@tonynguien tonynguien commented Aug 19, 2025

Background

With Secure Boot, kernel image and modules need to be signed so that they can be verified on boot.

Solution

The changes here updated the following package builds:
  1. linux-kernel-* - includes CONFIG_MODULE_SIG_FORCE and CONFIG_MODULE_SIG_KEY such that kernel build uses our keys to sign modules. Also, signs vmlinuz after the build since kernel build does NOT sign kernel image.
  2. ZFS - signs zfs.ko and spl.ko for all generated deb packages after the build
  3. connstat - signs connstat.ko for all generated deb packages after the build

Testing Done

Last successful build (08/23) - https://selfservice-jenkins.eng-tools-prd.aws.delphixcloud.com/job/appliance-build-orchestrator-pre-push/11986/

Current build (08/25) - https://selfservice-jenkins.eng-tools-prd.aws.delphixcloud.com/job/appliance-build-orchestrator-pre-push/11996/console
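
A structural check for the module-signing steps described in the pull request above, added here as an example and not taken from the PR or the linux-pkg repository: it confirms that a built `.ko` ends with the signature trailer the kernel looks for (the marker string preceded by `struct module_signature`). The function name and sample bytes are constructed for illustration, and the check does not verify the signature against any key.

```python
import struct
import sys

# Marker appended after the signature of a signed kernel module.
MAGIC = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# 3 pad bytes, then sig_len as a big-endian u32 (12 bytes in total).
SIG_INFO = struct.Struct(">BBBBB3sI")
PKEY_ID_PKCS7 = 2  # the only id_type the kernel accepts for module signatures


def check_module_signature(data: bytes) -> dict:
    """Structural check only (hypothetical helper): no cryptographic verification."""
    res = {"signed": False, "reason": "", "sig_len": 0, "payload_len": len(data)}
    if not data.endswith(MAGIC):
        res["reason"] = "no signature marker at end of file"
        return res
    body = data[: -len(MAGIC)]
    if len(body) < SIG_INFO.size:
        res["reason"] = "truncated module_signature header"
        return res
    algo, hash_, id_type, signer_len, key_id_len, pad, sig_len = SIG_INFO.unpack(
        body[-SIG_INFO.size:])
    body = body[: -SIG_INFO.size]
    if id_type != PKEY_ID_PKCS7:
        res["reason"] = f"unexpected id_type {id_type}"
    elif algo or hash_ or signer_len or key_id_len or pad != b"\0\0\0":
        res["reason"] = "non-zero reserved fields in module_signature"
    elif sig_len == 0 or sig_len > len(body):
        res["reason"] = "sig_len does not fit inside the file"
    else:
        res.update(signed=True, sig_len=sig_len, payload_len=len(body) - sig_len)
    return res


# Constructed sample input: a 64-byte stand-in for module contents and a
# 32-byte stand-in for the PKCS#7 blob (neither is a real module or signature).
SAMPLE_UNSIGNED = b"\x7fELF" + b"\0" * 60
SAMPLE_SIGNED = (SAMPLE_UNSIGNED + b"\x30" * 32
                 + SIG_INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, b"\0\0\0", 32) + MAGIC)

if __name__ == "__main__":
    # Usage: python check_modsig.py path/to/module.ko ... (exits 1 if any is unsigned)
    results = {p: check_module_signature(open(p, "rb").read()) for p in sys.argv[1:]}
    for path, r in results.items():
        print(path, "signed" if r["signed"] else "UNSIGNED: " + r["reason"])
    sys.exit(0 if all(r["signed"] for r in results.values()) else 1)
```

Run over the `.ko` files unpacked from the generated deb packages, a non-zero exit flags a module that left the build without a signature trailer; a kernel built with `CONFIG_MODULE_SIG_FORCE` would refuse to load such a module.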

@tonynguien tonynguien force-pushed the dlpx/pr/tonynguien/c8f44e0e-6f06-419f-b811-b7052daa30a8 branch 8 times, most recently from be56829 to bf232d8 Compare August 24, 2025 22:24
@tonynguien tonynguien changed the title Sign module and vmlinuz CP-12693 Sign kernel modules and image during kernel build (no shim) CP-12694 Sign ZFS modules after ZFS build (no shim) CP-12695 Sign connstat module after build (no shim) Aug 24, 2025
@tonynguien tonynguien force-pushed the dlpx/pr/tonynguien/c8f44e0e-6f06-419f-b811-b7052daa30a8 branch 17 times, most recently from 3ec6b2f to 98fa473 Compare August 25, 2025 15:07
@tonynguien tonynguien marked this pull request as ready for review August 25, 2025 15:20
@tonynguien tonynguien force-pushed the dlpx/pr/tonynguien/c8f44e0e-6f06-419f-b811-b7052daa30a8 branch 10 times, most recently from 64b9e50 to 0307521 Compare August 26, 2025 01:21
CP-12694 Sign ZFS modules after ZFS build (no shim)
CP-12695 Sign connstat module after build (no shim)

PR URL: https://www.github.com/delphix/linux-pkg/pull/371
@tonynguien tonynguien force-pushed the dlpx/pr/tonynguien/c8f44e0e-6f06-419f-b811-b7052daa30a8 branch from 0307521 to 231dc0b Compare August 26, 2025 01:23
@tonynguien tonynguien requested a review from sebroy August 26, 2025 02:15