[OE-core] Strip kernel modules and signatures
Andre McCurdy
armccurdy at gmail.com
Wed Aug 1 22:55:01 UTC 2018
On Wed, Aug 1, 2018 at 3:46 PM, Ocampo Coronado, Omar
<omar.ocampo.coronado at intel.com> wrote:
> Hello OE,
>
> While attempting to sign our kernel modules (using the kernel configuration CONFIG_MODULE_SIG) the drivers in our image did not have the signature, even the certificate was being loaded by the kernel or the driver being signed during do_install().
>
> Turns out package.bbclass, while it ignores to create debug info files it does strips the kernel modules files:
>
> python split_and_strip_files () {
> ...
> ...
> for f in kernmods:
> sfiles.append((f, 16, strip))
>
> oe.utils.multiprocess_exec(sfiles, oe.package.runstrip)
> #
> # End of strip
> #
> os.chdir(oldcwd)
> }
>
> The strip is required for many reasons yet it removes the signature which we want to preserve in this scenario.
> To work around this issue add
> INHIBIT_PACKAGE_STRIP = "1"
> either on your virtual/kernel bb file or driver bb file.
>
> Hope this helps someone in the future when adding signature to files, perhaps including this into the Yocto kernel development manual.
The better fix would perhaps be to determine which section the
signature information is stored in and then update the code which
strips kernel modules to specifically leave that section intact.
> Cheers
>
> P.S.
> In a linux-intel kernel (master) without stripped kernel modules the image size increased in 650kb.
More information about the Openembedded-core
mailing list