I would like to use signed kernel modules [https://www.kernel.org/doc/html/v4.10/admin-guide/module-signing.html]. Is this feature available in OpenWrt?
No, kernel module signing is not implemented in OpenWrt.
Where would be the best place to keep a hook like the one below?
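# Signs every out-of-tree kernel module (*.ko) staged under ${D} with the key
# and hash algorithm the kernel itself was configured with, so the modules pass
# the kernel's CONFIG_MODULE_SIG verification at load time.
#
# Reads from the environment (provided by the ebuild / linux-mod eclass):
#   KERNEL_DIR  - configured kernel source tree (.config, scripts/sign-file, certs/)
#   D           - image directory the package is staged into
#   INSDESTTREE - module install tree below ${D}
#
# Dies when the kernel has no signing hash configured, when scripts/sign-file or
# the certificate is missing, or when any single module fails to sign: quietly
# shipping an unsigned module is exactly the failure this hook exists to prevent.
function pre_pkg_preinst() {
	# Only packages that installed kernel modules (via linux-mod.eclass) need signing.
	if [[ "$(type -t linux-mod_pkg_preinst)" != "function" ]]; then
		return
	fi

	local kconfig="${KERNEL_DIR}/.config"
	local sign_file="${KERNEL_DIR}/scripts/sign-file"
	[[ -x "${sign_file}" ]] || die "module signing: ${sign_file} not found or not executable"

	# Hash algorithm from CONFIG_MODULE_SIG_HASH="...". An empty value means the
	# kernel was not built with module signing; sign-file needs a real algorithm,
	# so fail loudly instead of invoking it with "".
	local module_sig_hash
	module_sig_hash="$(grep -Po '(?<=CONFIG_MODULE_SIG_HASH=").*(?=")' "${kconfig}")"
	[[ -n "${module_sig_hash}" ]] || die "module signing: CONFIG_MODULE_SIG_HASH not set in ${kconfig}"

	# Signing key from CONFIG_MODULE_SIG_KEY, defaulting to the kernel's autogenerated key.
	local module_sig_key
	module_sig_key="$(grep -Po '(?<=CONFIG_MODULE_SIG_KEY=").*(?=")' "${kconfig}")"
	module_sig_key="${module_sig_key:-certs/signing_key.pem}"

	# A relative value is a path inside the kernel tree; a PKCS#11 URI or an
	# absolute path is handed to sign-file unchanged.
	local key_path="${module_sig_key}"
	case "${module_sig_key}" in
		pkcs11:*|/*) ;;
		*) key_path="${KERNEL_DIR}/${module_sig_key}" ;;
	esac

	# Certificate matching the key; sign-file embeds its identity in the signature.
	local cert_path="${KERNEL_DIR}/certs/signing_key.x509"
	[[ -r "${cert_path}" ]] || die "module signing: certificate ${cert_path} not readable"

	# Sign each staged module. A plain `find -exec ... \;` discards sign-file's
	# exit status, so iterate explicitly and abort on the first failure.
	local module
	while IFS= read -r -d '' module; do
		"${sign_file}" "${module_sig_hash}" "${key_path}" "${cert_path}" "${module}" \
			|| die "module signing: failed to sign ${module}"
	done < <(find "${D%/}/${INSDESTTREE#/}/" -name "*.ko" -print0)
}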
This script is from [https://wiki.gentoo.org/wiki/Signed_kernel_module_support].
Any suggestion?
One quick way to try it out is below:
diff --git a/include/image.mk b/include/image.mk
index fdbc71645a..b9c465fc27 100644
--- a/include/image.mk
+++ b/include/image.mk
@@ -276,6 +276,11 @@ define Image/Manifest
$(BIN_DIR)/$(IMG_PREFIX)$(if $(PROFILE_SANITIZED),-$(PROFILE_SANITIZED)).manifest
endef
+define Image/Signkmod
+ echo "Signing KMOD........................................................................"
+ find "$(TARGET_DIR)/lib/modules" -name "*.ko" -exec "$(LINUX_DIR)/scripts/sign-file" sha1 $(LINUX_DIR)/certs/signing_key.pem $(LINUX_DIR)/certs/signing_key.x509 '{}' \;
+endef
+
define Image/gzip-ext4-padded-squashfs
define Image/Build/squashfs
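Review bot: The hash algorithm and key are hard-coded in `Image/Signkmod` (`sha1`, `$(LINUX_DIR)/certs/signing_key.pem`), so a kernel configured with a different `CONFIG_MODULE_SIG_HASH` or `CONFIG_MODULE_SIG_KEY` gets signatures it may not be able to verify, and SHA-1 is a poor choice for a new signing setup in any case. Both values should be read from `$(LINUX_DIR)/.config`, the way the Gentoo hook earlier in the thread does, with the build failing if the hash is empty instead of calling sign-file with a bogus argument. The `find -exec … \;` form also discards sign-file's exit status, so a module that fails to sign is shipped unsigned and the problem only surfaces at boot when the kernel rejects it (or loads it tainted); piping through `xargs -0 -n1` makes a single failure fail the recipe. I am assuming the kernel config symbols are not available here as make variables, hence the shell-level extraction; adjust if the build system exposes them.
```make
define Image/Signkmod
	echo "Signing kernel modules in $(TARGET_DIR)/lib/modules"
	sig_hash="$$(sed -n 's/^CONFIG_MODULE_SIG_HASH="\(.*\)"$$/\1/p' $(LINUX_DIR)/.config)"; \
	sig_key="$$(sed -n 's/^CONFIG_MODULE_SIG_KEY="\(.*\)"$$/\1/p' $(LINUX_DIR)/.config)"; \
	sig_key="$${sig_key:-certs/signing_key.pem}"; \
	case "$$sig_key" in pkcs11:*|/*) ;; *) sig_key="$(LINUX_DIR)/$$sig_key" ;; esac; \
	[ -n "$$sig_hash" ] || { echo "CONFIG_MODULE_SIG_HASH not set; cannot sign modules" >&2; exit 1; }; \
	find "$(TARGET_DIR)/lib/modules" -name '*.ko' -print0 | \
		xargs -0 -n1 "$(LINUX_DIR)/scripts/sign-file" "$$sig_hash" "$$sig_key" "$(LINUX_DIR)/certs/signing_key.x509"
endef
```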
@@ -768,11 +773,13 @@ define BuildImage
endif
kernel_prepare: image_prepare
+ $(call Image/Signkmod)
$(call Image/Build/targz)
$(call Image/Build/cpiogz)
$(call Image/BuildKernel)
$(if $(CONFIG_TARGET_ROOTFS_INITRAMFS),$(if $(IB),,$(call Image/BuildKernel/Initramfs)))
$(call Image/InstallKernel)
+
.NOTPARALLEL :
$(foreach device,$(TARGET_DEVICES),$(call Device,$(device)))
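Review bot: `$(call Image/Signkmod)` runs unconditionally in the `kernel_prepare` recipe, but `scripts/sign-file` and `certs/signing_key.*` only exist in a kernel tree built with `CONFIG_MODULE_SIG=y`, so every target that leaves module signing off will either fail here or, with the `find -exec` form, spray errors and continue. Gate the call on the kernel configuration, e.g. `grep -q '^CONFIG_MODULE_SIG=y' $(LINUX_DIR)/.config && $(call Image/Signkmod)` wrapped in a shell `if`, or on a dedicated build option; I am inferring that the kconfig symbols are not visible as make variables at this point, so confirm against the build system. The extra blank line added before `.NOTPARALLEL :` is unrelated noise and should be dropped. It is also worth recording in the commit message what the description only implies: only modules present in `$(TARGET_DIR)` at image-build time are signed, so kmod packages installed later will not carry a signature from this step.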
Note that this signs only the kernel modules that end up in the image (the `$(TARGET_DIR)/lib/modules` tree at image-build time); modules shipped as separate packages and installed later are not signed by this step.