From: Michael Olbrich
Date: Tue, 30 Mar 2021 09:53:46 +0200
To: ptxdist@pengutronix.de
Cc: Denis Osterland-Heim, Marc Kleine-Budde
Subject: Re: [ptxdist] [PATCH] kernel: do not strip signed modules
Message-ID: <20210330075346.GA4162561@pengutronix.de>
In-Reply-To: <968ee15dc49b1c81d53ef8b28f8d4c0eb50b88d4.camel@diehl.com>

On Tue, Mar 30, 2021 at 06:08:10AM +0000, Denis Osterland-Heim wrote:
> If CONFIG_MODULE_SIG_ALL is set in kernelconfig then modules will be
> automatically signed during the modules_install phase of a kernel build.
>
> Signed modules are BRITTLE as the signature is outside of the defined ELF
> container. Thus they MAY NOT be stripped once the signature is computed
> and attached. Note the entire module is the signed payload, including any
> and all debug information present at the time of signing.

Hmm, we had the same issue at some point. The solution was a local copy of
the shell code that does the stripping and installing. I think we added some
code to sign the modules again. The result was nice, but the whole thing was
rather invasive and makes assumptions on how the module signing works
internally in the kernel. So it was not something that I wanted to merge
mainline that way.

In general, I like this approach better. But there are two issues with it.

1. There are redundant options, and if the user gets it wrong then it won't
   fail at build time. We can get this from the kernelconfig:
   '$(shell ptxd_get_kconfig $(KERNEL_CONFIG) CONFIG_MODULE_SIG_ALL)'
   I think. But we have to make sure that it's not evaluated too early, to
   avoid slowing down ptxdist startup.

2. The modules are not stripped at all. So we should set INSTALL_MOD_STRIP=1
   in this case.

Marc, what do you think?

Michael

> See: https://www.kernel.org/doc/html/latest/admin-guide/module-signing.html
> Signed-off-by: Denis Osterland-Heim
> ---
> platforms/kernel.in | 7 +++++++
> rules/kernel.make | 3 ++-
> 2 files changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/platforms/kernel.in b/platforms/kernel.in > index 68899c0f7..8b9473b03 100644 > --- a/platforms/kernel.in > +++ b/platforms/kernel.in > @@ -32,6 +32,13 @@ config KERNEL_MODULES > default y > prompt "build kernel-modules" > > +config KERNEL_MODULES_SIGNED > + bool "kernel-modules are signed on install" > + depends on KERNEL_MODULES > + help > + Set this to y if CONFIG_MODULE_SIG_ALL is y in kernelconfig. > + Otherwise the strip would damage automatically generated signature. > + > config KERNEL_MODULES_INSTALL > bool > default y > diff --git a/rules/kernel.make b/rules/kernel.make > index ea748fc8a..c964bd672 100644 > --- a/rules/kernel.make > +++ b/rules/kernel.make > @@ -313,7 +313,8 @@ ifdef PTXCONF_KERNEL_MODULES_INSTALL > @$(call install_fixup, kernel-modules, AUTHOR,"Robert Schwebel ") > @$(call install_fixup, kernel-modules, DESCRIPTION,missing) > > - @$(call install_glob, kernel-modules, 0, 0, -, /lib/modules, *.ko,, k) > + @$(call install_glob, kernel-modules, 0, 0, -, /lib/modules, *.ko,, \ > + $(call ptx/ifdef,PTXCONF_KERNEL_MODULES_SIGNED,n,k)) > @$(call install_glob, kernel-modules, 0, 0, -, /lib/modules,, *.ko */build */source, n) > > @$(call install_finish, kernel-modules) > -- > 2.31.1 > > _______________________________________________ > ptxdist mailing list > ptxdist@pengutronix.de > To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
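Review bot: in the platforms/kernel.in hunk, the new KERNEL_MODULES_SIGNED prompt restates a fact the kernelconfig already carries (CONFIG_MODULE_SIG_ALL) and nothing checks that the two agree: leaving it at n with signing enabled still strips the modules and silently destroys their signatures, while setting it to y without signing ships unstripped modules, and neither case fails the build. Consider deriving the value from the kernelconfig rather than prompting for it, or at least erroring out when the two disagree. Minor wording in the help text: "Otherwise the strip would damage automatically generated signature" should read "the automatically generated signature".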
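Review bot: in the rules/kernel.make hunk, changing the install_glob strip argument from k to n means signed modules are not stripped at all, so every module ships with whatever debug sections were present at signing time. The strip has to happen before the signature is attached, not be skipped entirely: passing INSTALL_MOD_STRIP=1 to the kernel's modules_install when PTXCONF_KERNEL_MODULES_SIGNED is set lets Kbuild strip first and sign the stripped file, after which the n here is correct because the install step must not touch the files again. The nested "$(call ptx/ifdef,PTXCONF_KERNEL_MODULES_SIGNED,n,k)" inside the install_glob argument list is also hard to read; a helper variable set next to the ifdef block would make the intent clearer.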
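A post-install check for the failure mode the commit message describes, added here as an example and not part of the patch or the ptxdist tree: the kernel's scripts/sign-file appends the signature after the ELF container and ends it with the 28-byte magic string "~Module signature appended~\n", so a module that no longer ends with that string has lost its signature, which is exactly what a strip run after signing produces. The sample files are constructed in a temporary directory and are not real modules; the function and variable names are mine.

```shell
#!/bin/sh
# Added example (not from the ptxdist patch or this thread). Flags kernel
# modules whose appended signature trailer is gone, e.g. because they were
# stripped after modules_install had already signed them.
#
# A signed module is the ELF file followed by the PKCS#7 signature, a small
# struct module_signature and the magic "~Module signature appended~\n".
# strip(1) rewrites the file from its ELF sections, so everything appended
# after the ELF container, the whole signature trailer included, is lost.

SIG_MAGIC='~Module signature appended~'   # trailing "\n" makes it 28 bytes

# module_is_signed FILE -> exit 0 if FILE still ends with the signature magic.
module_is_signed() {
    # $(...) drops the trailing newline, so compare against the bare magic.
    [ "$(tail -c 28 "$1" 2>/dev/null)" = "$SIG_MAGIC" ]
}

# check_modules DIR -> report every *.ko in DIR; exit 1 if any lacks the trailer.
check_modules() {
    rc=0
    for ko in "$1"/*.ko; do
        [ -e "$ko" ] || continue      # no modules in DIR at all
        if module_is_signed "$ko"; then
            echo "signed:   $ko"
        else
            echo "UNSIGNED: $ko (no signature trailer; stripped after signing?)"
            rc=1
        fi
    done
    return $rc
}

# make_samples -> temp dir with two constructed files (not real modules):
# signed.ko = payload + dummy signature block + magic, and stripped.ko = the
# same payload with the trailer cut off, i.e. what strip(1) leaves behind.
make_samples() {
    dir=$(mktemp -d)
    printf 'ELF-ish module payload' > "$dir/signed.ko"
    cp "$dir/signed.ko" "$dir/stripped.ko"
    printf 'dummy PKCS#7 blob + module_signature' >> "$dir/signed.ko"
    printf '%s\n' "$SIG_MAGIC" >> "$dir/signed.ko"
    echo "$dir"
}

if [ $# -gt 0 ]; then
    check_modules "$1"              # e.g. ./check.sh /lib/modules/<version>
else
    check_modules "$(make_samples)" || true   # demo on the constructed files
fi
```

Run against a module directory as shown in the final branch; on the constructed samples it reports signed.ko as signed and stripped.ko as unsigned. The check only looks at the trailer, so it catches the strip-after-sign ordering problem but does not verify the signature itself; that remains the kernel's job at load time.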