From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: Date: Tue, 30 Mar 2021 10:57:56 +0200 From: Marc Kleine-Budde Message-ID: <20210330085756.sazoqoqjltlbqzcr@pengutronix.de> References: <968ee15dc49b1c81d53ef8b28f8d4c0eb50b88d4.camel@diehl.com> <20210330075346.GA4162561@pengutronix.de> <20210330082240.qdw6w6q7zkthhwj2@pengutronix.de> <20210330083941.GA12201@pengutronix.de> MIME-Version: 1.0 In-Reply-To: <20210330083941.GA12201@pengutronix.de> Subject: Re: [ptxdist] [PATCH] kernel: do not strip signed modules List-Id: PTXdist Development Mailing List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: ptxdist@pengutronix.de Content-Type: multipart/mixed; boundary="===============0099751937==" Errors-To: ptxdist-bounces@pengutronix.de Sender: "ptxdist" To: "ptxdist@pengutronix.de" , Denis Osterland-Heim --===============0099751937== Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="e74u435x2yfrk3ny" Content-Disposition: inline --e74u435x2yfrk3ny Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 30.03.2021 10:39:41, Michael Olbrich wrote: > On Tue, Mar 30, 2021 at 10:22:40AM +0200, Marc Kleine-Budde wrote: > > On 30.03.2021 09:53:46, Michael Olbrich wrote: > > > On Tue, Mar 30, 2021 at 06:08:10AM +0000, Denis Osterland-Heim wrote: > > > > If CONFIG_MODULE_SIG_ALL is set in kernelconfig then modules will be > > > > automatically signed during the modules_install phase of a kernel b= uild. > > > >=20 > > > > Signed modules are BRITTLE as the signature is outside of the defin= ed ELF > > > > container. Thus they MAY NOT be stripped once the signature is comp= uted > > > > and attached. Note the entire module is the signed payload, includi= ng any > > > > and all debug information present at the time of signing. > > >=20 > > > Hmm, we had the same issue at some point. The solution was a local c= opy of > > > the shell code that does the stripping and installing. I think we add= ed > > > some code to sign the Modules again. > > > The result was nice, but the whole thing was rather invasive and makes > > > assumptions on how the module signing works internally in the kernel. > > > So it was not something that I wanted to merge mainline that way. > > >=20 > > > In general, I like this approach better. But there are two issues wit= h it. > > >=20 > > > 1. There are redundant options and if the uses gets it wrong then it = wont > > > fail at build time. We can get this from the kernelconfig: > > > '$(shell ptxd_get_kconfig $(KERNEL_CONFIG) CONFIG_MODULE_SIG_ALL)' I = think. > > > But we have to make sure that it's not evaluated too early. To avoid > > > slowing down ptxdist startup. > > >=20 > > > 2. The modules are not stripped at all. So we should set > > > INSTALL_MOD_STRIP=3D1 in this case. > > >=20 > > > Marc, what do you think? > >=20 > > The current diff for module re-signing looks like this: > >=20 > > | # $1: file to strip > > | # > > | # $strip: k for kernel modules > > | @@ -425,8 +15,26 @@ ptxd_install_file_strip() { > > | esac > > | =20 > > | files=3D( "${sdirs[@]/%/${dst}}" ) > > | install -d "${files[0]%/*}" && > > | "${strip_cmd[@]}" -o "${files[0]}" "${src}" && > > | + if [ "${strip}" =3D "k" -a -e "${pkg_build_dir}/scripts/sign-fil= e" -a -n "${CONFIG_MODULE_SIG_KEY}" ]; then > > | + local sig_hash > > | + > > | + sig_hash=3D"$(ptxd_get_kconfig "${pkg_config}" CONFIG_MODULE_= SIG_HASH)" || return > > | + > > | + echo "sign module:" > > | + echo " file=3D$(ptxd_print_path ${files[0]})" > > | + echo " key=3D${CONFIG_MODULE_SIG_KEY}" > > | + echo " cert=3D$(ptxd_print_path ${pkg_build_dir}/certs/signi= ng_key.x509)" > > | + echo " hash=3D${sig_hash}" > > | + echo > > | + "${pkg_build_dir}/scripts/sign-file" \ > > | + "${sig_hash}" \ > > | + "${CONFIG_MODULE_SIG_KEY}" \ > > | + "${pkg_build_dir}/certs/signing_key.x509" \ > > | + "${files[0]}" || return > > | + fi > > | + > > | for (( i=3D1 ; ${i} < ${#files[@]} ; i=3D$[i+1] )); do > > | install -m "${mod_rw}" -D "${files[0]}" "${files[${i}]}" || r= eturn > > | done && > > | @@ -443,658 +51,3 @@ ptxd_install_file_strip() { > > | fi > > | } > >=20 > > If we don't want to re-sign, we can use the above "if [ "${strip}" =3D = "k" > > -a ... ]" and don't strip. This means no changes in the kernel.make > > files are needed. >=20 > I'm pretty sure, that we modified something to get CONFIG_MODULE_SIG_KEY > defined in this context. KERNEL_CONF_ENV =3D \ $(CODE_SIGNING_ENV) \ CONFIG_MODULE_SIG_KEY=3D'$(shell cs_get_uri evm)' =20 > And depending on scripts/sign-file is definitely not something I want to = do > here. We have to call scripts/sign-file to sign modules :) Marc --=20 Pengutronix e.K. | Marc Kleine-Budde | Embedded Linux | https://www.pengutronix.de | Vertretung West/Dortmund | Phone: +49-231-2826-924 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | --e74u435x2yfrk3ny Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQEzBAABCgAdFiEEK3kIWJt9yTYMP3ehqclaivrt76kFAmBi6BEACgkQqclaivrt 76kYsQf+JV/ociBd6zYqLtZ09m93T8Bzc3NRV7TqIBZ2nyibHIDafigXcG7WAy+9 eZ9zAgUEB+drgVyNZwj3seUt5iYiG7Qv2TI+JhSks6u7UZOdGe2hUGid/AhoBuip EUGSZIhr0CHQ5OJg4dh14ZMOhvcqCj/62PleEvkeriq5gB/t+w9U/2FdhNLgDMKW cvhsPKusu9PtXuhiU+odHQgNQg1/HjFGt9Y9MGej+jXcf/B3MZvZz5qm9rH7kHw0 LzPh94NaQGDCJiN3CZeqpfPhvYdCny2KqY8K0elHt0p9waKdIec0QirZGyX00wBe +yDp+OxbWWXVgCOEiOwZ2QrIC2eOeA== =2NGJ -----END PGP SIGNATURE----- --e74u435x2yfrk3ny-- --===============0099751937== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de --===============0099751937==--