chore: add kernel module signtaure verification

Add kernel module signature verification for out of tree kernel modules.

Fixes: #7049

Signed-off-by: Noel Georgi <git@frezbo.dev>
(cherry picked from commit 5e9d836)

.drone.jsonnet

@@ -278,7 +278,7 @@ local save_artifacts = {
   commands: [
     'az login --service-principal -u "$${AZURE_STORAGE_USER}" -p "$${AZURE_STORAGE_PASS}" --tenant "$${AZURE_TENANT}"',
     'az storage container create --metadata ci=true -n ${CI_COMMIT_SHA}${DRONE_TAG//./-}',
-    'az storage blob upload-batch --overwrite -s _out -d  ${CI_COMMIT_SHA}${DRONE_TAG//./-}'
+    'az storage blob upload-batch --overwrite -s _out -d  ${CI_COMMIT_SHA}${DRONE_TAG//./-}',
   ],
   volumes: volumes.ForStep(),
   depends_on: [build.name, images_essential.name, iso.name, talosctl_cni_bundle.name],
@@ -297,7 +297,7 @@ local load_artifacts = {
   commands: [
     'az login --service-principal -u "$${AZURE_STORAGE_USER}" -p "$${AZURE_STORAGE_PASS}" --tenant "$${AZURE_TENANT}"',
     'az storage blob download-batch --overwrite true -d _out -s ${CI_COMMIT_SHA}${DRONE_TAG//./-}',
-    'chmod +x _out/clusterctl _out/integration-test-linux-amd64 _out/kubectl _out/kubestr _out/helm _out/cilium _out/talosctl*'
+    'chmod +x _out/clusterctl _out/integration-test-linux-amd64 _out/module-sig-verify-linux-amd64 _out/kubectl _out/kubestr _out/helm _out/cilium _out/talosctl*',
   ],
   volumes: volumes.ForStep(),
   depends_on: [setup_ci.name],
@@ -347,7 +347,7 @@ local extensions_patch_manifest = {
     // create a patch file to pass to the downstream build
     // ignore nvidia extensions, testing nvidia extensions needs a machine with nvidia graphics card
     // ignore nut extensions, needs extra config files
-    'jq -R < _out/extensions-metadata | jq -s \'[{"op":"add","path":"/machine/install/extensions","value":[{"image": map(select(. | contains("nvidia") or contains("nut") | not)) | .[]}]},{"op":"add","path":"/machine/sysctls","value":{"user.max_user_namespaces": "11255"}}]\' > _out/extensions-patch.json',
+    'jq -R < _out/extensions-metadata | jq -s -f hack/test/extensions/extension-patch-filter.jq > _out/extensions-patch.json',
     'cat _out/extensions-patch.json',
   ],
   depends_on: [extensions_artifacts.name],

Dockerfile

@@ -118,8 +118,7 @@ RUN --mount=type=cache,target=/.cache go install k8s.io/code-generator/cmd/deepc
 ARG VTPROTOBUF_VERSION
 RUN --mount=type=cache,target=/.cache go install github.com/planetscale/vtprotobuf/cmd/protoc-gen-go-vtproto@${VTPROTOBUF_VERSION} \
     && mv /go/bin/protoc-gen-go-vtproto /toolchain/go/bin/protoc-gen-go-vtproto
-# fix vulncheck at a previous version, as it seems to break in the latest commits
-RUN --mount=type=cache,target=/.cache go install golang.org/x/vuln/cmd/govulncheck@05fb7250142cc6010c39968839f2f3710afdd918 \
+RUN --mount=type=cache,target=/.cache go install golang.org/x/vuln/cmd/govulncheck@latest \
     && mv /go/bin/govulncheck /toolchain/go/bin/govulncheck
 RUN --mount=type=cache,target=/.cache go install github.com/uber/prototool/cmd/prototool@v1.10.0 \
     && mv /go/bin/prototool /toolchain/go/bin/prototool
@@ -252,23 +251,24 @@ RUN mkdir -p pkg/machinery/gendata/data && \
     echo -n ${PKGS} > pkg/machinery/gendata/data/pkgs && \
     echo -n ${TAG} > pkg/machinery/gendata/data/tag && \
     echo -n ${ARTIFACTS} > pkg/machinery/gendata/data/artifacts
-RUN mkdir -p _out && \
-    echo PKGS=${PKGS} >> _out/talos-metadata && \
-    echo TAG=${TAG} >> _out/talos-metadata && \
-    echo EXTRAS=${EXTRAS} >> _out/talos-metadata
 
 FROM scratch AS embed
 COPY --from=embed-generate /src/pkg/machinery/gendata/data /pkg/machinery/gendata/data
-COPY --from=embed-generate /src/_out/talos-metadata /_out/talos-metadata
 
 FROM embed-generate AS embed-abbrev-generate
 ARG ABBREV_TAG
 RUN echo -n "undefined" > pkg/machinery/gendata/data/sha && \
     echo -n ${ABBREV_TAG} > pkg/machinery/gendata/data/tag
+RUN mkdir -p _out && \
+    echo PKGS=${PKGS} >> _out/talos-metadata && \
+    echo TAG=${TAG} >> _out/talos-metadata && \
+    echo EXTRAS=${EXTRAS} >> _out/talos-metadata
+COPY --from=pkg-kernel /certs/signing_key.x509 _out/signing_key.x509
 
 FROM scratch AS embed-abbrev
 COPY --from=embed-abbrev-generate /src/pkg/machinery/gendata/data /pkg/machinery/gendata/data
 COPY --from=embed-abbrev-generate /src/_out/talos-metadata /_out/talos-metadata
+COPY --from=embed-abbrev-generate /src/_out/signing_key.x509 /_out/signing_key.x509
 
 FROM --platform=${BUILDPLATFORM} scratch AS generate
 COPY --from=proto-format-build /src/api /api/
@@ -777,6 +777,21 @@ RUN --mount=type=cache,target=/.cache GOOS=linux GOARCH=amd64 GOAMD64=${GOAMD64}
 FROM scratch AS integration-test-provision-linux
 COPY --from=integration-test-provision-linux-build /src/integration.test /integration-test-provision-linux-amd64
 
+# The module-sig-verify targets builds module-sig-verify binary.
+
+FROM build-go AS module-sig-verify-linux-build
+ARG GO_BUILDFLAGS
+ARG GO_LDFLAGS
+ARG GOAMD64
+WORKDIR /src/module-sig-verify
+COPY ./hack/module-sig-verify/go.mod ./hack/module-sig-verify/go.sum .
+RUN --mount=type=cache,target=/.cache go mod download
+COPY ./hack/module-sig-verify/main.go .
+RUN --mount=type=cache,target=/.cache GOOS=linux GOARCH=amd64 GOAMD64=${GOAMD64} go build -o module-sig-verify .
+
+FROM scratch AS module-sig-verify-linux
+COPY --from=module-sig-verify-linux-build /src/module-sig-verify/module-sig-verify /module-sig-verify-linux-amd64
+
 # The lint target performs linting on the source code.
 
 FROM base AS lint-go
@@ -886,19 +901,14 @@ RUN --mount=type=cache,target=/.cache go install github.com/psampaz/go-mod-outda
 COPY ./hack/cloud-image-uploader ./hack/cloud-image-uploader
 COPY ./hack/docgen ./hack/docgen
 COPY ./hack/gotagsrewrite ./hack/gotagsrewrite
-COPY ./hack/protoc-gen-doc ./hack/protoc-gen-doc
+COPY ./hack/module-sig-verify ./hack/module-sig-verify
 COPY ./hack/structprotogen ./hack/structprotogen
 # fail always to get the output back
-RUN --mount=type=cache,target=/.cache \
-    echo -e "\n>>>> pkg/machinery:" && \
-    (cd pkg/machinery && go list -u -m -json all | go-mod-outdated -update -direct) && \
-    echo -e "\n>>>> .:" && \
-    (go list -u -m -json all | go-mod-outdated -update -direct) && \
-    echo -e "\n>>>> hack/cloud-image-uploader:" && \
-    (cd hack/cloud-image-uploader && go list -u -m -json all | go-mod-outdated -update -direct) && \
-    echo -e "\n>>>> hack/docgen:" && \
-    (cd hack/docgen && go list -u -m -json all | go-mod-outdated -update -direct) && \
-    echo -e "\n>>>> hack/gotagsrewrite:" && \
-    (cd hack/gotagsrewrite && go list -u -m -json all | go-mod-outdated -update -direct) && \
-    echo -e "\n>>>> hack/structprotogen:" && \
-    (cd hack/structprotogen && go list -u -m -json all | go-mod-outdated -update -direct)
+RUN --mount=type=cache,target=/.cache <<EOF
+    for project in pkg/machinery . hack/cloud-image-uploader hack/docgen hack/gotagsrewrite hack/module-sig-verify hack/structprotogen; do
+        echo -e "\n>>>> ${project}:" && \
+        (cd "${project}" && go list -u -m -json all | go-mod-outdated -update -direct)
+    done
+
+    exit 1
+EOF

Makefile

@@ -14,7 +14,7 @@ NAME = Talos
 
 ARTIFACTS := _out
 TOOLS ?= ghcr.io/siderolabs/tools:v1.4.0-1-g955aabc
-PKGS ?= v1.4.1-1-ga6e9ad5
+PKGS ?= v1.4.1-4-g62c50e2
 EXTRAS ?= v1.4.0-1-g9b07505
 # renovate: datasource=github-tags depName=golang/go
 GO_VERSION ?= 1.20
@@ -46,6 +46,7 @@ TEXTLINT_RULE_ONE_SENTENCE_PER_LINE_VERSION ?= 2.0.0
 OPERATING_SYSTEM := $(shell uname -s | tr "[:upper:]" "[:lower:]")
 TALOSCTL_DEFAULT_TARGET := talosctl-$(OPERATING_SYSTEM)
 INTEGRATION_TEST_DEFAULT_TARGET := integration-test-$(OPERATING_SYSTEM)
+MODULE_SIG_VERIFY_DEFAULT_TARGET := module-sig-verify-$(OPERATING_SYSTEM)
 INTEGRATION_TEST_PROVISION_DEFAULT_TARGET := integration-test-provision-$(OPERATING_SYSTEM)
 # renovate: datasource=github-releases depName=kubernetes/kubernetes
 KUBECTL_VERSION ?= v1.27.0-rc.1
@@ -337,7 +338,7 @@ check-dirty: ## Verifies that source tree is not dirty
 	@if test -n "`git status --porcelain`"; then echo "Source tree is dirty"; git status; exit 1 ; fi
 
 go-mod-outdated: ## Runs the go-mod-oudated to show outdated dependencies.
-	@$(MAKE) target-go-mod-outdated PLATFORM=linux/amd64 PROGRESS=text
+	@$(MAKE) target-go-mod-outdated PLATFORM=linux/amd64
 
 # Tests
 
@@ -355,6 +356,9 @@ $(ARTIFACTS)/$(INTEGRATION_TEST_DEFAULT_TARGET)-amd64:
 $(ARTIFACTS)/$(INTEGRATION_TEST_PROVISION_DEFAULT_TARGET)-amd64:
 	@$(MAKE) local-$(INTEGRATION_TEST_PROVISION_DEFAULT_TARGET) DEST=$(ARTIFACTS) PLATFORM=linux/amd64 WITH_RACE=true NAME=Client
 
+$(ARTIFACTS)/$(MODULE_SIG_VERIFY_DEFAULT_TARGET)-amd64:
+	@$(MAKE) local-$(MODULE_SIG_VERIFY_DEFAULT_TARGET) DEST=$(ARTIFACTS) PLATFORM=linux/amd64
+
 $(ARTIFACTS)/kubectl:
 	@mkdir -p $(ARTIFACTS)
 	@curl -L -o $(ARTIFACTS)/kubectl "$(KUBECTL_URL)"
@@ -380,7 +384,7 @@ $(ARTIFACTS)/cilium:
 	@curl -L "$(CILIUM_CLI_URL)" | tar xzf - -C $(ARTIFACTS) cilium
 	@chmod +x $(ARTIFACTS)/cilium
 
-external-artifacts: $(ARTIFACTS)/kubectl $(ARTIFACTS)/clusterctl $(ARTIFACTS)/kubestr $(ARTIFACTS)/helm $(ARTIFACTS)/cilium
+external-artifacts: $(ARTIFACTS)/kubectl $(ARTIFACTS)/clusterctl $(ARTIFACTS)/kubestr $(ARTIFACTS)/helm $(ARTIFACTS)/cilium $(ARTIFACTS)/$(MODULE_SIG_VERIFY_DEFAULT_TARGET)-amd64
 
 e2e-%: $(ARTIFACTS)/$(INTEGRATION_TEST_DEFAULT_TARGET)-amd64 external-artifacts ## Runs the E2E test for the specified platform (e.g. e2e-docker).
 	@$(MAKE) hack-test-$@ \
@@ -393,6 +397,8 @@ e2e-%: $(ARTIFACTS)/$(INTEGRATION_TEST_DEFAULT_TARGET)-amd64 external-artifacts
 		ARTIFACTS=$(ARTIFACTS) \
 		TALOSCTL=$(PWD)/$(ARTIFACTS)/$(TALOSCTL_DEFAULT_TARGET)-amd64 \
 		INTEGRATION_TEST=$(PWD)/$(ARTIFACTS)/$(INTEGRATION_TEST_DEFAULT_TARGET)-amd64 \
+		MODULE_SIG_VERIFY=$(PWD)/$(ARTIFACTS)/$(MODULE_SIG_VERIFY_DEFAULT_TARGET)-amd64 \
+		KERNEL_MODULE_SIGNING_PUBLIC_KEY=$(PWD)/$(ARTIFACTS)/signing_key.x509 \
 		SHORT_INTEGRATION_TEST=$(SHORT_INTEGRATION_TEST) \
 		CUSTOM_CNI_URL=$(CUSTOM_CNI_URL) \
 		KUBECTL=$(PWD)/$(ARTIFACTS)/kubectl \

go.work

@@ -3,7 +3,9 @@ go 1.19
 use (
 	.
 	./hack/cloud-image-uploader
+	./hack/docgen
 	./hack/gotagsrewrite
+	./hack/module-sig-verify
 	./hack/structprotogen
 	./pkg/machinery
 )

hack/docgen/go.mod

@@ -4,7 +4,7 @@ go 1.20
 
 // forked go-yaml that introduces RawYAML interface, which can be used to populate YAML fields using bytes
 // which are then encoded as a valid YAML blocks with proper indentiation
-replace gopkg.in/yaml.v3 => github.com/unix4ever/yaml v0.0.0-20210315173758-8fb30b8e5a5b
+replace gopkg.in/yaml.v3 => github.com/unix4ever/yaml v0.0.0-20220527175918-f17b0f05cf2c
 
 require (
 	github.com/gomarkdown/markdown v0.0.0-20230322041520-c84983bdbf2a

hack/docgen/go.sum

@@ -28,8 +28,8 @@ github.com/siderolabs/gen v0.4.3/go.mod h1:wS8tFq7sn5vqKAuyS30vJUig3tX5v6q79VG4K
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.3.1-0.20190311161405-34c6fa2dc709/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
-github.com/unix4ever/yaml v0.0.0-20210315173758-8fb30b8e5a5b h1:8pnPjZJU0SYanlmHnhMTeR8OR148K9yStwBz1GsjBsQ=
-github.com/unix4ever/yaml v0.0.0-20210315173758-8fb30b8e5a5b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+github.com/unix4ever/yaml v0.0.0-20220527175918-f17b0f05cf2c h1:Vn6nVVu9MdOYvXPkJP83iX5jVIfvxFC9v9xIKb+DlaQ=
+github.com/unix4ever/yaml v0.0.0-20220527175918-f17b0f05cf2c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 h1:6zppjxzCulZykYSLyVDYbneBfbaBIQPYMevg0bEwv2s=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/net v0.8.0 h1:Zrh2ngAOFYneWTAIAPethzeaQLuHwhuBkuV6ZiRnUaQ=

hack/module-sig-verify/go.mod

@@ -0,0 +1,5 @@
+module module-sig-verify
+
+go 1.20
+
+require go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352

hack/module-sig-verify/go.sum

@@ -0,0 +1,2 @@
+go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 h1:CCriYyAfq1Br1aIYettdHZTy8mBTIPo7We18TuO/bak=
+go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk=