@tonynguien tonynguien commented Aug 19, 2025

Background

With Secure Boot, the kernel image and modules need to be signed so that they can be verified on boot.

Solution

The changes here updated the following package builds:
  1. linux-kernel-* - includes CONFIG_MODULE_SIG_FORCE and CONFIG_MODULE_SIG_KEY so that the kernel build uses our keys to sign modules. Also signs vmlinuz after the build, since the kernel build does NOT sign the kernel image.
  2. ZFS - signs zfs.ko and spl.ko for all generated deb packages after the build
  3. connstat - signs connstat.ko for all generated deb packages after the build

Testing Done

  • Successful appliance builds for ESX, AWS, GCP, and Azure which imported created images and successfully booted VMs on those cloud platforms.
  • On AWS, upgrade blackbox test also ran successfully.

Last successful build (08/23) - https://selfservice-jenkins.eng-tools-prd.aws.delphixcloud.com/job/appliance-build-orchestrator-pre-push/11986/

Current build (08/25) - https://selfservice-jenkins.eng-tools-prd.aws.delphixcloud.com/job/appliance-build-orchestrator-pre-push/11996/console
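
As an added example (not part of this PR or the linux-pkg repository): a structural check that a built .ko, such as the zfs.ko, spl.ko and connstat.ko named above, ends with the appended PKCS#7 signature trailer in the layout written by the kernel's scripts/sign-file. That the PR signs with that tool is an assumption; the function names and sample bytes are constructed for illustration.

```python
import struct

MAGIC = b"~Module signature appended~\n"  # trailer appended by scripts/sign-file
PKEY_ID_PKCS7 = 2                         # id_type the kernel's signature check expects
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# 3 padding bytes, then a big-endian u32 sig_len (12 bytes in total).
SIG_INFO = struct.Struct(">8BI")


def check_module_signature(blob: bytes):
    """Return (ok, detail) for the raw bytes of a .ko file (structure only)."""
    if not blob.endswith(MAGIC):
        return False, "unsigned: no signature trailer"
    body = blob[:-len(MAGIC)]
    if len(body) < SIG_INFO.size:
        return False, "malformed: truncated signature info"
    *hdr, sig_len = SIG_INFO.unpack(body[-SIG_INFO.size:])
    algo, hash_algo, id_type, signer_len, key_id_len, *pad = hdr
    if sig_len == 0 or sig_len > len(body) - SIG_INFO.size:
        return False, "malformed: sig_len does not fit in file"
    if id_type != PKEY_ID_PKCS7:
        return False, f"unsupported id_type {id_type}"
    if any((algo, hash_algo, signer_len, key_id_len, *pad)):
        return False, "malformed: non-zero reserved fields"
    sig = body[-SIG_INFO.size - sig_len:-SIG_INFO.size]
    if sig[0] != 0x30:  # PKCS#7 is DER, so it must open with a SEQUENCE tag
        return False, "malformed: signature is not DER"
    return True, f"PKCS#7 signature, {sig_len} bytes"


def make_sample(payload: bytes, sig: bytes, id_type: int = PKEY_ID_PKCS7) -> bytes:
    """Constructed test input: payload + sig + module_signature + trailer."""
    info = SIG_INFO.pack(0, 0, id_type, 0, 0, 0, 0, 0, len(sig))
    return payload + sig + info + MAGIC


if __name__ == "__main__":
    elf = b"\x7fELF" + bytes(60)                 # constructed stand-in for module contents
    fake_sig = b"\x30\x82\x01\x00" + bytes(256)  # constructed, not a real signature
    for name, blob in [("signed.ko", make_sample(elf, fake_sig)),
                       ("unsigned.ko", elf),
                       ("old-format.ko", make_sample(elf, fake_sig, id_type=1))]:
        print(name, check_module_signature(blob))
```

This confirms presence and layout only; whether the signature verifies against a trusted key is decided by the kernel at module load time.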

@tonynguien tonynguien force-pushed the dlpx/pr/tonynguien/c8f44e0e-6f06-419f-b811-b7052daa30a8 branch 8 times, most recently from be56829 to bf232d8 August 24, 2025 22:24
@tonynguien tonynguien changed the title from "Sign module and vmlinuz" to "CP-12693 Sign kernel modules and image during kernel build (no shim) CP-12694 Sign ZFS modules after ZFS build (no shim) CP-12695 Sign connstat module after build (no shim)" Aug 24, 2025
@tonynguien tonynguien force-pushed the dlpx/pr/tonynguien/c8f44e0e-6f06-419f-b811-b7052daa30a8 branch 17 times, most recently from 3ec6b2f to 98fa473 August 25, 2025 15:07
@tonynguien tonynguien marked this pull request as ready for review August 25, 2025 15:20
@tonynguien tonynguien force-pushed the dlpx/pr/tonynguien/c8f44e0e-6f06-419f-b811-b7052daa30a8 branch 11 times, most recently from 0307521 to 231dc0b August 26, 2025 01:23
@tonynguien tonynguien requested a review from sebroy August 26, 2025 02:15
@tonynguien tonynguien force-pushed the dlpx/pr/tonynguien/c8f44e0e-6f06-419f-b811-b7052daa30a8 branch from 231dc0b to 79fc722 August 26, 2025 13:15
@tonynguien tonynguien force-pushed the dlpx/pr/tonynguien/c8f44e0e-6f06-419f-b811-b7052daa30a8 branch from 79fc722 to 82c7281 August 27, 2025 01:02
CP-12694 Sign ZFS modules after ZFS build (no shim)
CP-12695 Sign connstat module after build (no shim)

PR URL: https://www.github.com/delphix/linux-pkg/pull/371
@tonynguien tonynguien force-pushed the dlpx/pr/tonynguien/c8f44e0e-6f06-419f-b811-b7052daa30a8 branch from 82c7281 to 9a747b7 August 27, 2025 14:15
@tonynguien tonynguien merged commit 54c1efe into develop Aug 27, 2025
12 checks passed
@tonynguien tonynguien deleted the dlpx/pr/tonynguien/c8f44e0e-6f06-419f-b811-b7052daa30a8 branch August 27, 2025 22:16