Out-Of-Tree module fails to probe: "Required key not available"
robbawebba opened this issue · 11 comments
Hello!
I'm have an out-of-tree kernel module that I'm including in my image. I'm following the out-of-tree modules guide that's included in the Yocto kernel development manual to include it properly in my build.
I get the following error when trying to probe this module:
modprobe: ERROR: could not insert 'my-custom-module': Required key not available
I have the modsign and ima distro features enabled and I'm including linux-yocto-integrity.inc in my kernel recipe. I would expect this error for a module that I did not build with the rest of my image, but this module was built as a recipe along with my kernel, so I was hoping this module would also be signed.
Would it be possible to append the module.bbclass class that's provided by OpenEmbedded Core to include a module signing task? If not, would the correct approach be to create a new signed-module.bbclass that inherits from module.bbclass that includes the signing step?
I was trying to hack on this idea last night but I'm unfamiliar with how to sign kernel modules. Thanks for your help!
When googling for Yocto/OE things, made sure to double-check the version of the results.
The link you provide for the out-of-tree modules guide is from 1.4-daisy, over 4 years ago. I don't know if much has changed in this aspect of OE, but maybe the latest documentation helps?
There has been some discussion on the yocto mailing list about signing, but I think that's mostly to do with u-boot and measured boot.
@twoerner Thanks for catching that! I was definitely following the latest documentation when creating my out-of-tree module recipe, but just grabbed the wrong link when I googled this documentation without checking the version.
Do you happen to know how the Linux kernel signs modules? Is it part of the make modules step, or is it a separate stop altogether?
@robbawebba Currently, the modsign feature available in meta-integrity completely depends on kernel build infrastructure (aka kbuild). meta-integrity provides a signing key, and kbuild will sign kernel module with the signing tool scripts/sign-file during make modules_sign if CONFIG_MODULE_SIG_ALL=y.
The usage of scripts/sign-file is:
<kern_src>/scripts/sign-file <hash_algo> <private_key_name> \
<x509_name> <module_name> [<dest_name>]
Here is a manual step to sign a kernel module with meta-secure-core build on my box:
$ cd $build/tmp/work/qemux86_64-poky-linux/linux-yocto/*/linux-qemux86_64-*-build/
$ ./scripts/sign-file sha256 modsign_key.pem certs/signing_key.x509 drivers/char/lp.ko lp.ko.signed
Check the signing result:
$ tail -1 lp.ko.signed
You will see a magic string "Module signature appended" if signing succeeds. Note that I don't actually run it.
However, we still need an engineering solution to handle out-of-tree kernel module in SDK and build infrastructure.
Hi @jiazhang0, Sorry for the delay! I had and idea on how to implement this and would like your feedback.
The overall solution that came to mind is a bbclass called signed-module, that inherits from the OE module.bbclass. It borrows everything from that class and adds an extra task right after the do_install (modules_install) task. This new task, let's call it do_sign for now, will make use of the make modules_sign target that's available for working with out-of-tree modules. Here's a link to the patch that I'm referencing: https://lore.kernel.org/patchwork/patch/337562/
So the Makefile for the out-of-tree module would need to include this target. Here's an example borrowed from meta-skeleton/recipes-kernel/hello-mod:
obj-m := hello.o
SRC := $(shell pwd)
all:
$(MAKE) -C $(KERNEL_SRC) M=$(SRC)
modules_install:
$(MAKE) -C $(KERNEL_SRC) M=$(SRC) modules_install
# new make target to support a signed-module bbclass
modules_sign:
$(MAKE) -C $(KERNEL_SRC) M=$(SRC) modules_sign
clean:
rm -f *.o *~ core .depend .*.cmd *.ko *.mod.c
rm -f Module.markers Module.symvers modules.order
rm -rf .tmp_versions Modules.symvers
@jiazhang0 Please let me know if you have any thoughts on this approach! I plan on creating an example of this bbclass to test this, so I'll let you know how it works out. If you don't mind, I am pretty interested in adding this enhancement to meta-secure-core. Thanks in advance!
@robbawebba This sounds good. You can even define a new meta-skeleton for meta-secure-core to do this.
@jiazhang0 Thanks!
Also, are there any special details I should consider when contributing this change? For example, what branch should be the destination branch of my PR? master, Sumo, or Rocko?
@robbawebba The master branch is good enough. I will cherry-pick your commit to other stable branches.
Any luck on this? Using make modules_sign doesn't seem to work as the recipe will run in the kbuild directory, and the key is not there. Trying to find a usable reference to the directory where the key is generated to reference it and use sign-file manually is not obvious to me, still looking for a way to do it.
Hi @bluca, It's been quite some time since I worked on this issue unfortunately. I took a stab at the make modules_sign approach I explained above, but I quickly found the same issue that you are identifying. I have not resumed development on this issue because I got busy with other tasks at work. I might take another look this weekend to re-familiarize myself with the issue. I'll let you know if I discover anything, and please keep me updated if you find a solution as well.
Commenting here as this is the result returned by Google for "yocto sign out of tree kernel module": I was able to sign out of tree kernel modules by adding CONFIG_MODULE_SIG_ALL=y to the kernel configuration (5.4 / dunfell). This adds the signature as part of the existing module_install target and requires no change to the module code/recipes :)