1401 from eric-ch/module-signing

jandryuk · web-flow · commit fee7aa29a238 · 2021-05-10T14:27:18.000-04:00
module-signing: amend build errors and dependency tracking
diff --git a/classes/kernel-module-signing.bbclass b/classes/kernel-module-signing.bbclass
@@ -7,19 +7,20 @@ SIGN_FILE = "${B}/scripts/sign-file"
 export KERNEL_MODULE_SIG_CERT
 
 do_configure_append() {
-    if [ -n "${KERNEL_MODULE_SIG_CERT}" ] &&
-       grep -q '^CONFIG_MODULE_SIG=y' ${B}/.config ; then
-        sed -i -e '/CONFIG_MODULE_SIG_KEY[ =]/d' ${B}/.config
-        echo "CONFIG_MODULE_SIG_KEY=\"${KERNEL_MODULE_SIG_CERT}\"" >> \
-               ${B}/.config
-        sed -i -e '/CONFIG_MODULE_SIG_ALL[ =]/d' ${B}/.config
-        echo "# CONFIG_MODULE_SIG_ALL is not set" >> \
-               ${B}/.config
+    if ! grep -q '^CONFIG_MODULE_SIG=y' ${B}/.config ; then
+        return
+    fi
+    if [ -z "${KERNEL_MODULE_SIG_CERT}" ]; then
+        bbfatal "Kernel module signing should only be used when setting \
+KERNEL_MODULE_SIG_CERT in local.conf."
     fi
-}
 
-def get_signing_key(d):
-    path = d.getVar("KERNEL_MODULE_SIG_CERT") or os.path.join(d.getVar("STAGING_KERNEL_BUILDDIR"),"certs","signing_key.x509")
-    return path + ":" + str(os.path.exists(path))
+    sed -i -e '/CONFIG_MODULE_SIG_KEY[ =]/d' ${B}/.config
+    echo "CONFIG_MODULE_SIG_KEY=\"${KERNEL_MODULE_SIG_CERT}\"" >> \
+        ${B}/.config
+    sed -i -e '/CONFIG_MODULE_SIG_ALL[ =]/d' ${B}/.config
+    echo "# CONFIG_MODULE_SIG_ALL is not set" >> \
+        ${B}/.config
+}
 
-do_shared_workdir[file-checksums] = "${@get_signing_key(d)}"
+do_configure[file-checksums] += "${@get_signing_cert(d)}"
diff --git a/classes/module-signing.bbclass b/classes/module-signing.bbclass
@@ -10,30 +10,51 @@ INHIBIT_PACKAGE_STRIP = "1"
 export HOST_EXTRACFLAGS = "${BUILD_CFLAGS} ${BUILD_LDFLAGS}"
 
 # Set KERNEL_MODULE_SIG_KEY in local.conf to the filepath of a private key
-# for signing kernel modules.  If unset, signing can be done offline.
+# for signing kernel modules. If unset, signing can be done offline.
 export KERNEL_MODULE_SIG_KEY
 # Set KERNEL_MODULE_SIG_CERT in local.conf to the filepath of the corresponging
-# public key to verify the signed modules.  If unset, an autogenerated
-# build-time keypair will be generated and used for signing and embedding.
+# public key to verify the signed modules.
 export KERNEL_MODULE_SIG_CERT
 
+def get_signing_cert(d):
+    path = d.getVar("KERNEL_MODULE_SIG_CERT")
+    if path:
+        return path + ":" + str(os.path.exists(path))
+    return ""
+
+def get_signing_key(d):
+    path = d.getVar("KERNEL_MODULE_SIG_KEY")
+    if path:
+        return path + ":" + str(os.path.exists(path))
+    return ""
+
 # Kernel builds will override this with ${B}/scripts/sign-file
 SIGN_FILE = "${STAGING_KERNEL_BUILDDIR}/scripts/sign-file"
 
 fakeroot do_sign_modules() {
-    if [ -n "${KERNEL_MODULE_SIG_KEY}" ] &&
-       grep -q '^CONFIG_MODULE_SIG=y' ${STAGING_KERNEL_BUILDDIR}/.config; then
+    if ! grep -q '^CONFIG_MODULE_SIG=y' "${STAGING_KERNEL_BUILDDIR}/.config"; then
+        bbnote "Kernel module signing deactivated in kernel configuration ${STAGING_KERNEL_BUILDDIR}/.config."
+        return
+    fi
+    if [ -z "${KERNEL_MODULE_SIG_CERT}" ]; then
+        bbfatal "Kernel module signing should only be used when setting \
+KERNEL_MODULE_SIG_CERT in local.conf."
+    fi
+
+    if [ -n "${KERNEL_MODULE_SIG_KEY}" ]; then
         SIG_HASH=$( grep CONFIG_MODULE_SIG_HASH= \
                         ${STAGING_KERNEL_BUILDDIR}/.config | \
                       cut -d '"' -f 2 )
-        [ -z "$SIG_HASH" ] && bbfatal CONFIG_MODULE_SIG_HASH is not set in .config
+        [ -z "$SIG_HASH" ] && bbfatal "CONFIG_MODULE_SIG_HASH is not set in .config"
 
         [ -x "${SIGN_FILE}" ] || bbfatal "Cannot find scripts/sign-file"
 
         find ${D} -name "*.ko" -print0 | \
-          xargs --no-run-if-empty -0 -n 1 \
+          xargs -t --no-run-if-empty -0 -n 1 \
               ${SIGN_FILE} $SIG_HASH ${KERNEL_MODULE_SIG_KEY} \
                   ${KERNEL_MODULE_SIG_CERT}
+    else
+        bbnote "Kernel module offline signing enabled, modules still need to be signed."
     fi
 }
 
@@ -44,3 +65,6 @@ addtask sign_modules after do_install before do_package
 do_install[lockfiles] = "${TMPDIR}/kernel-scripts.lock"
 # Explicit keys sign modules in do_sign_modules
 do_sign_modules[lockfiles] = "${TMPDIR}/kernel-scripts.lock"
+
+do_sign_modules[depends] += "virtual/kernel:do_shared_workdir"
+do_sign_modules[file-checksums] += "${@get_signing_key(d)} ${@get_signing_cert(d)}"
