On Tue, Mar 30, 2021 at 10:22:40AM +0200, Marc Kleine-Budde wrote:
> On 30.03.2021 09:53:46, Michael Olbrich wrote:
> > On Tue, Mar 30, 2021 at 06:08:10AM +0000, Denis Osterland-Heim wrote:
> > > If CONFIG_MODULE_SIG_ALL is set in kernelconfig then modules will be
> > > automatically signed during the modules_install phase of a kernel build.
> > >
> > > Signed modules are BRITTLE as the signature is outside of the defined ELF
> > > container. Thus they MAY NOT be stripped once the signature is computed
> > > and attached. Note the entire module is the signed payload, including any
> > > and all debug information present at the time of signing.
> >
> > Hmm, we had the same issue at some point. The solution was a local copy of
> > the shell code that does the stripping and installing. I think we added
> > some code to sign the Modules again.
> > The result was nice, but the whole thing was rather invasive and makes
> > assumptions on how the module signing works internally in the kernel.
> > So it was not something that I wanted to merge mainline that way.
> >
> > In general, I like this approach better. But there are two issues with it.
> >
> > 1. There are redundant options and if the uses gets it wrong then it wont
> > fail at build time. We can get this from the kernelconfig:
> > '$(shell ptxd_get_kconfig $(KERNEL_CONFIG) CONFIG_MODULE_SIG_ALL)' I think.
> > But we have to make sure that it's not evaluated too early. To avoid
> > slowing down ptxdist startup.
> >
> > 2. The modules are not stripped at all. So we should set
> > INSTALL_MOD_STRIP=1 in this case.
> >
> > Marc, what do you think?
>
> The current diff for module re-signing looks like this:
>
> | # $1: file to strip
> | #
> | # $strip: k for kernel modules
> | @@ -425,8 +15,26 @@ ptxd_install_file_strip() {
> | esac
> |
> | files=( "${sdirs[@]/%/${dst}}" )
> | install -d "${files[0]%/*}" &&
> | "${strip_cmd[@]}" -o "${files[0]}" "${src}" &&
> | + if [ "${strip}" = "k" -a -e "${pkg_build_dir}/scripts/sign-file" -a -n
> "${CONFIG_MODULE_SIG_KEY}" ]; then
> | + local sig_hash
> | +
> | + sig_hash="$(ptxd_get_kconfig "${pkg_config}"
> CONFIG_MODULE_SIG_HASH)" || return
> | +
> | + echo "sign module:"
> | + echo " file=$(ptxd_print_path ${files[0]})"
> | + echo " key=${CONFIG_MODULE_SIG_KEY}"
> | + echo " cert=$(ptxd_print_path
> ${pkg_build_dir}/certs/signing_key.x509)"
> | + echo " hash=${sig_hash}"
> | + echo
> | + "${pkg_build_dir}/scripts/sign-file" \
> | + "${sig_hash}" \
> | + "${CONFIG_MODULE_SIG_KEY}" \
> | + "${pkg_build_dir}/certs/signing_key.x509" \
> | + "${files[0]}" || return
> | + fi
> | +
> | for (( i=1 ; ${i} < ${#files[@]} ; i=$[i+1] )); do
> | install -m "${mod_rw}" -D "${files[0]}" "${files[${i}]}" || return
> | done &&
> | @@ -443,658 +51,3 @@ ptxd_install_file_strip() {
> | fi
> | }
>
> If we don't want to re-sign, we can use the above "if [ "${strip}" = "k"
> -a ... ]" and don't strip. This means no changes in the kernel.make
> files are needed.
I'm pretty sure, that we modified something to get CONFIG_MODULE_SIG_KEY
defined in this context.
And depending on scripts/sign-file is definitely not something I want to do
here.
Michael
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
_______________________________________________
ptxdist mailing list
[email protected]
To unsubscribe, send a mail with subject "unsubscribe" to
[email protected]
