Re: [ptxdist] [PATCH] kernel: do not strip signed modules

[Michael Olbrich <m.olbrich@pengutronix.de>]

On Tue, Mar 30, 2021 at 06:08:10AM +0000, Denis Osterland-Heim wrote:
> If CONFIG_MODULE_SIG_ALL is set in kernelconfig then modules will be
> automatically signed during the modules_install phase of a kernel build.
> 
> Signed modules are BRITTLE as the signature is outside of the defined ELF
> container. Thus they MAY NOT be stripped once the signature is computed
> and attached. Note the entire module is the signed payload, including any
> and all debug information present at the time of signing.

Hmm, we had the same  issue at some point. The solution was a local copy of
the shell code that does the stripping and installing. I think we added
some code to sign the Modules again.
The result was nice, but the whole thing was rather invasive and makes
assumptions on how the module signing works internally in the kernel.
So it was not something that I wanted to merge mainline that way.

In general, I like this approach better. But there are two issues with it.

1. There are redundant options and if the uses gets it wrong then it wont
fail at build time. We can get this from the kernelconfig:
'$(shell ptxd_get_kconfig $(KERNEL_CONFIG) CONFIG_MODULE_SIG_ALL)' I think.
But we have to make sure that it's not evaluated too early. To avoid
slowing down ptxdist startup.

2. The modules are not stripped at all. So we should set
INSTALL_MOD_STRIP=1 in this case.

Marc, what do you think?

Michael

> See: https://www.kernel.org/doc/html/latest/admin-guide/module-signing.html
> Signed-off-by: Denis Osterland-Heim <denis.osterland@diehl.com>
> ---
>  platforms/kernel.in | 7 +++++++
>  rules/kernel.make   | 3 ++-
>  2 files changed, 9 insertions(+), 1 deletion(-)
> 
> diff --git a/platforms/kernel.in b/platforms/kernel.in
> index 68899c0f7..8b9473b03 100644
> --- a/platforms/kernel.in
> +++ b/platforms/kernel.in
> @@ -32,6 +32,13 @@ config KERNEL_MODULES
>  	default y
>  	prompt "build kernel-modules"
>  
> +config KERNEL_MODULES_SIGNED
> +	bool "kernel-modules are signed on install"
> +	depends on KERNEL_MODULES
> +	help
> +	  Set this to y if CONFIG_MODULE_SIG_ALL is y in kernelconfig.
> +	  Otherwise the strip would damage automatically generated signature.
> +
>  config KERNEL_MODULES_INSTALL
>  	bool
>  	default y
> diff --git a/rules/kernel.make b/rules/kernel.make
> index ea748fc8a..c964bd672 100644
> --- a/rules/kernel.make
> +++ b/rules/kernel.make
> @@ -313,7 +313,8 @@ ifdef PTXCONF_KERNEL_MODULES_INSTALL
>  	@$(call install_fixup, kernel-modules, AUTHOR,"Robert Schwebel <r.schwebel@pengutronix.de>")
>  	@$(call install_fixup, kernel-modules, DESCRIPTION,missing)
>  
> -	@$(call install_glob, kernel-modules, 0, 0, -, /lib/modules, *.ko,, k)
> +	@$(call install_glob, kernel-modules, 0, 0, -, /lib/modules, *.ko,, \
> +		$(call ptx/ifdef,PTXCONF_KERNEL_MODULES_SIGNED,n,k))
>  	@$(call install_glob, kernel-modules, 0, 0, -, /lib/modules,, *.ko */build */source, n)
>  
>  	@$(call install_finish, kernel-modules)
> -- 
> 2.31.1
> 

> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
> To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de