[OE-core] Strip kernel modules and signatures

Ocampo Coronado, Omar omar.ocampo.coronado at intel.com
Thu Aug 2 16:54:09 UTC 2018


Neither 'nm' nor 'readelf' provides a symbol that we can use to strip.
I'm having a hard time reading kernel-source/scripts/sign-file.c and working out exactly how the signing works and what bytes are being added, so we can avoid stripping them.

Looking into dracut, they simply avoid stripping signed modules:
	From dracut.sh:1671 # strip kernel modules, but do not touch signed modules

Perhaps we can do the same as dracut within meta/lib/oe/package.py.

-----Original Message-----
From: richard.purdie at linuxfoundation.org [mailto:richard.purdie at linuxfoundation.org] 
Sent: Thursday, August 2, 2018 4:19 AM
To: Ocampo Coronado, Omar <omar.ocampo.coronado at intel.com>; openembedded-core at lists.openembedded.org
Subject: Re: [OE-core] Strip kernel modules and signatures

On Wed, 2018-08-01 at 22:46 +0000, Ocampo Coronado, Omar wrote:
> Hello OE,
> 
> While attempting to sign our kernel modules (using the kernel
> configuration CONFIG_MODULE_SIG) the drivers in our image did not
> have the signature, even with the certificate being loaded by the
> kernel or the driver being signed during do_install().
> 
> Turns out package.bbclass, while it skips creating debug info files,
> does strip the kernel module files:
> 
> python split_and_strip_files () {
>     ...
>     ...
>         for f in kernmods:
>             sfiles.append((f, 16, strip))
> 
>         oe.utils.multiprocess_exec(sfiles, oe.package.runstrip)
>     #
>     # End of strip
>     #
>     os.chdir(oldcwd)
> }
> 
> The strip is required for many reasons yet it removes the signature 
> which we want to preserve in this scenario.
> To work around this issue add
>      INHIBIT_PACKAGE_STRIP = "1"
>      either on your virtual/kernel bb file or driver bb file.
> 
> Hope this helps someone in the future when adding signature to files, 
> perhaps including this into the Yocto kernel development manual.

The code which handles kernel module stripping is in
meta/lib/oe/package.py:

stripcmd.extend(["--strip-debug", "--remove-section=.comment",
            "--remove-section=.note", "--preserve-dates"])

It would be good to see what we'd have to do to tweak that to work for signed modules.

Cheers,

Richard
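
Added example, not part of the thread and not OE-core or dracut code: the kernel's sign-file appends the signature after the ELF image, followed by a 12-byte descriptor and the marker `~Module signature appended~\n`, so nothing shows up in 'nm' or 'readelf' and a signed module can be recognised from the file's tail and kept out of the strip list. The helper names (`parse_module_signature`, `is_signed_module`, `filter_strippable`, `constructed_signed_module`) and the sample bytes are assumptions made for illustration.

```python
import struct

# Marker written as the very last bytes of a signed module.
MODULE_SIG_MAGIC = b"~Module signature appended~\n"
# Descriptor just before the marker:
# u8 algo, hash, id_type, signer_len, key_id_len, 3 pad bytes, big-endian u32 sig_len
SIG_INFO = struct.Struct(">5B3xI")


def parse_module_signature(data):
    """Return (payload_len, sig_len) for a signed module image, else None."""
    if not data.endswith(MODULE_SIG_MAGIC):
        return None
    info_end = len(data) - len(MODULE_SIG_MAGIC)
    info_start = info_end - SIG_INFO.size
    if info_start < 0:
        return None
    _algo, _hash, _id_type, signer_len, key_id_len, sig_len = SIG_INFO.unpack(
        data[info_start:info_end])
    appended = signer_len + key_id_len + sig_len
    if appended > info_start:
        return None  # lengths reach before the start of the file: corrupt trailer
    return info_start - appended, sig_len


def is_signed_module(path):
    """Cheap check that reads only the tail of the file."""
    with open(path, "rb") as f:
        f.seek(0, 2)
        size = f.tell()
        if size < len(MODULE_SIG_MAGIC):
            return False
        f.seek(size - len(MODULE_SIG_MAGIC))
        return f.read() == MODULE_SIG_MAGIC


def filter_strippable(kernmods):
    """Hypothetical helper: keep only unsigned modules for the strip list."""
    return [f for f in kernmods if not is_signed_module(f)]


def constructed_signed_module(payload, sig):
    # Constructed sample: fake ELF bytes + fake signature + trailer
    # (id_type 2 is the PKCS#7 value).
    return payload + sig + SIG_INFO.pack(0, 0, 2, 0, 0, len(sig)) + MODULE_SIG_MAGIC
```

`parse_module_signature` also gives the length of the unsigned payload, which is the part a strip step would be allowed to rewrite if the module were re-signed afterwards.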

