CP-12693 Sign kernel modules and image during kernel build (no shim)

tonynguien · tonynguien · commit 3a780ad8b1a1 · 2025-08-24T16:25:38.000-06:00
CP-12694 Sign ZFS modules after ZFS build (no shim) CP-12695 Sign connstat module after build (no shim) PR URL: https://www.github.com/delphix/linux-pkg/pull/371
diff --git a/default-package-config.sh b/default-package-config.sh
@@ -160,6 +160,35 @@ function kernel_build() {
 	#
 	logmust fakeroot debian/rules printenv "${debian_rules_args[@]}"
 
+  #
+  # Download SB keys and configure signing keys/certs before build
+  #
+  SB_KEYS_DIR="/var/tmp/sbkeys"
+  logmust mkdir -p $SB_KEYS_DIR
+  logmust aws s3 cp --recursive s3://secure-boot-keys-prod/temp/db/ $SB_KEYS_DIR
+
+	FLAVOUR=$platform
+	OBJ=debian/build/build-$FLAVOUR
+	CERTS=$OBJ/certs
+
+	ensure the objdir + certs dir exist
+	mkdir -p "$CERTS"
+
+	# provide the key the packaging expects INSIDE the objdir
+	# (symlink or copy)
+	logmust ln -sf "${SB_KEYS_DIR}/signing_key.pem" "$CERTS/signing_key.pem"
+	logmust chmod 600 "$CERTS/signing_key.pem"
+
+	# create the DER .x509 that sign-file needs from .crt)
+	logmust openssl x509 -in "${SB_KEYS_DIR}/db.crt" -outform DER -out "$CERTS/signing_key.x509"
+	# sanity checks
+	logmust test -s "$CERTS/signing_key.pem" || { echo "missing signing_key.pem"; exit 1; }
+	logmust test -s "$CERTS/signing_key.x509" || { echo "missing signing_key.x509"; exit 1; }
+	logmust openssl pkey -in "$CERTS/signing_key.pem" -noout >/dev/null || { echo "key unreadable"; exit 1; }
+
+	SBSIGN_KEY="${SBSIGN_KEY:-$SB_KEYS_DIR/db.key}"
+	SBSIGN_CERT="${SBSIGN_CERT:-$SB_KEYS_DIR/db.crt}"
+
 	#
 	# The default value of the tool argument for mk-build-deps
 	# is the following:
@@ -203,6 +232,33 @@ function kernel_build() {
 	# one of the .debs produced
 	#
 	logmust test -f "artifacts/linux-image-${kernel_version}_"*.deb
+
+	#
+	# After the build, unpackage linux-image package and sign vmlinuz
+	#
+	linux_deb=$(find artifacts -type f -name "linux-image-${kernel_version}*.deb" | head -n1)
+	temp_dir=$(mktemp -d -p "/var/tmp/")
+	logmust fakeroot dpkg-deb -R $linux_deb "$temp_dir"
+
+	bz="$temp_dir/boot/vmlinuz-${kernel_version}"
+	logmust sbsign --key $SBSIGN_KEY --cert $SBSIGN_CERT --output "$bz.signed" "$bz"
+	logmust mv "$bz.signed" "$bz"
+	logmust sbverify --list "$bz"
+
+	# Update md5sums
+	( cd "$temp_dir"
+		: > DEBIAN/md5sums
+		# print paths relative to root of package
+		while IFS= read -r -d '' f; do
+		rel="${f#./}"
+		md5sum "$rel" >> DEBIAN/md5sums
+		done < <(find . -type f ! -path './DEBIAN/*' -print0)
+	)
+
+	# Repack the .deb"
+	out_deb="artifacts/linux-image.deb"
+	logmust fakeroot dpkg-deb -b "$temp_dir" "$out_deb"
+	logmust mv "$out_deb" "$linux_deb"
 }
 
 #
diff --git a/packages/common.sh b/packages/common.sh
@@ -0,0 +1,23 @@
+S3_KEYS_URL="s3://secure-boot-keys-prod/temp"
+SB_KEYS_DIR="/var/tmp/sbkeys"
+SBSIGN_KEY="$SB_KEYS_DIR/db.key"
+SBSIGN_DER="$SB_KEYS_DIR/db.der"
+
+function download_keys() {
+	echo_bold "Signing constat module"
+  logmust mkdir -p $SB_KEYS_DIR
+  logmust aws s3 cp --recursive s3://secure-boot-keys-prod/temp/db/ $SB_KEYS_DIR
+}
+
+function delete_keys() {
+  logmust rm -r $SB_KEYS_DIR
+}
+
+function repack_deb() {
+  deb_name=$1
+  deb_dir=$2
+  temp_deb=$(mktemp /tmp/deb.XXXXXX)
+
+	logmust fakeroot dpkg-deb -b "$deb_dir" "$temp_deb"
+	logmust mv "$out_deb" "$deb_name"
+}
diff --git a/packages/connstat/config.sh b/packages/connstat/config.sh
@@ -16,6 +16,8 @@
 #
 # shellcheck disable=SC2034
 
+source ../common.sh
+
 DEFAULT_PACKAGE_GIT_URL="https://github.com/delphix/connstat.git"
 PACKAGE_DEPENDENCIES="@linux-kernel dwarves"
 
@@ -50,4 +52,43 @@ function build() {
 
 	logmust cd "$WORKDIR/repo"
 	logmust mv ./*deb "$WORKDIR/artifacts/"
+
+  # Sign the module
+	sign_module
+}
+
+SB_KEYS_DIR="/var/tmp/sbkeys"
+SBSIGN_KEY="$SB_KEYS_DIR/db.key"
+SBSIGN_DER="$SB_KEYS_DIR/db.der"
+
+# Unpack connstat module package in artifacts directory, sign, then repack
+#
+function sign_module() {
+	echo_bold "Signing constat module"
+  download_keys
+
+  for connstat_pkg in $(find "$WORKDIR/artifacts" -type f -name "connstat-module-*.deb" ! -name "*-dbg*"); do
+	  echo_bold "Processing $connstat_pkg"
+	  temp_dir=$(mktemp -d -p "/var/tmp/")
+	  logmust fakeroot dpkg-deb -R $connstat_pkg "$temp_dir"
+
+	  connstat_mod=$(find $temp_dir -type f -name connstat.ko)
+	  logmust kmodsign sha256 $SBSIGN_KEY $SBSIGN_DER $connstat_mod "$connstat_mod.signed"
+	  logmust mv "$connstat_mod.signed" "$connstat_mod"
+	  logmust modinfo -F signer "$connstat_mod"
+
+	  # Update md5sums
+	  ( cd "$temp_dir"
+		  : > DEBIAN/md5sums
+		  # print paths relative to root of package
+		  while IFS= read -r -d '' f; do
+		  rel="${f#./}"
+		  md5sum "$rel" >> DEBIAN/md5sums
+		  done < <(find . -type f ! -path './DEBIAN/*' ! -path './etc/depmod*' -print0)
+	  )
+
+	  # Repack the .deb"
+	  repack_deb "$connstat_pkg" "$temp_dir"
+  done
+  delete_keys
 }
diff --git a/packages/zfs/config.sh b/packages/zfs/config.sh
@@ -174,6 +174,52 @@ function build() {
 	done
 	logmust cd "$WORKDIR"
 	logmust mv "all-packages/"*.deb "artifacts/"
+
+  # Sign ZFS modules in all packages
+  sign_zfs_modules
+}
+
+SB_KEYS_DIR="/var/tmp/sbkeys"
+SBSIGN_KEY="$SB_KEYS_DIR/db.key"
+SBSIGN_DER="$SB_KEYS_DIR/db.der"
+
+#
+# Unpack zfs-modules packages in artifacts directory, sign, then repack
+#
+function sign_zfs_modules() {
+	echo_bold "Signing ZFS modules"
+  logmust mkdir -p $SB_KEYS_DIR
+  logmust aws s3 cp --recursive s3://secure-boot-keys-prod/temp/db/ $SB_KEYS_DIR
+  for zfs_pkg in $(find "$WORKDIR/artifacts" -type f -name "zfs-modules-*.deb" ! -name "*-dbg*"); do
+	  echo_bold "Processing $zfs_pkg"
+	  temp_dir=$(mktemp -d -p "/var/tmp/")
+	  logmust fakeroot dpkg-deb -R $zfs_pkg "$temp_dir"
+
+	  zfs=$(find $temp_dir -type f -name zfs.ko)
+	  spl=$(find $temp_dir -type f -name spl.ko)
+
+	  logmust kmodsign sha256 $SBSIGN_KEY $SBSIGN_DER $zfs "$zfs.signed"
+	  logmust kmodsign sha256 $SBSIGN_KEY $SBSIGN_DER $spl "$spl.signed"
+	  logmust mv "$zfs.signed" "$zfs"
+	  logmust mv "$spl.signed" "$spl"
+	  logmust modinfo -F signer "$zfs"
+	  logmust modinfo -F signer "$spl"
+
+	  # Update md5sums
+	  ( cd "$temp_dir"
+      : > DEBIAN/md5sums
+	    # print paths relative to root of package
+	    while IFS= read -r -d '' f; do
+	    rel="${f#./}"
+	    md5sum "$rel" >> DEBIAN/md5sums
+	    done < <(find . -type f ! -path './DEBIAN/*' ! -path './etc/depmod*' -print0)
+    )
+
+	  # Repack the .deb"
+	  out_deb="$WORKDIR/artifacts/zfs-modules.deb"
+	  logmust fakeroot dpkg-deb -b "$temp_dir" "$out_deb"
+	  logmust mv "$out_deb" "$zfs_pkg"
+	done
 }
 
 function update_upstream() {
diff --git a/resources/delphix_kernel_annotations b/resources/delphix_kernel_annotations
@@ -2,6 +2,9 @@
 # FORMAT: 4
 # ARCH: amd64
 # FLAVOUR: amd64-aws amd64-azure amd64-generic amd64-gcp amd64-oracle
+#
+CONFIG_MODULE_SIG_KEY  		policy<{'amd64': '"/var/tmp/sbkeys/signing_key.pem"'}>
+CONFIG_MODULE_SIG_FORCE 			policy<{'amd64': 'y', 'arm64': 'y'}>
 
 #
 # Disable various "net" modules which we don't use.

Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,9 @@`
`2`	`2`	`# FORMAT: 4`
`3`	`3`	`# ARCH: amd64`
`4`	`4`	`# FLAVOUR: amd64-aws amd64-azure amd64-generic amd64-gcp amd64-oracle`
	`5`	`+#`
	`6`	`+CONFIG_MODULE_SIG_KEY policy<{'amd64': '"/var/tmp/sbkeys/signing_key.pem"'}>`
	`7`	`+CONFIG_MODULE_SIG_FORCE policy<{'amd64': 'y', 'arm64': 'y'}>`
`5`	`8`
`6`	`9`	`#`
`7`	`10`	`# Disable various "net" modules which we don't use.`