On 30.03.2021 10:39:41, Michael Olbrich wrote: > On Tue, Mar 30, 2021 at 10:22:40AM +0200, Marc Kleine-Budde wrote: > > On 30.03.2021 09:53:46, Michael Olbrich wrote: > > > On Tue, Mar 30, 2021 at 06:08:10AM +0000, Denis Osterland-Heim wrote: > > > > If CONFIG_MODULE_SIG_ALL is set in kernelconfig then modules will be > > > > automatically signed during the modules_install phase of a kernel build. > > > > > > > > Signed modules are BRITTLE as the signature is outside of the defined ELF > > > > container. Thus they MAY NOT be stripped once the signature is computed > > > > and attached. Note the entire module is the signed payload, including any > > > > and all debug information present at the time of signing. > > > > > > Hmm, we had the same issue at some point. The solution was a local copy of > > > the shell code that does the stripping and installing. I think we added > > > some code to sign the Modules again. > > > The result was nice, but the whole thing was rather invasive and makes > > > assumptions on how the module signing works internally in the kernel. > > > So it was not something that I wanted to merge mainline that way. > > > > > > In general, I like this approach better. But there are two issues with it. > > > > > > 1. There are redundant options and if the uses gets it wrong then it wont > > > fail at build time. We can get this from the kernelconfig: > > > '$(shell ptxd_get_kconfig $(KERNEL_CONFIG) CONFIG_MODULE_SIG_ALL)' I think. > > > But we have to make sure that it's not evaluated too early. To avoid > > > slowing down ptxdist startup. > > > > > > 2. The modules are not stripped at all. So we should set > > > INSTALL_MOD_STRIP=1 in this case. > > > > > > Marc, what do you think? > > > > The current diff for module re-signing looks like this: > > > > | # $1: file to strip > > | # > > | # $strip: k for kernel modules > > | @@ -425,8 +15,26 @@ ptxd_install_file_strip() { > > | esac > > | > > | files=( "${sdirs[@]/%/${dst}}" ) > > | install -d "${files[0]%/*}" && > > | "${strip_cmd[@]}" -o "${files[0]}" "${src}" && > > | + if [ "${strip}" = "k" -a -e "${pkg_build_dir}/scripts/sign-file" -a -n "${CONFIG_MODULE_SIG_KEY}" ]; then > > | + local sig_hash > > | + > > | + sig_hash="$(ptxd_get_kconfig "${pkg_config}" CONFIG_MODULE_SIG_HASH)" || return > > | + > > | + echo "sign module:" > > | + echo " file=$(ptxd_print_path ${files[0]})" > > | + echo " key=${CONFIG_MODULE_SIG_KEY}" > > | + echo " cert=$(ptxd_print_path ${pkg_build_dir}/certs/signing_key.x509)" > > | + echo " hash=${sig_hash}" > > | + echo > > | + "${pkg_build_dir}/scripts/sign-file" \ > > | + "${sig_hash}" \ > > | + "${CONFIG_MODULE_SIG_KEY}" \ > > | + "${pkg_build_dir}/certs/signing_key.x509" \ > > | + "${files[0]}" || return > > | + fi > > | + > > | for (( i=1 ; ${i} < ${#files[@]} ; i=$[i+1] )); do > > | install -m "${mod_rw}" -D "${files[0]}" "${files[${i}]}" || return > > | done && > > | @@ -443,658 +51,3 @@ ptxd_install_file_strip() { > > | fi > > | } > > > > If we don't want to re-sign, we can use the above "if [ "${strip}" = "k" > > -a ... ]" and don't strip. This means no changes in the kernel.make > > files are needed. > > I'm pretty sure, that we modified something to get CONFIG_MODULE_SIG_KEY > defined in this context. KERNEL_CONF_ENV = \ $(CODE_SIGNING_ENV) \ CONFIG_MODULE_SIG_KEY='$(shell cs_get_uri evm)' > And depending on scripts/sign-file is definitely not something I want to do > here. We have to call scripts/sign-file to sign modules :) Marc -- Pengutronix e.K. | Marc Kleine-Budde | Embedded Linux | https://www.pengutronix.de | Vertretung West/Dortmund | Phone: +49-231-2826-924 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |