On Fri, 3 Aug 2018, omar.ocampo.coron...@intel.com wrote:

From: foocampo <omar.ocampo.coron...@intel.com>

Executing the strip action on kernel modules removes the signature.
It is not possible to strip and keep the signature, therefore avoid
stripping signed kernel modules.

Signed-off-by: foocampo <omar.ocampo.coron...@intel.com>
---
meta/lib/oe/package.py | 10 ++++++++++
1 file changed, 10 insertions(+)

diff --git a/meta/lib/oe/package.py b/meta/lib/oe/package.py
index fa3428ad61..f7d2d3b7c4 100644
--- a/meta/lib/oe/package.py
+++ b/meta/lib/oe/package.py
@@ -24,6 +24,9 @@ def runstrip(arg):

    # kernel module
    if elftype & 16:
+        if is_kernel_module_signed(file):
+            bb.debug(1, "Skip strip on signed module %s" % file)
+            return

It does not look right to me. The above means that signed
KLMs will go into the image with symbols. Or am I not reading
the code correctly?

Where is the signature stored? Is it some kind of ELF NOTE? In
that case you would only need to drop "--remove-section=.note"
from the strip command. I wonder why .notes were stripped in the
first place.

        stripcmd.extend(["--strip-debug", "--remove-section=.comment",
            "--remove-section=.note", "--preserve-dates"])

I suggest splitting the above into two invocations and doing the second,
stripcmd.extend(["--remove-section=.note"]), only for non-signed modules,
assuming that the signature is in the .note section. If it is not .comment,
do that with "--remove-section=.comment" instead.

    # .so and shared library
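
Review bot: the early `return` under `if elftype & 16:` exits before the `stripcmd.extend(["--strip-debug", ...])` call shown in the context, so a signed module skips every strip flag, including `--strip-debug`, and the only trace is a `bb.debug(1, ...)` message. If skipping the whole strip is intended, log it with bb.note so it shows up in normal build output, and add a comment at the check saying why no partial strip is attempted for signed modules.
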
@@ -46,6 +49,13 @@ def is_kernel_module(path):
    with open(path) as f:
        return mmap.mmap(f.fileno(), 0, prot=mmap.PROT_READ).find(b"vermagic=") 
>= 0

+# Detect if .ko module is signed
+def is_kernel_module_signed(path):
+    with open(path, "rb") as f:
+        f.seek(-28, 2)

Where does the magic -28 come from? Is it true for all cases, all CPU arches?
I think it could be done more cleanly here.

Thanks,
Victor

+        module_tail = f.read()
+        return "Module signature appended" in "".join(chr(c) for c in 
bytearray(module_tail))
+
# Return type (bits):
# 0 - not elf
# 1 - ELF
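
Review bot: `f.seek(-28, 2)` in `is_kernel_module_signed` relies on two unexplained literals and raises on any file shorter than 28 bytes. Define the marker once as a bytes constant, derive the offset from its length, pass `os.SEEK_END` instead of `2`, and check the file size before seeking. The `"".join(chr(c) for c in bytearray(module_tail))` conversion is unnecessary because the file is opened with "rb": compare bytes with bytes, and match the marker at the very end of the tail rather than as a substring anywhere in it.
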
--
2.18.0

--
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
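
The two questions raised in the review (where the signature is stored, and where -28 comes from) can be answered by reading the trailer itself. The following is an added example, not code from the patch or from OpenEmbedded: it assumes the Linux kernel's appended-signature layout (signature data, then a 12-byte info struct, then the 28-byte magic string, all placed after the ELF image), and the names `module_signature_info` and `make_sample` are hypothetical.

```python
import os
import struct
import tempfile

# Trailer magic the Linux kernel appends to signed modules (28 bytes).
MODULE_SIG_MAGIC = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# 3 pad bytes, big-endian 32-bit sig_len (12 bytes in total).
SIG_INFO = struct.Struct(">5B3xI")


def module_signature_info(path):
    """Return (payload_len, sig_len, id_type) for a signed module, else None."""
    size = os.path.getsize(path)
    tail_len = SIG_INFO.size + len(MODULE_SIG_MAGIC)
    if size < tail_len:
        return None  # too short to carry a trailer; avoids a failing seek
    with open(path, "rb") as f:
        f.seek(-tail_len, os.SEEK_END)
        tail = f.read(tail_len)
    if not tail.endswith(MODULE_SIG_MAGIC):
        return None  # the magic must be the last bytes of the file
    _, _, id_type, _, _, sig_len = SIG_INFO.unpack(tail[:SIG_INFO.size])
    payload_len = size - tail_len - sig_len
    if payload_len < 0:
        return None  # malformed trailer: claimed signature exceeds the file
    return payload_len, sig_len, id_type


def make_sample(path, payload, signature=b""):
    """Write a constructed (not real) module image for demonstration."""
    with open(path, "wb") as f:
        f.write(payload)
        if signature:
            f.write(signature)
            f.write(SIG_INFO.pack(0, 0, 2, 0, 0, len(signature)))
            f.write(MODULE_SIG_MAGIC)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        ko = os.path.join(d, "demo.ko")
        make_sample(ko, b"\x7fELF" + b"\0" * 60, b"S" * 256)
        print(module_signature_info(ko))
```

Because the trailer sits after the ELF data rather than in a section, `payload_len` marks where the ELF image ends and the signature material begins.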
