On 30.03.2021 09:53:46, Michael Olbrich wrote:
> On Tue, Mar 30, 2021 at 06:08:10AM +0000, Denis Osterland-Heim wrote:
> > If CONFIG_MODULE_SIG_ALL is set in kernelconfig then modules will be
> > automatically signed during the modules_install phase of a kernel build.
> > 
> > Signed modules are BRITTLE as the signature is outside of the defined ELF
> > container. Thus they MAY NOT be stripped once the signature is computed
> > and attached. Note the entire module is the signed payload, including any
> > and all debug information present at the time of signing.
> 
> Hmm, we had the same  issue at some point. The solution was a local copy of
> the shell code that does the stripping and installing. I think we added
> some code to sign the Modules again.
> The result was nice, but the whole thing was rather invasive and makes
> assumptions on how the module signing works internally in the kernel.
> So it was not something that I wanted to merge mainline that way.
> 
> In general, I like this approach better. But there are two issues with it.
> 
> 1. There are redundant options and if the uses gets it wrong then it wont
> fail at build time. We can get this from the kernelconfig:
> '$(shell ptxd_get_kconfig $(KERNEL_CONFIG) CONFIG_MODULE_SIG_ALL)' I think.
> But we have to make sure that it's not evaluated too early. To avoid
> slowing down ptxdist startup.
> 
> 2. The modules are not stripped at all. So we should set
> INSTALL_MOD_STRIP=1 in this case.
> 
> Marc, what do you think?

The current diff for module re-signing looks like this:

|  # $1: file to strip
|  #
|  # $strip: k for kernel modules
| @@ -425,8 +15,26 @@ ptxd_install_file_strip() {
|      esac
|  
|      files=( "${sdirs[@]/%/${dst}}" )
|      install -d "${files[0]%/*}" &&
|      "${strip_cmd[@]}" -o "${files[0]}" "${src}" &&
| +    if [ "${strip}" = "k" -a -e "${pkg_build_dir}/scripts/sign-file" -a -n "${CONFIG_MODULE_SIG_KEY}" ]; then
| +       local sig_hash
| +
| +       sig_hash="$(ptxd_get_kconfig "${pkg_config}" CONFIG_MODULE_SIG_HASH)" || return
| +
| +       echo "sign module:"
| +       echo "  file=$(ptxd_print_path ${files[0]})"
| +       echo "  key=${CONFIG_MODULE_SIG_KEY}"
| +       echo "  cert=$(ptxd_print_path ${pkg_build_dir}/certs/signing_key.x509)"
| +       echo "  hash=${sig_hash}"
| +       echo
| +       "${pkg_build_dir}/scripts/sign-file" \
| +           "${sig_hash}" \
| +           "${CONFIG_MODULE_SIG_KEY}" \
| +           "${pkg_build_dir}/certs/signing_key.x509" \
| +           "${files[0]}" || return
| +    fi
| +
|      for (( i=1 ; ${i} < ${#files[@]} ; i=$[i+1] )); do
|         install -m "${mod_rw}" -D "${files[0]}" "${files[${i}]}" || return
|      done &&
| @@ -443,658 +51,3 @@ ptxd_install_file_strip() {
|      fi
|  }

If we don't want to re-sign, we can use the above "if [ "${strip}" = "k"
-a ... ]" and don't strip. This means no changes in the kernel.make
files are needed.

Marc

-- 
Pengutronix e.K.                 | Marc Kleine-Budde           |
Embedded Linux                   | https://www.pengutronix.de  |
Vertretung West/Dortmund         | Phone: +49-231-2826-924     |
Amtsgericht Hildesheim, HRA 2686 | Fax:   +49-5121-206917-5555 |