Out-Of-Tree module fails to probe: "Required key not available"

[robbawebba]

Hello!

I'm have an out-of-tree kernel module that I'm including in my image. I'm following the out-of-tree modules guide that's included in the Yocto kernel development manual to include it properly in my build.

I get the following error when trying to probe this module:

modprobe: ERROR: could not insert 'my-custom-module': Required key not available

I have the modsign and ima distro features enabled and I'm including linux-yocto-integrity.inc in my kernel recipe. I would expect this error for a module that I did not build with the rest of my image, but this module was built as a recipe along with my kernel, so I was hoping this module would also be signed.

Would it be possible to append the module.bbclass class that's provided by OpenEmbedded Core to include a module signing task? If not, would the correct approach be to create a new signed-module.bbclass that inherits from module.bbclass that includes the signing step?

I was trying to hack on this idea last night but I'm unfamiliar with how to sign kernel modules. Thanks for your help!

[twoerner]

When googling for Yocto/OE things, made sure to double-check the version of the results.

The link you provide for the out-of-tree modules guide is from 1.4-daisy, over 4 years ago. I don't know if much has changed in this aspect of OE, but maybe the latest documentation helps?

https://www.yoctoproject.org/docs/latest/kernel-dev/kernel-dev.html#incorporating-out-of-tree-modules

There has been some discussion on the yocto mailing list about signing, but I think that's mostly to do with u-boot and measured boot.

[robbawebba]

@twoerner Thanks for catching that! I was definitely following the latest documentation when creating my out-of-tree module recipe, but just grabbed the wrong link when I googled this documentation without checking the version.

Do you happen to know how the Linux kernel signs modules? Is it part of the make modules step, or is it a separate stop altogether?

[jiazhang0]

@robbawebba Currently, the modsign feature available in meta-integrity completely depends on kernel build infrastructure (aka kbuild). meta-integrity provides a signing key, and kbuild will sign kernel module with the signing tool scripts/sign-file during make modules_sign if CONFIG_MODULE_SIG_ALL=y.

The usage of scripts/sign-file is:

<kern_src>/scripts/sign-file <hash_algo> <private_key_name> \
    <x509_name> <module_name> [<dest_name>]

Here is a manual step to sign a kernel module with meta-secure-core build on my box:

$ cd $build/tmp/work/qemux86_64-poky-linux/linux-yocto/*/linux-qemux86_64-*-build/
$ ./scripts/sign-file sha256 modsign_key.pem certs/signing_key.x509 drivers/char/lp.ko lp.ko.signed

Check the signing result:

$ tail -1 lp.ko.signed

You will see a magic string "Module signature appended" if signing succeeds. Note that I don't actually run it.

However, we still need an engineering solution to handle out-of-tree kernel module in SDK and build infrastructure.

[robbawebba]

Hi @jiazhang0, Sorry for the delay! I had and idea on how to implement this and would like your feedback.

The overall solution that came to mind is a bbclass called signed-module, that inherits from the OE module.bbclass. It borrows everything from that class and adds an extra task right after the do_install (modules_install) task. This new task, let's call it do_sign for now, will make use of the make modules_sign target that's available for working with out-of-tree modules. Here's a link to the patch that I'm referencing: https://lore.kernel.org/patchwork/patch/337562/

So the Makefile for the out-of-tree module would need to include this target. Here's an example borrowed from meta-skeleton/recipes-kernel/hello-mod:

obj-m := hello.o

SRC := $(shell pwd)

all:
	$(MAKE) -C $(KERNEL_SRC) M=$(SRC)

modules_install:
	$(MAKE) -C $(KERNEL_SRC) M=$(SRC) modules_install

# new make target to support a signed-module bbclass
modules_sign:
	$(MAKE) -C $(KERNEL_SRC) M=$(SRC) modules_sign

clean:
	rm -f *.o *~ core .depend .*.cmd *.ko *.mod.c
	rm -f Module.markers Module.symvers modules.order
	rm -rf .tmp_versions Modules.symvers

@jiazhang0 Please let me know if you have any thoughts on this approach! I plan on creating an example of this bbclass to test this, so I'll let you know how it works out. If you don't mind, I am pretty interested in adding this enhancement to meta-secure-core. Thanks in advance!

[jiazhang0]

@robbawebba This sounds good. You can even define a new meta-skeleton for meta-secure-core to do this.

[robbawebba]

@jiazhang0 Thanks!

Also, are there any special details I should consider when contributing this change? For example, what branch should be the destination branch of my PR? master, Sumo, or Rocko?

[jiazhang0]

@robbawebba The master branch is good enough. I will cherry-pick your commit to other stable branches.

[bluca]

Any luck on this? Using make modules_sign doesn't seem to work as the recipe will run in the kbuild directory, and the key is not there. Trying to find a usable reference to the directory where the key is generated to reference it and use sign-file manually is not obvious to me, still looking for a way to do it.

[robbawebba]

Hi @bluca, It's been quite some time since I worked on this issue unfortunately. I took a stab at the make modules_sign approach I explained above, but I quickly found the same issue that you are identifying. I have not resumed development on this issue because I got busy with other tasks at work. I might take another look this weekend to re-familiarize myself with the issue. I'll let you know if I discover anything, and please keep me updated if you find a solution as well.

[yadutaf]

Commenting here as this is the result returned by Google for "yocto sign out of tree kernel module": I was able to sign out of tree kernel modules by adding CONFIG_MODULE_SIG_ALL=y to the kernel configuration (5.4 / dunfell). This adds the signature as part of the existing module_install target and requires no change to the module code/recipes :)

[kk2mkk]

Hi @yadutaf is it working the same with self-generated keys i.e configuring CONFIG_MODULE_SIG_KEY="certs/my_key.pem"
regards
KK