Hi,

On Fri, Nov 25, 2022 at 04:11:40PM +0000, Jack Mitchell wrote:
> On 25/11/2022 15:54, Mikko Rapeli wrote:
> > It's a good default and used in many Linux distributions.
> > Did not test out of tree modules if they do correct things but
> > any such failures should be fixed.
> >
> > One way to verify that kernel module signing also works:
> >
> > root@qemux86-64:~# dmesg|grep X.509
> > [ 1.298936] Loading compiled-in X.509 certificates
> > [ 1.328280] Loaded X.509 cert 'Build time autogenerated kernel key:
> > ee1bed6d845358744c764683bf73b4404cc79287'
> >
> > These logs in dmesg show that signing in kernel is enabled and
> > key is found. Then if any kernel modules load, they were
> > signed correctly. Additionally modinfo tool from kmod shows kernel module
> > signing details:
>
> Hi Mikko,
>
> Do the kernel modules get properly stripped, last time I was looking at
> this it was skipped when signed and as such root filesystem sizes
> ballooned with signed modules.

Yes, possibly. Linux kernel build scripts can also do this stripping though,
and they do it correctly for kernel modules while keeping signing and other
data intact. We could provide

EXTRA_OEMAKE += "INSTALL_MOD_STRIP=1"

for kernel and module builds to strip debug info.

$ cat linux/scripts/Makefile.modinst
...
# Strip
#
# INSTALL_MOD_STRIP, if defined, will cause modules to be stripped after
# they
# are installed. If INSTALL_MOD_STRIP is '1', then the default option
# --strip-debug will be used. Otherwise, INSTALL_MOD_STRIP value will be
# used
# as the options to the strip command.
ifdef INSTALL_MOD_STRIP
ifeq ($(INSTALL_MOD_STRIP),1)
strip-option := --strip-debug
else
strip-option := $(INSTALL_MOD_STRIP)
endif
...

Cheers,

-Mikko
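
A check for the concern discussed in this thread, that stripped modules must still carry their appended signature, added here as an example and not code from the thread or from OpenEmbedded. It parses the trailer that the kernel's sign-file tool appends to a .ko file; the function name, the returned field names and the sample bytes are assumptions made for this illustration.

```python
import struct
import sys

# Marker that scripts/sign-file writes as the very last bytes of a signed module.
MAGIC = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# 3 pad bytes, then a big-endian u32 sig_len (12 bytes in total).
SIG_INFO = struct.Struct(">5B3xI")
PKEY_ID_PKCS7 = 2

# Constructed sample: placeholder bytes, not a real ELF image or PKCS#7 blob.
FAKE_ELF = b"\x7fELF" + b"\x00" * 60
FAKE_SIG = b"\x30\x82" + b"\xaa" * 30
SIGNED = (FAKE_ELF + FAKE_SIG
          + SIG_INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(FAKE_SIG)) + MAGIC)


def module_signature(blob: bytes):
    """Return trailer details for a signed module image, None if unsigned.

    Raises ValueError when the marker is present but the trailer is malformed.
    """
    if not blob.endswith(MAGIC):
        return None
    body = blob[: -len(MAGIC)]
    if len(body) < SIG_INFO.size:
        raise ValueError("truncated module_signature trailer")
    _algo, _hash, id_type, _signer, _keyid, sig_len = SIG_INFO.unpack(
        body[-SIG_INFO.size:])
    elf_len = len(body) - SIG_INFO.size - sig_len
    if sig_len == 0 or elf_len < 0:
        raise ValueError("sig_len does not fit inside the file")
    return {"pkcs7": id_type == PKEY_ID_PKCS7, "sig_len": sig_len,
            "elf_len": elf_len}


if __name__ == "__main__":
    # Usage: python3 thisfile.py /lib/modules/<version>/.../*.ko
    # Compressed modules (.ko.xz, .ko.gz) must be decompressed first.
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            try:
                info = module_signature(fh.read())
            except ValueError as exc:
                info = f"malformed trailer ({exc})"
        print(f"{path}: {info if info else 'UNSIGNED'}")
```

Run over the modules in a built root filesystem, any file reported as UNSIGNED after stripping lost its signature, because the signature sits outside the ELF container.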
