feat(kernel): trust Blockcast module-signing cert (fix amt.ko EKEYREJECTED)#3
feat(kernel): trust Blockcast module-signing cert (fix amt.ko EKEYREJECTED)#3kkroo wants to merge 6 commits into
Conversation
…TED_KEYS) The custom AMT kernel (kernel:<ver>-amt → installer:<ver>-amt) shipped a stock keyring trusting ONLY the Sidero build-time throw-away key, so a Blockcast-signed amt.ko is rejected under module.sig_enforce=1 (`key was rejected by service`), verified on a freshly-imaged Talos node (.builtin_trusted_keys held only the Sidero key). The signed-kernel design (.planning 2026-06-17) never wired the kernel-trust half. Embed the Blockcast module-signing public cert in the kernel's builtin trusted keyring: - add kernel/build/certs/blockcast-modsign.crt (public cert; CN "Blockcast AMT Module Signing Key"; private key held as org secret BLOCKCAST_MODULE_SIGNING_KEY) - set CONFIG_SYSTEM_TRUSTED_KEYS="certs/blockcast-modsign.crt" (amd64+arm64) kernel/build/pkg.yaml already `cp /pkg/certs/* certs/`, so the cert lands at certs/blockcast-modsign.crt in the kernel tree. The throw-away CONFIG_MODULE_SIG_KEY is unchanged (Talos's own modules still verify); this only ADDS the Blockcast key. Pairs with re-enabling signing in linux-amt's amt-kmod build using the same key. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Pin the kernel to Linux 6.18.34 (Pkgfile version + sha256/sha512) and regenerate config-amd64 to match. Add CONFIG_STATIC_USERMODEHELPER and CONFIG_PAGE_TABLE_CHECK_ENFORCED to filter-hardened-check IGNORE_VIOLATIONS since the deployed Sidero stock kernel runs without them and enabling is unproven on these Talos VMs. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
Paperclip triage owner: BLO-12691 (https://paperclip.blockcast.net/BLO/issues/BLO-12691). Disposition: fix/drive CI, not stale. Current blocker is the |
|
Paperclip review update for /BLO/issues/BLO-12691: The red Separate Staff review blocker: the kernel-trust change is not yet narrow. The diff rolls |
Restore unrelated kernel version, generated amd64 config drift, and hardened-check ignore changes from main. Keep only the public Blockcast module-signing certificate in SYSTEM_TRUSTED_KEYS for amd64 and arm64. Co-Authored-By: Paperclip <noreply@paperclip.ing>
Drift review for BLO-12691I reduced PR #3 back to the narrow module-signing trust path requested by BLO-12699.
Validation note: the latest |
This reverts commit 287cef5, restoring the deployed, empirically-validated lineage: - SYSTEM_TRUSTED_KEYS is a proven dead end on this build: the compiled kernel ships CONFIG_SYSTEM_TRUSTED_KEYS="" even though olddefconfig/ syncconfig preserve the value in config-amd64 (verified twice on the ct2 rebuild, cache-busted; /proc/keys on the booted node held only the Sidero throw-away key → amt.ko EKEYREJECTED). The working mechanism is CONFIG_MODULE_SIG_KEY="certs/blockcast_signing_key.pem" (custom path disables the certs/Makefile throw-away regen; kernel embeds the cert in .builtin_trusted_keys by construction). See 2026-06-24-amt-kmod-production-runbook.md (ct2/ct3 walls). - The 6.18.34→6.18.35 bump orphans the signed amt-kmod extension built for 6.18.34-talos (vermagic + module path) and desyncs this branch from the kernel actually deployed on the data nodes (ct4/signed6). Signed-off-by: Omar Ramadan <omar@blockcast.net>
GTM BGP-MVPN IR leaves receive replicated multicast as a single-label MPLS frame (the leaf's own advertised I-PMSI label, PHP'd transport). Enable the kernel disposition path (CONFIG_MPLS_ROUTING) so the node pops it natively via 'ip -f mpls route add <label> dev lo' instead of an XDP program; CONFIG_MPLS_IPTUNNEL for the encap direction. Both =y (builtin) to sidestep the Talos imager module-curation trap that bit amt.ko. CONFIG_MPLS/NET_MPLS_GSO were already =y; LWTUNNEL=y satisfies the iptunnel dependency. BLO-8371. Signed-off-by: Omar Ramadan <omar@blockcast.net> (cherry picked from commit d5c46ac)
cdn.kernel.org evicted the linux-6.18.34.tar.xz release tarball (superseded by 6.18.35), 404ing the pinned source. Staying on 6.18.34 is deliberate: the deployed amt-kmod extension is built and signed for 6.18.34-talos, and this branch's ct-lineage kernel is the one proven under module.sig_enforce=1. Switch the source to the git.kernel.org stable snapshot of the v6.18.34 tag (content-verified: Makefile VERSION/PATCHLEVEL/SUBLEVEL = 6.18.34) and re-pin its hashes. NOTE: snapshot tarballs are generated on demand and their hashes can rotate with kernel.org infra changes — if this pin ever mismatches, re-verify content and re-pin. BLO-8371. Signed-off-by: Omar Ramadan <omar@blockcast.net> (cherry picked from commit 7a1448f)
|
Pushed three commits on top of 287cef5:
Branch tip now matches |
There was a problem hiding this comment.
Ally — Consolidated PR Review
Lenses: pr-review-toolkit (code, tests, comments, errors, types) + gstack/review + native-codex.
Critical Issues (2)
-
[native-codex]
Pkgfile:106—linux_versionis silently downgraded from6.18.35(current value onmain) to6.18.34, with matching sha256/sha512 changes. This is not mentioned anywhere in the PR description, which is scoped entirely to trusting the Blockcast module-signing cert. Merging this PR would revert the kernel to an older point release for both amd64 and arm64. This also explains the ~350-line unrelated churn inkernel/build/config-amd64(ACPI, crypto, tracing options flippingm↔y, hardening flags changing) — that's fallout from the version downgrade, not from the stated cert-trust change. Recommend rebasing onto currentmain(which already has6.18.35) so the diff only contains the intendedCONFIG_SYSTEM_TRUSTED_KEYS+ cert addition. -
[native-codex]
kernel/build/config-amd64:7239—CONFIG_MODULE_SIG_KEYis changed from"certs/signing_key.pem"to"certs/blockcast_signing_key.pem", but no file with that name exists anywhere in the repo (only the publickernel/build/certs/blockcast-modsign.crtwas added by this PR; verified against both the PR head andmain). This directly contradicts the PR description's claim: "Throw-awayCONFIG_MODULE_SIG_KEYunchanged." The kernel'scerts/Makefileonly auto-generates the signing key whenCONFIG_MODULE_SIG_KEYis literally the default"certs/signing_key.pem"; a custom path that doesn't exist will fail the amd64 build at the module-signing step. Note this is amd64-only —config-arm64correctly leavesCONFIG_MODULE_SIG_KEY="certs/signing_key.pem"untouched, so this looks like an accidental edit (e.g. a leftover from local testing) rather than an intentional platform-specific difference.
Important Issues (1)
- [native-codex]
kernel/prepare/pkg.yaml— the kernel source download is switched from the officialcdn.kernel.orgrelease tarball (linux-{{version}}.tar.xz) to agit.kernel.orggit-snapshot tarball (linux-{{version}}.tar.gz). This is a supply-chain-relevant change (different artifact provenance/format) bundled into a security-focused PR without any mention in the description. The sha256/sha512 pins mitigate integrity risk, but the rationale for switching source/format isn't explained — worth calling out explicitly or splitting into its own PR.
Strengths
kernel/build/scripts/filter-hardened-check.py— the two new hardening-checker exceptions (CONFIG_STATIC_USERMODEHELPER,CONFIG_PAGE_TABLE_CHECK_ENFORCED) are each given a specific, sourced rationale tying them to the deployed Sidero stock kernel config, rather than silently suppressing the check.- The core intended change (
CONFIG_SYSTEM_TRUSTED_KEYS="certs/blockcast-modsign.crt"+ the new public cert) is correctly applied on bothconfig-amd64andconfig-arm64, matches the statedEKEYREJECTEDroot cause, and only adds a trust anchor rather than replacing the existing throw-away signing setup.
Recommended Action
- Rebase onto current
mainto drop the accidental6.18.35→6.18.34downgrade and the resulting unrelated config churn. - Revert the
CONFIG_MODULE_SIG_KEYchange onconfig-amd64back to"certs/signing_key.pem"(or add the missingblockcast_signing_key.pemif a key rename was actually intended) before merge. - Either justify the
pkg.yamlsource/format switch in the PR description or split it into a separate change.
|
Closing as superseded by #4 and #7. Disposition of Ally review 4628256791:
PR #3 is no longer mergeable as useful work: compared with current main it would remove the ct6 mroute/PIM flags and the proof workflows now shipped by #4. |
Problem
A freshly-imaged Talos node from
installer:v1.13.4-amtrejects the signedamt.koundermodule.sig_enforce=1:Its
.builtin_trusted_keyskeyring holds onlySidero Labs … Build time throw-away kernel key— the Blockcast cert that signedamt.kois not trusted. The 2026-06-17 signed-kernel design never wired the kernel-trust half (CONFIG_SYSTEM_TRUSTED_KEYS="").Fix
kernel/build/certs/blockcast-modsign.crt(public cert; private key = org secretBLOCKCAST_MODULE_SIGNING_KEY, scoped topkgs+linux-amt).CONFIG_SYSTEM_TRUSTED_KEYS="certs/blockcast-modsign.crt"(amd64+arm64).kernel/build/pkg.yamlalready copies/pkg/certs/*into the kernel tree.CONFIG_MODULE_SIG_KEYunchanged (Talos's own modules still verify); this only ADDS the Blockcast key to the trusted keyring.Pairs with
BLOCKCAST_MODULE_SIGNING_KEY(currently the Dockerfile disables signing).build-amt-kernel-pkgworkflow to rebuildkernel:<ver>-amt(currently missing).Verify: rebuild kernel→installer→signed-installer, re-image k8s-data-4,
talosctl patch mc machine.kernel.modules:[{name:amt}]→amtappears in/proc/modules.🤖 Generated with Claude Code