[OE-core] [PATCH] package: skip strip on signed kernel modules

Ocampo Coronado, Omar omar.ocampo.coronado at intel.com
Fri Aug 3 20:40:20 UTC 2018


Yes, we would like to keep the symbols on a signed kernel module.

Andre shared this link:  https://www.kernel.org/doc/html/v4.17/admin-guide/module-signing.html#signed-modules-and-stripping , from conversation topic: Re: [OE-core] Strip kernel modules and signatures

-28 is the last 28 bytes of the file. The same number of bytes is read by dracut to check whether a module is signed.
And you are correct Victor, I'm unsure if this would work outside x86 arch. 

Two pending fixes:
    1) This patch also needs to fix the mode of the file as the original may not be preserved.  
    2)  Seems like 'return' is not accepted by oe.utils.multiprocess, still getting familiar with OE

-----Original Message-----
From: Victor Kamensky [mailto:kamensky at cisco.com] 
Sent: Friday, August 3, 2018 3:28 PM
To: Ocampo Coronado, Omar <omar.ocampo.coronado at intel.com>
Cc: openembedded-core at lists.openembedded.org
Subject: Re: [OE-core] [PATCH] package: skip strip on signed kernel modules



On Fri, 3 Aug 2018, omar.ocampo.coronado at intel.com wrote:

> From: foocampo <omar.ocampo.coronado at intel.com>
>
> Executing strip action on kernel modules removes the signature.
> It is not possible to strip and keep the signature, therefore avoid
> stripping signed kernel modules.
>
> Signed-off-by: foocampo <omar.ocampo.coronado at intel.com>
> ---
> meta/lib/oe/package.py | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/meta/lib/oe/package.py b/meta/lib/oe/package.py index 
> fa3428ad61..f7d2d3b7c4 100644
> --- a/meta/lib/oe/package.py
> +++ b/meta/lib/oe/package.py
> @@ -24,6 +24,9 @@ def runstrip(arg):
>
>     # kernel module
>     if elftype & 16:
> +        if is_kernel_module_signed(file):
> +            bb.debug(1, "Skip strip on signed module %s" % file)
> +            return

It does not look right to me. The above means that a signed KLM will go into the image with symbols. Or am I not reading the code correctly?

Where is signature stored? Is it some kind of an ELF NOTE? In this case you would just need to drop only "--remove-section=.note"
from strip command. Wondering why .notes were stripped in the first place.

>         stripcmd.extend(["--strip-debug", "--remove-section=.comment",
>             "--remove-section=.note", "--preserve-dates"])

I suggest splitting the above into two invocations and doing the second
stripcmd.extend(["--remove-section=.note"]) only for non-signed modules.
Assuming that signature is in the .note section. If it is not .comment, do that with "--remove-section=.comment" instead.

>     # .so and shared library
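
Review bot: the bare `return` added under `if elftype & 16:` exits before the `stripcmd.extend(["--strip-debug", ...])` line that follows it, so a signed module is not stripped at all and keeps its debug info along with `.comment` and `.note`. If that is the intent, state it in the commit message and in a comment above the check, since the message only says that stripping removes the signature and does not mention that signed modules will be installed with full symbols.
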
> @@ -46,6 +49,13 @@ def is_kernel_module(path):
>     with open(path) as f:
>         return mmap.mmap(f.fileno(), 0, 
> prot=mmap.PROT_READ).find(b"vermagic=") >= 0
>
> +# Detect if .ko module is signed
> +def is_kernel_module_signed(path):
> +    with open(path, "rb") as f:
> +        f.seek(-28, 2)

Where does the magic -28 come from? Is it true for all cases, all CPU arches?
I think it could be done more cleanly here.

Thanks,
Victor

> +        module_tail = f.read()
> +        return "Module signature appended" in "".join(chr(c) for c in 
> + bytearray(module_tail))
> +
> # Return type (bits):
> # 0 - not elf
> # 1 - ELF
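
Review bot: `f.seek(-28, 2)` in is_kernel_module_signed() hard-codes two unexplained numbers and raises OSError on a file shorter than 28 bytes. Define the marker once as a named bytes constant, check the file size, seek by the negative marker length with `os.SEEK_END`, and compare the bytes directly (for example with `endswith`) instead of rebuilding a str through `"".join(chr(c) for c in bytearray(module_tail))`. A one-line comment saying where the marker is defined would also document why the offset does not depend on the target architecture.
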
> --
> 2.18.0
>
>
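
The questions raised in the thread (where the signature lives and where -28 comes from) can be checked with a small trailer parser. This is an added example, not code from the patch or from OE-core; the function names are hypothetical, and the trailer layout (28-byte marker preceded by a 12-byte `struct module_signature`) is taken from the Linux kernel's module signing format rather than from this page.

```python
import os
import struct
import tempfile

# Layout assumed from the Linux kernel's module signing format (not from the patch):
#   <ELF image> <signature blob> <struct module_signature, 12 bytes> <marker>
MODULE_SIG_MARKER = b"~Module signature appended~\n"  # 28 bytes, hence the -28
# algo, hash, id_type, signer_len, key_id_len, 3 pad bytes, sig_len (big-endian u32)
SIG_INFO = struct.Struct(">BBBBB3xI")


def parse_module_signature(path):
    """Return trailer details for a signed module, or None if it is unsigned."""
    size = os.path.getsize(path)
    tail_len = SIG_INFO.size + len(MODULE_SIG_MARKER)
    if size < tail_len:  # too short to hold a trailer; seeking back would fail
        return None
    with open(path, "rb") as f:
        f.seek(-tail_len, os.SEEK_END)
        tail = f.read(tail_len)
    if not tail.endswith(MODULE_SIG_MARKER):
        return None
    _algo, _hash, id_type, signer_len, key_id_len, sig_len = SIG_INFO.unpack(
        tail[:SIG_INFO.size])
    # signer_len and key_id_len are zero for PKCS#7 signatures (id_type 2)
    appended = tail_len + sig_len + signer_len + key_id_len
    if appended > size:
        raise ValueError("inconsistent signature trailer in %s" % path)
    return {"id_type": id_type, "sig_len": sig_len, "elf_len": size - appended}


def demo_constructed_files():
    """Run the parser over constructed byte strings (not real modules)."""
    elf = b"\x7fELF" + b"\x00" * 60  # stand-in for the ELF image
    sig = b"\xaa" * 16               # stand-in for the PKCS#7 blob
    signed = elf + sig + SIG_INFO.pack(0, 0, 2, 0, 0, len(sig)) + MODULE_SIG_MARKER
    samples = {"signed.ko": signed, "unsigned.ko": elf, "tiny.ko": b"x"}
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as f:
                f.write(data)
            results[name] = parse_module_signature(path)
    return results


if __name__ == "__main__":
    print(demo_constructed_files())
```

Because the signature is appended after the ELF image and `sig_len` is stored big-endian, the same check applies regardless of the target CPU, and `elf_len` gives the size of the part that tools such as strip operate on.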


