[OE-core] [PATCH] package: skip strip on signed kernel modules

Victor Kamensky kamensky at cisco.com
Fri Aug 3 20:27:34 UTC 2018



On Fri, 3 Aug 2018, omar.ocampo.coronado at intel.com wrote:

> From: foocampo <omar.ocampo.coronado at intel.com>
>
> Executing the strip action on kernel modules removes the signature.
> It is not possible to strip and keep the signature, therefore avoid
> stripping signed kernel modules.
>
> Signed-off-by: foocampo <omar.ocampo.coronado at intel.com>
> ---
> meta/lib/oe/package.py | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/meta/lib/oe/package.py b/meta/lib/oe/package.py
> index fa3428ad61..f7d2d3b7c4 100644
> --- a/meta/lib/oe/package.py
> +++ b/meta/lib/oe/package.py
> @@ -24,6 +24,9 @@ def runstrip(arg):
>
>     # kernel module
>     if elftype & 16:
> +        if is_kernel_module_signed(file):
> +            bb.debug(1, "Skip strip on signed module %s" % file)
> +            return

It does not look right to me. The above means that a signed
KLM will go into the image with symbols. Or am I not reading
the code correctly?

Where is the signature stored? Is it some kind of ELF NOTE? In
this case you would just need to drop only "--remove-section=.note"
from the strip command. I wonder why .notes were stripped in the
first place.

>         stripcmd.extend(["--strip-debug", "--remove-section=.comment",
>             "--remove-section=.note", "--preserve-dates"])

I suggest splitting the above into two invocations and doing the second
stripcmd.extend(["--remove-section=.note"]) only for non-signed modules.
Assuming that the signature is in the .note section. If it is not .comment,
do that with "--remove-section=.comment" instead.

>     # .so and shared library
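
Review bot: the early return added under "if elftype & 16:" runs before stripcmd.extend(["--strip-debug", ...]), so a signed module skips --strip-debug as well and is packaged with its full debug information. The patch does not document that trade-off; suggest a comment at the return stating that signed modules are deliberately shipped unstripped and why, and consider bb.note instead of bb.debug(1, ...) so the skipped files show up in the task log at normal verbosity.
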
> @@ -46,6 +49,13 @@ def is_kernel_module(path):
>     with open(path) as f:
>         return mmap.mmap(f.fileno(), 0, prot=mmap.PROT_READ).find(b"vermagic=") >= 0
>
> +# Detect if .ko module is signed
> +def is_kernel_module_signed(path):
> +    with open(path, "rb") as f:
> +        f.seek(-28, 2)

Where does the magic -28 come from? Is it true for all cases, all CPU arches?
I think it could be done more cleanly here.

Thanks,
Victor

> +        module_tail = f.read()
> +        return "Module signature appended" in "".join(chr(c) for c in bytearray(module_tail))
> +
> # Return type (bits):
> # 0 - not elf
> # 1 - ELF
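
Review bot: the bare -28 in f.seek(-28, 2) is unexplained, and f.seek(-28, 2) raises OSError on any file shorter than 28 bytes, which is not handled in is_kernel_module_signed. Suggest defining the marker once as a named bytes constant, seeking by len() of that constant after checking the file size, and comparing bytes directly (for example module_tail.endswith(marker)) instead of rebuilding a str with "".join(chr(c) ...) and doing a substring match.
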
> -- 
> 2.18.0
>
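
The question about where the signature lives and where 28 comes from, as an added example (not code from this thread or from OE-core). It assumes the Linux kernel's appended-signature layout: signature data, a 12-byte info struct, then the 28-byte marker, all placed after the ELF image rather than in an ELF section. The sample module bytes are constructed.

```python
import struct

# Trailer that the kernel's sign-file tool appends after the ELF image (28 bytes).
MODULE_SIG_MAGIC = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# 3 pad bytes, then a big-endian u32 signature length (12 bytes in total).
SIG_INFO = struct.Struct(">BBBBB3xI")


def split_signed_module(data):
    """Return (elf_bytes, appended_bytes); appended_bytes is b"" if unsigned."""
    if not data.endswith(MODULE_SIG_MAGIC):
        return data, b""
    info_end = len(data) - len(MODULE_SIG_MAGIC)
    info_start = info_end - SIG_INFO.size
    if info_start < 0:
        raise ValueError("truncated signature trailer")
    _algo, _hash, _id_type, signer_len, key_id_len, sig_len = SIG_INFO.unpack(
        data[info_start:info_end])
    elf_end = info_start - (signer_len + key_id_len + sig_len)
    if elf_end < 0:
        raise ValueError("signature length exceeds file size")
    return data[:elf_end], data[elf_end:]


def is_kernel_module_signed(path):
    """Read only the file tail; files shorter than the marker are unsigned."""
    with open(path, "rb") as f:
        f.seek(0, 2)                      # jump to end to learn the size
        size = f.tell()
        if size < len(MODULE_SIG_MAGIC):
            return False
        f.seek(size - len(MODULE_SIG_MAGIC))
        return f.read() == MODULE_SIG_MAGIC


def build_sample(sig_len=16):
    """Constructed sample: fake ELF bytes plus a trailer with id_type 2 (PKCS#7)."""
    elf = b"\x7fELF" + b"\x00" * 60 + b"vermagic=constructed\x00"
    sig = b"\xaa" * sig_len               # placeholder bytes, not a real signature
    info = SIG_INFO.pack(0, 0, 2, 0, 0, sig_len)
    return elf, elf + sig + info + MODULE_SIG_MAGIC
```

Because the signature is computed over the bytes that precede it, any strip pass that rewrites the ELF part leaves the appended signature invalid even when the trailer itself survives.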