On 30.03.2021 09:53:46, Michael Olbrich wrote: > On Tue, Mar 30, 2021 at 06:08:10AM +0000, Denis Osterland-Heim wrote: > > If CONFIG_MODULE_SIG_ALL is set in kernelconfig then modules will be > > automatically signed during the modules_install phase of a kernel build. > > > > Signed modules are BRITTLE as the signature is outside of the defined ELF > > container. Thus they MAY NOT be stripped once the signature is computed > > and attached. Note the entire module is the signed payload, including any > > and all debug information present at the time of signing. > > Hmm, we had the same issue at some point. The solution was a local copy of > the shell code that does the stripping and installing. I think we added > some code to sign the Modules again. > The result was nice, but the whole thing was rather invasive and makes > assumptions on how the module signing works internally in the kernel. > So it was not something that I wanted to merge mainline that way. > > In general, I like this approach better. But there are two issues with it. > > 1. There are redundant options and if the uses gets it wrong then it wont > fail at build time. We can get this from the kernelconfig: > '$(shell ptxd_get_kconfig $(KERNEL_CONFIG) CONFIG_MODULE_SIG_ALL)' I think. > But we have to make sure that it's not evaluated too early. To avoid > slowing down ptxdist startup. > > 2. The modules are not stripped at all. So we should set > INSTALL_MOD_STRIP=1 in this case. > > Marc, what do you think?
The current diff for module re-signing looks like this:
| # $1: file to strip
| #
| # $strip: k for kernel modules
| @@ -425,8 +15,26 @@ ptxd_install_file_strip() {
| esac
|
| files=( "${sdirs[@]/%/${dst}}" )
| install -d "${files[0]%/*}" &&
| "${strip_cmd[@]}" -o "${files[0]}" "${src}" &&
| + if [ "${strip}" = "k" -a -e "${pkg_build_dir}/scripts/sign-file" -a -n
"${CONFIG_MODULE_SIG_KEY}" ]; then
| + local sig_hash
| +
| + sig_hash="$(ptxd_get_kconfig "${pkg_config}" CONFIG_MODULE_SIG_HASH)"
|| return
| +
| + echo "sign module:"
| + echo " file=$(ptxd_print_path ${files[0]})"
| + echo " key=${CONFIG_MODULE_SIG_KEY}"
| + echo " cert=$(ptxd_print_path
${pkg_build_dir}/certs/signing_key.x509)"
| + echo " hash=${sig_hash}"
| + echo
| + "${pkg_build_dir}/scripts/sign-file" \
| + "${sig_hash}" \
| + "${CONFIG_MODULE_SIG_KEY}" \
| + "${pkg_build_dir}/certs/signing_key.x509" \
| + "${files[0]}" || return
| + fi
| +
| for (( i=1 ; ${i} < ${#files[@]} ; i=$[i+1] )); do
| install -m "${mod_rw}" -D "${files[0]}" "${files[${i}]}" || return
| done &&
| @@ -443,658 +51,3 @@ ptxd_install_file_strip() {
| fi
| }
If we don't want to re-sign, we can use the above "if [ "${strip}" = "k"
-a ... ]" and don't strip. This means no changes in the kernel.make
files are needed.
Marc
--
Pengutronix e.K. | Marc Kleine-Budde |
Embedded Linux | https://www.pengutronix.de |
Vertretung West/Dortmund | Phone: +49-231-2826-924 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
signature.asc
Description: PGP signature
_______________________________________________ ptxdist mailing list [email protected] To unsubscribe, send a mail with subject "unsubscribe" to [email protected]
