Skip to content

Commit 1ec2ff1

Browse files
Add documentation for filesToSign wildcard and glob pattern support
Doc update for the new glob support feature when signing kmods - explicit paths and Bash globs paths.
1 parent ba24117 commit 1ec2ff1

2 files changed

Lines changed: 17 additions & 1 deletion

File tree

docs/mkdocs/documentation/deploy_kmod.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -238,6 +238,7 @@ spec:
238238
name: cert-secret # Required
239239
keySecret:
240240
name: key-secret # Required
241+
# Required when sign is set. Use absolute paths or Bash shell absolute globs (e.g. /opt/lib/modules/<kernel-version>/*.ko), see Secure Boot docs.
241242
filesToSign:
242243
- /opt/lib/modules/${KERNEL_FULL_VERSION}/my-kmod.ko
243244
registryTLS:

docs/mkdocs/documentation/secure_boot.md

Lines changed: 16 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -99,6 +99,21 @@ The YAML below will add the public/private key-pair as secrets with the required
9999
It will then pull down the `unsignedImage` image, open it up, sign the kernel modules listed in `filesToSign`, add them
100100
back and push the resulting image as `containerImage`.
101101

102+
## Specifying files to sign (filesToSign)
103+
104+
When the `sign` section is set, `filesToSign` is **required**. You can specify either:
105+
106+
- **Explicit full paths** — One or more absolute paths to kernel module files (`.ko`) inside the image, for example:
107+
- `/opt/lib/modules/${KERNEL_FULL_VERSION}/my-kmod.ko`
108+
- **Glob patterns** — Any pattern supported by the **Bash shell** (used in the sign container). The shell expands each
109+
entry at sign time, so you can match multiple modules with a single entry. Examples:
110+
- `/opt/lib/modules/${KERNEL_FULL_VERSION}/*.ko` — sign all `.ko` files in that directory
111+
- `/opt/lib/modules/${KERNEL_FULL_VERSION}/kmm_ci_?.ko` — sign modules matching that pattern (e.g. `kmm_ci_a.ko`, `kmm_ci_b.ko`)
112+
- `/opt/lib/modules/${KERNEL_FULL_VERSION}/driver-[abc].ko` — sign `driver-a.ko`, `driver-b.ko`, or `driver-c.ko`
113+
- `/opt/lib/modules/${KERNEL_FULL_VERSION}/mod-[0-9].ko` — sign `mod-0.ko` through `mod-9.ko`
114+
115+
All paths in `filesToSign` must be under the directory defined by **`dirName`** in the same `moduleLoader.container.modprobe` (default `/opt`).
116+
102117
KMM should then load the signed kmods onto all the nodes with that match the selector.
103118
The kmods should be successfully loaded on any nodes that have the public key in their MOK database, and any nodes that
104119
are not secure-boot enabled (which will just ignore the signature).
@@ -134,7 +149,7 @@ spec:
134149
name: <private key secret name>
135150
certSecret: # a secret holding the public secureboot key with the key 'cert'
136151
name: <certificate secret name>
137-
filesToSign: # full path within the unsignedImage container to the kmod(s) to sign
152+
filesToSign: # full path(s) or Bash shell glob(s) under dirName, see "Specifying files to sign" above
138153
- /opt/lib/modules/4.18.0-348.2.1.el8_5.x86_64/kmm_ci_a.ko
139154
imageRepoSecret:
140155
# the name of a secret containing credentials to pull unsignedImage and push containerImage to the registry

0 commit comments

Comments
 (0)