
Commit eca20d4

add the fields for signing to crd (kubernetes-sigs#91) (kubernetes-sigs#92)
this adds four fields to the crd in their own subsection: FileList - a list of kmod files within the container to sign; KeySecret and CertSecret - these are the names of secrets containing the private and public keys respectively that will be used to sign the kmods. The public key should be the one added into the uefi moklist for secureboot, and KeySecret is its private component. (See the kernel docs e.g. https://www.kernel.org/doc/html/v4.15/admin-guide/module-signing.html#manually-signing-modules for details of this process) unsignedImage - the optional name of a dtk image containing the unsigned kmods, used only if there is no build stage. The expected workflow will be (not implemented in this commit): if there is only a kernelmapping.build section it will produce the image kernelmapping.containerImage (for the non-secureboot case); if there is both km.build and km.sign then build will produce an intermediate image and sign will consume that to produce km.containerImage; if there is only km.sign, signing will consume km.sign.unsignedImage and produce km.containerImage (this is for the case where a vendor supplies prebuilt images that need signing). The generation of the intermediate image name will be handled automatically within the controller (again in a different commit) but will probably be something like km.containerImage + "-unsigned" Co-authored-by: Chris Procter <[email protected]>
1 parent 3996a0b commit eca20d4


4 files changed

+218
-0
lines changed


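--- a/api/v1beta1/module_types.go
+++ b/api/v1beta1/module_types.go
@@ -71,6 +71,22 @@ type Build struct {
 Secrets []v1.LocalObjectReference `json:"secrets"`
 }
 
+type Sign struct {
+// +optional
+// Image to sign, ignored if a Build is present, required otherwise
+UnsignedImage string `json:"unsignedImage,omitempty"`
+
+// a secret containing the private key used to sign kernel modules for secureboot
+KeySecret *v1.LocalObjectReference `json:"keySecret"`
+
+// a secret containing the public key used to sign kernel modules for secureboot
+CertSecret *v1.LocalObjectReference `json:"certSecret"`
+
+// +optional
+// paths inside the image for the kernel modules to sign (if ommited all kmods are signed)
+FilesToSign []string `json:"filesToSign,omitempty"`
+}
+
 // KernelMapping pairs kernel versions with a DriverContainer image.
 // Kernel versions can be matched literally or using a regular expression.
 type KernelMapping struct {
@@ -79,6 +95,10 @@ type KernelMapping struct {
 // Build enables in-cluster builds for this mapping and allows overriding the Module's build settings.
 Build *Build `json:"build"`
 
+// +optional
+// Sign enables in-cluster signing for this mapping
+Sign *Sign `json:"sign,omitempty"`
+
 // ContainerImage is the name of the DriverContainer image that should be used to deploy the module.
 ContainerImage string `json:"containerImage"`
 
@@ -142,6 +162,10 @@ type ModuleLoaderContainerSpec struct {
 // +optional
 Build *Build `json:"build,omitempty"`
 
+// +optional
+// Sign provides default kmod signing settings
+Sign *Sign `json:"sign,omitempty"`
+
 // ContainerImage is a top-level field
 // +optional
 ContainerImage string `json:"containerImage,omitempty"`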
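Review bot: `UnsignedImage` in the new `Sign` struct is documented as "required otherwise" when no `Build` is present, but nothing in the hunk enforces that conditional — the generated CRD only marks `keySecret` and `certSecret` as required — so a `KernelMapping` with `sign` but neither `build` nor `unsignedImage` passes the API server and must be rejected by the controller, which this commit does not do. If the project's controller-gen supports CEL rules, one marker on `KernelMapping` expresses it: `// +kubebuilder:validation:XValidation:rule="!has(self.sign) || has(self.build) || has(self.sign.unsignedImage)"`; otherwise the validation belongs in the reconciler and the comment should say so. The new field comments also do not follow the file's own style (`// Build enables …`, `// ContainerImage is …`) and do not state that a `LocalObjectReference` resolves only within the Module's namespace, which matters most for the private-key secret; I would write `// KeySecret references a Secret in the Module's namespace holding the private key used to sign kernel modules for Secure Boot.` and `// CertSecret references a Secret in the Module's namespace holding the public certificate that matches KeySecret (the one enrolled in the UEFI MOK list).` `ommited` in the `FilesToSign` comment is a typo for `omitted` and is copied verbatim into both generated CRD files.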

api/v1beta1/zz_generated.deepcopy.go

+40

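--- a/bundle/manifests/kmm.sigs.k8s.io_modules.yaml
+++ b/bundle/manifests/kmm.sigs.k8s.io_modules.yaml
@@ -2034,6 +2034,46 @@ spec:
 description: Regexp is a regular expression to be match
 against node kernels.
 type: string
+sign:
+description: Sign enables in-cluster signing for this
+mapping
+properties:
+certSecret:
+description: a secret containing the public key
+used to sign kernel modules for secureboot
+properties:
+name:
+description: 'Name of the referent. More info:
+https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+TODO: Add other useful fields. apiVersion,
+kind, uid?'
+type: string
+type: object
+filesToSign:
+description: paths inside the image for the kernel
+modules to sign (if ommited all kmods are signed)
+items:
+type: string
+type: array
+keySecret:
+description: a secret containing the private key
+used to sign kernel modules for secureboot
+properties:
+name:
+description: 'Name of the referent. More info:
+https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+TODO: Add other useful fields. apiVersion,
+kind, uid?'
+type: string
+type: object
+unsignedImage:
+description: Image to sign, ignored if a Build is
+present, required otherwise
+type: string
+required:
+- certSecret
+- keySecret
+type: object
 required:
 - containerImage
 type: object
@@ -2124,6 +2164,43 @@ spec:
 accept any certificate provided by the registry.
 type: boolean
 type: object
+sign:
+description: Sign provides default kmod signing settings
+properties:
+certSecret:
+description: a secret containing the public key used to
+sign kernel modules for secureboot
+properties:
+name:
+description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+TODO: Add other useful fields. apiVersion, kind,
+uid?'
+type: string
+type: object
+filesToSign:
+description: paths inside the image for the kernel modules
+to sign (if ommited all kmods are signed)
+items:
+type: string
+type: array
+keySecret:
+description: a secret containing the private key used
+to sign kernel modules for secureboot
+properties:
+name:
+description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+TODO: Add other useful fields. apiVersion, kind,
+uid?'
+type: string
+type: object
+unsignedImage:
+description: Image to sign, ignored if a Build is present,
+required otherwise
+type: string
+required:
+- certSecret
+- keySecret
+type: object
 required:
 - kernelMappings
 - modprobe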

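--- a/config/crd/bases/kmm.sigs.k8s.io_modules.yaml
+++ b/config/crd/bases/kmm.sigs.k8s.io_modules.yaml
@@ -2034,6 +2034,46 @@ spec:
 description: Regexp is a regular expression to be match
 against node kernels.
 type: string
+sign:
+description: Sign enables in-cluster signing for this
+mapping
+properties:
+certSecret:
+description: a secret containing the public key
+used to sign kernel modules for secureboot
+properties:
+name:
+description: 'Name of the referent. More info:
+https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+TODO: Add other useful fields. apiVersion,
+kind, uid?'
+type: string
+type: object
+filesToSign:
+description: paths inside the image for the kernel
+modules to sign (if ommited all kmods are signed)
+items:
+type: string
+type: array
+keySecret:
+description: a secret containing the private key
+used to sign kernel modules for secureboot
+properties:
+name:
+description: 'Name of the referent. More info:
+https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+TODO: Add other useful fields. apiVersion,
+kind, uid?'
+type: string
+type: object
+unsignedImage:
+description: Image to sign, ignored if a Build is
+present, required otherwise
+type: string
+required:
+- certSecret
+- keySecret
+type: object
 required:
 - containerImage
 type: object
@@ -2124,6 +2164,43 @@ spec:
 accept any certificate provided by the registry.
 type: boolean
 type: object
+sign:
+description: Sign provides default kmod signing settings
+properties:
+certSecret:
+description: a secret containing the public key used to
+sign kernel modules for secureboot
+properties:
+name:
+description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+TODO: Add other useful fields. apiVersion, kind,
+uid?'
+type: string
+type: object
+filesToSign:
+description: paths inside the image for the kernel modules
+to sign (if ommited all kmods are signed)
+items:
+type: string
+type: array
+keySecret:
+description: a secret containing the private key used
+to sign kernel modules for secureboot
+properties:
+name:
+description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+TODO: Add other useful fields. apiVersion, kind,
+uid?'
+type: string
+type: object
+unsignedImage:
+description: Image to sign, ignored if a Build is present,
+required otherwise
+type: string
+required:
+- certSecret
+- keySecret
+type: object
 required:
 - kernelMappings
 - modprobe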
