[OE-core] Strip kernel modules and signatures
Richard Purdie
richard.purdie at linuxfoundation.org
Thu Aug 2 09:18:56 UTC 2018
On Wed, 2018-08-01 at 22:46 +0000, Ocampo Coronado, Omar wrote:
> Hello OE,
>
> While attempting to sign our kernel modules (using the kernel
> configuration CONFIG_MODULE_SIG), the drivers in our image did not
> have the signature, even though the certificate was being loaded by
> the kernel or the driver was being signed during do_install().
>
> It turns out that package.bbclass, while it does not create debug
> info files, does strip the kernel module files:
>
> python split_and_strip_files () {
>     ...
>     ...
>         for f in kernmods:
>             sfiles.append((f, 16, strip))
>
>         oe.utils.multiprocess_exec(sfiles, oe.package.runstrip)
>     #
>     # End of strip
>     #
>     os.chdir(oldcwd)
> }
>
> The strip is required for many reasons, yet it removes the signature,
> which we want to preserve in this scenario.
> To work around this issue, add
>
>     INHIBIT_PACKAGE_STRIP = "1"
>
> to either your virtual/kernel bb file or your driver bb file.
>
> Hope this helps someone in the future when adding signatures to files,
> perhaps by including this in the Yocto kernel development manual.

The code which handles kernel module stripping is in
meta/lib/oe/package.py:

    stripcmd.extend(["--strip-debug", "--remove-section=.comment",
        "--remove-section=.note", "--preserve-dates"])

It would be good to see what we'd have to do to tweak that to work for
signed modules.

Cheers,
Richard
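
A post-packaging check for the problem discussed in this thread, as an added example that is not part of the original messages or of OE-core: it looks for the appended-signature trailer that the kernel's sign-file tool writes after the ELF image, so modules whose signature was lost to stripping can be listed before an image ships. The function names and the sample bytes are constructed for illustration.

```python
import os
import struct

# Trailer layout written by the kernel's scripts/sign-file:
#   [ELF image][signature data][struct module_signature][MAGIC]
MAGIC = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# 3 pad bytes, then sig_len as a big-endian u32 (12 bytes total).
SIG_HDR = struct.Struct(">BBBBB3xI")


def module_signature_info(data):
    """Return details of the appended signature, or None if absent or damaged."""
    if not data.startswith(b"\x7fELF") or not data.endswith(MAGIC):
        return None
    hdr_off = len(data) - len(MAGIC) - SIG_HDR.size
    if hdr_off < 0:
        return None
    _algo, _hash, id_type, signer_len, key_id_len, sig_len = SIG_HDR.unpack_from(data, hdr_off)
    elf_len = hdr_off - (signer_len + key_id_len + sig_len)
    if sig_len == 0 or elf_len < 4:
        return None  # trailer present but its lengths do not fit the file
    return {"id_type": id_type, "sig_len": sig_len, "elf_len": elf_len}


def find_unsigned(root):
    """Walk root (which tree to scan is the caller's choice) and return the
    sorted relative paths of .ko files that carry no valid signature trailer."""
    missing = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".ko"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    if module_signature_info(fh.read()) is None:
                        missing.append(os.path.relpath(path, root))
    return sorted(missing)


def make_sample(signed):
    """Constructed input: a fake ELF body, optionally with a PKCS#7-style trailer."""
    elf = b"\x7fELF" + b"\x00" * 60
    if not signed:
        return elf  # stands in for a module after strip has rewritten it
    sig = b"\x30" * 256  # placeholder bytes standing in for the PKCS#7 blob
    # id_type 2 is PKEY_ID_PKCS7; the other one-byte fields are zero for PKCS#7.
    return elf + sig + SIG_HDR.pack(0, 0, 2, 0, 0, len(sig)) + MAGIC
```

This only confirms that a well-formed trailer is present; it does not verify the signature against a key.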