On Thu, Aug 2, 2018 at 9:54 AM, Ocampo Coronado, Omar
<omar.ocampo.coron...@intel.com> wrote:
> Neither 'nm' nor 'readelf' provides a symbol that we can use to strip.
> I'm having a hard time reading kernel-source/scripts/sign-file.c and
> working out exactly how the signing works and what bytes are being added,
> so we can avoid stripping them.
>
> Looking into dracut, they simply avoid stripping signed modules:
>         From dracut.sh:1671 # strip kernel modules, but do not touch signed modules
>
> Perhaps we can do the same as dracut within meta/lib/oe/package.py.

Some more information here:

  
https://www.kernel.org/doc/html/v4.17/admin-guide/module-signing.html#signed-modules-and-stripping

It looks like signed kernel modules can't be stripped at all. The
packaging code should probably be updated to detect signed modules and
then leave them alone.

> -----Original Message-----
> From: richard.pur...@linuxfoundation.org 
> [mailto:richard.pur...@linuxfoundation.org]
> Sent: Thursday, August 2, 2018 4:19 AM
> To: Ocampo Coronado, Omar <omar.ocampo.coron...@intel.com>; 
> openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core] Strip kernel modules and signatures
>
> On Wed, 2018-08-01 at 22:46 +0000, Ocampo Coronado, Omar wrote:
>> Hello OE,
>>
>> While attempting to sign our kernel modules (using the kernel
>> configuration CONFIG_MODULE_SIG) the drivers in our image did not
>> have the signature, even though the certificate was being loaded by the
>> kernel or the driver being signed during do_install().
>>
>> Turns out package.bbclass, while it skips creating debug info files,
>> does strip the kernel module files:
>>
>> python split_and_strip_files () {
>>       ...
>>       ...
>>               for f in kernmods:
>>                           sfiles.append((f, 16, strip))
>>
>>         oe.utils.multiprocess_exec(sfiles, oe.package.runstrip)
>>     #
>>     # End of strip
>>     #
>>     os.chdir(oldcwd)
>> }
>>
>> The strip is required for many reasons yet it removes the signature
>> which we want to preserve in this scenario.
>> To work around this issue add
>>      INHIBIT_PACKAGE_STRIP = "1"
>>      either on your virtual/kernel bb file or driver bb file.
>>
>> Hope this helps someone in the future when adding signature to files,
>> perhaps including this into the Yocto kernel development manual.
>
> The code which handles kernel module stripping is in
> meta/lib/oe/package.py:
>
> stripcmd.extend(["--strip-debug", "--remove-section=.comment",
>             "--remove-section=.note", "--preserve-dates"])
>
> It would be good to see what we'd have to do to tweak that to work for signed 
> modules.
>
> Cheers,
>
> Richard
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
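
One way packaging code could detect signed modules before stripping, as an added example that is not part of the original thread or of OE-core: it looks for the trailer that the kernel's sign-file appends (signature data, a 12-byte struct module_signature, then a magic string). The function names and the sample bytes are constructed for illustration.

```python
import struct

# Marker that scripts/sign-file writes as the very last bytes of a signed module.
MAGIC = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# three pad bytes, then the signature length as a big-endian u32.
SIG_INFO = struct.Struct(">5B3xI")


def signature_info(data):
    """Return (module_len, sig_len) if data ends in a signature trailer, else None."""
    if not data.endswith(MAGIC):
        return None
    info_end = len(data) - len(MAGIC)
    info_start = info_end - SIG_INFO.size
    if info_start < 0:
        return None
    sig_len = SIG_INFO.unpack(data[info_start:info_end])[-1]
    if sig_len > info_start:
        return None  # magic present, but the length field cannot be right
    return info_start - sig_len, sig_len


def is_signed_module(path):
    """Cheap check for a packaging step: read only the tail of the file."""
    with open(path, "rb") as f:
        f.seek(0, 2)  # jump to end of file
        f.seek(max(0, f.tell() - len(MAGIC)))
        return f.read() == MAGIC


def modules_to_strip(paths):
    """Hypothetical filter: keep only modules that carry no signature."""
    return [p for p in paths if not is_signed_module(p)]


# Constructed sample: placeholder ELF bytes plus a 16-byte dummy signature.
UNSIGNED = b"\x7fELF" + b"\x00" * 60
SIGNED = UNSIGNED + b"\xaa" * 16 + SIG_INFO.pack(0, 0, 2, 0, 0, 16) + MAGIC

if __name__ == "__main__":
    print(signature_info(SIGNED), signature_info(UNSIGNED))
```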