@@ -99,6 +99,21 @@ The YAML below will add the public/private key-pair as secrets with the required
9999It will then pull down the ` unsignedImage ` image, open it up, sign the kernel modules listed in ` filesToSign ` , add them
100100back and push the resulting image as ` containerImage ` .
101101
102+ ## Specifying files to sign (filesToSign)
103+
104+ When the ` sign ` section is set, ` filesToSign ` is ** required** . You can specify either:
105+
106+ - ** Explicit full paths** — One or more absolute paths to kernel module files (` .ko ` ) inside the image, for example:
107+ - ` /opt/lib/modules/${KERNEL_FULL_VERSION}/my-kmod.ko `
108+ - ** Glob patterns** — Any pattern supported by the ** Bash shell** (used in the sign container). The shell expands each
109+ entry at sign time, so you can match multiple modules with a single entry. Examples:
110+ - ` /opt/lib/modules/${KERNEL_FULL_VERSION}/*.ko ` — sign all ` .ko ` files in that directory
111+ - ` /opt/lib/modules/${KERNEL_FULL_VERSION}/kmm_ci_?.ko ` — sign modules matching that pattern (e.g. ` kmm_ci_a.ko ` , ` kmm_ci_b.ko ` )
112+ - ` /opt/lib/modules/${KERNEL_FULL_VERSION}/driver-[abc].ko ` — sign ` driver-a.ko ` , ` driver-b.ko ` , or ` driver-c.ko `
113+ - ` /opt/lib/modules/${KERNEL_FULL_VERSION}/mod-[0-9].ko ` — sign ` mod-0.ko ` through ` mod-9.ko `
114+
115+ All paths in ` filesToSign ` must be under the directory defined by ** ` dirName ` ** in the same ` moduleLoader.container.modprobe ` (default ` /opt ` ).
116+
102117KMM should then load the signed kmods onto all the nodes with that match the selector.
103118The kmods should be successfully loaded on any nodes that have the public key in their MOK database, and any nodes that
104119are not secure-boot enabled (which will just ignore the signature).
@@ -134,7 +149,7 @@ spec:
134149 name : <private key secret name>
135150 certSecret : # a secret holding the public secureboot key with the key 'cert'
136151 name : <certificate secret name>
137- filesToSign : # full path within the unsignedImage container to the kmod (s) to sign
152+ filesToSign : # full path(s) or Bash shell glob (s) under dirName, see "Specifying files to sign" above
138153 - /opt/lib/modules/4.18.0-348.2.1.el8_5.x86_64/kmm_ci_a.ko
139154 imageRepoSecret :
140155 # the name of a secret containing credentials to pull unsignedImage and push containerImage to the registry
0 commit comments