* [ptxdist] [PATCH v3] kernel: proper handle signed modules
@ 2021-03-31 11:37 Denis Osterland-Heim
  2021-04-01  5:59 ` Michael Olbrich
From: Denis Osterland-Heim @ 2021-03-31 11:37 UTC
  To: ptxdist

[-- Attachment #2: 20210331113525.22330-1-denis.osterland.mbox --]
[-- Type: application/mbox, Size: 2658 bytes --]

* Re: [ptxdist] [PATCH v3] kernel: proper handle signed modules 2021-03-31 11:37 [ptxdist] [PATCH v3] kernel: proper handle signed modules Denis Osterland-Heim @ 2021-04-01 5:59 ` Michael Olbrich 2021-04-01 6:54 ` Marc Kleine-Budde 0 siblings, 1 reply; 3+ messages in thread From: Michael Olbrich @ 2021-04-01 5:59 UTC (permalink / raw) To: ptxdist; +Cc: Marc Kleine-Budde On Wed, Mar 31, 2021 at 11:37:11AM +0000, Denis Osterland-Heim wrote: > If CONFIG_MODULE_SIG_ALL is set in kernelconfig then modules will be > automatically signed during the modules_install phase of a kernel build. > > Signed modules are BRITTLE as the signature is outside of the defined ELF > container. Thus they MAY NOT be stripped once the signature is computed > and attached. Note the entire module is the signed payload, including any > and all debug information present at the time of signing. > > See: https://www.kernel.org/doc/html/latest/admin-guide/module-signing.html > Signed-off-by: Denis Osterland-Heim <denis.osterland@diehl.com> > --- > v2 -> v3: > - move TARGET_COMPILER_RECORD_SWITCHES to PTXDIST_LOWLEVEL_WRAPPER_BLACKLIST Marc, what do you think? > > rules/kernel.make | 3 ++- > rules/pre/kernel.make | 3 ++- > 2 files changed, 4 insertions(+), 2 deletions(-) > > diff --git a/rules/kernel.make b/rules/kernel.make > index ea748fc8a..2b564612b 100644 > --- a/rules/kernel.make > +++ b/rules/kernel.make > @@ -61,6 +61,7 @@ KERNEL_BASE_OPT := \ > CROSS_COMPILE=$(KERNEL_CROSS_COMPILE) \ > DEPMOD=$(PTXDIST_SYSROOT_HOST)/sbin/depmod \ > \ > + INSTALL_MOD_STRIP=1 \ > INSTALL_MOD_PATH=$(KERNEL_PKGDIR) \ > PTX_KERNEL_DIR=$(KERNEL_DIR) \ > $(call remove_quotes,$(PTXCONF_KERNEL_EXTRA_MAKEVARS)) 
> @@ -313,7 +314,7 @@ ifdef PTXCONF_KERNEL_MODULES_INSTALL > @$(call install_fixup, kernel-modules, AUTHOR,"Robert Schwebel <r.schwebel@pengutronix.de>") > @$(call install_fixup, kernel-modules, DESCRIPTION,missing) > > - @$(call install_glob, kernel-modules, 0, 0, -, /lib/modules, *.ko,, k) > + @$(call install_glob, kernel-modules, 0, 0, -, /lib/modules, *.ko,, n) We should do the same thing for the kernel template. But I'll take care of that. There is some cleanup that I want to do anyways in that area. Michael > @$(call install_glob, kernel-modules, 0, 0, -, /lib/modules,, *.ko */build */source, n) > > @$(call install_finish, kernel-modules) > diff --git a/rules/pre/kernel.make b/rules/pre/kernel.make > index df53020aa..fb38d416d 100644 > --- a/rules/pre/kernel.make > +++ b/rules/pre/kernel.make > @@ -85,7 +85,8 @@ PTXDIST_LOWLEVEL_WRAPPER_BLACKLIST := \ > TARGET_HARDEN_PIE \ > TARGET_HARDEN_GLIBCXX_ASSERTIONS \ > TARGET_DEBUG \ > - TARGET_BUILD_ID > + TARGET_BUILD_ID \ > + TARGET_COMPILER_RECORD_SWITCHES > > # > # handle special compiler > -- > 2.31.1 > > _______________________________________________ > ptxdist mailing list > ptxdist@pengutronix.de > To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de ^ permalink raw reply [flat|nested] 3+ messages in thread
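Review bot: in rules/kernel.make, the new `INSTALL_MOD_STRIP=1` entry in KERNEL_BASE_OPT carries no comment and is set unconditionally, while the commit message only talks about CONFIG_MODULE_SIG_ALL. Please add a line above it saying that stripping is delegated to the kernel's modules_install step rather than done afterwards, and that it pairs with the `n` strip argument of the kernel-modules `*.ko` install_glob call, so the two are not changed independently later. The commit message should also state that unsigned builds are affected by this switch as well.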
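Review bot: in the kernel-modules install stage (second hunk of rules/kernel.make), the last argument of the `*.ko` install_glob changes from `k` to `n` with nothing in the file saying why, so a later cleanup could switch it back and strip signed modules after signing again. A one-line comment above the call would prevent that. Since the reply notes that the kernel template still needs the same change, the commit message should say that template-based kernel rules are not covered by this patch.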
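Review bot: in rules/pre/kernel.make, adding TARGET_COMPILER_RECORD_SWITCHES to PTXDIST_LOWLEVEL_WRAPPER_BLACKLIST is not explained in the commit message; it is only mentioned in the v2 -> v3 changelog below the `---`, which is dropped when the patch is applied. Please add a sentence to the commit message on why this wrapper option has to be disabled for the kernel build and how it relates to the signed-module handling, or split it into its own commit if it is independent.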
* Re: [ptxdist] [PATCH v3] kernel: proper handle signed modules
  2021-04-01  5:59 ` Michael Olbrich
@ 2021-04-01  6:54   ` Marc Kleine-Budde
From: Marc Kleine-Budde @ 2021-04-01  6:54 UTC
  To: ptxdist

On 4/1/21 7:59 AM, Michael Olbrich wrote:
> On Wed, Mar 31, 2021 at 11:37:11AM +0000, Denis Osterland-Heim wrote:
>> If CONFIG_MODULE_SIG_ALL is set in kernelconfig then modules will be
>> automatically signed during the modules_install phase of a kernel build.
>>
>> Signed modules are BRITTLE as the signature is outside of the defined ELF
>> container. Thus they MAY NOT be stripped once the signature is computed
>> and attached. Note the entire module is the signed payload, including any
>> and all debug information present at the time of signing.
>>
>> See: https://www.kernel.org/doc/html/latest/admin-guide/module-signing.html
>> Signed-off-by: Denis Osterland-Heim <denis.osterland@diehl.com>
>> ---
>> v2 -> v3:
>> - move TARGET_COMPILER_RECORD_SWITCHES to PTXDIST_LOWLEVEL_WRAPPER_BLACKLIST
>
> Marc, what do you think?

lgtm

Marc

-- 
Pengutronix e.K.                 | Marc Kleine-Budde           |
Embedded Linux                   | https://www.pengutronix.de  |
Vertretung West/Dortmund         | Phone: +49-231-2826-924     |
Amtsgericht Hildesheim, HRA 2686 | Fax:   +49-5121-206917-5555 |
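A post-install check for the failure mode the commit message describes, as an added example that is not part of the patch or of ptxdist: it looks for the signature trailer the kernel appends after the ELF image and flags modules that no longer carry it. The sample bytes are constructed, the function names are hypothetical, and the check only confirms that the trailer is present and well-formed; it does not verify the signature.

```python
import struct

# Marker the kernel writes as the very last bytes of a signed module.
MAGIC = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# 3 pad bytes, sig_len (big-endian u32) -> 12 bytes, placed just before MAGIC.
TRAILER = struct.Struct(">BBBBB3xI")


def signature_info(blob: bytes):
    """Return (payload_len, sig_len) if blob ends in a signature trailer, else None."""
    if not blob.endswith(MAGIC):
        return None
    end = len(blob) - len(MAGIC)
    if end < TRAILER.size:
        return None
    _algo, _hash, _id_type, signer_len, key_id_len, sig_len = TRAILER.unpack(
        blob[end - TRAILER.size:end])
    payload_len = end - TRAILER.size - (signer_len + key_id_len + sig_len)
    if sig_len == 0 or payload_len < 0:
        return None  # marker present, but the trailer is inconsistent
    return payload_len, sig_len


def unsigned_modules(modules: dict):
    """Names of modules (name -> file bytes) without a well-formed trailer."""
    return sorted(n for n, b in modules.items() if signature_info(b) is None)


# Constructed sample data: a fake ELF payload and a fake 256-byte signature.
payload = b"\x7fELF" + b"\x00" * 60 + b".debug_info" + b"\x00" * 20
sig = b"\xaa" * 256
signed = payload + sig + TRAILER.pack(0, 0, 2, 0, 0, len(sig)) + MAGIC
# Assumption for illustration: a strip run after signing rewrites the ELF
# image and the appended bytes are lost; modelled by a shortened payload.
stripped_after_signing = payload[:64]

if __name__ == "__main__":
    mods = {"good.ko": signed, "stripped.ko": stripped_after_signing}
    print("modules without signature trailer:", unsigned_modules(mods))
```

Run against the `*.ko` files of the final root filesystem, a non-empty result means something modified the modules after `modules_install` signed them.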