[OE-core] Strip kernel modules and signatures
Andre McCurdy
armccurdy at gmail.com
Thu Sep 6 23:37:34 UTC 2018
On Thu, Sep 6, 2018 at 2:04 PM, Trevor Woerner <twoerner at gmail.com> wrote:
> On Fri, Aug 3, 2018 at 4:16 AM, Andre McCurdy <armccurdy at gmail.com> wrote:
>>
>> On Thu, Aug 2, 2018 at 9:54 AM, Ocampo Coronado, Omar
>> <omar.ocampo.coronado at intel.com> wrote:
>> > Neither 'nm' or 'readelf' provide a symbol that we can use to strip.
>> > I'm having a hard time reading kernel-source/scripts/sign-file.c and how
>> > exactly how the sign works and what bytes are being added, so we can avoid
>> > stripping them.
>> >
>> > Looking into dracut, they simple avoid strip signed modules:
>> > From dracut.sh:1671 # strip kernel modules, but do not touch
>> > signed modules
>> >
>> > Perhaps we can do the same as dracut within meta/lib/oe/package.py.
>>
>> Some more information here:
>>
>> https://www.kernel.org/doc/html/v4.17/admin-guide/module-signing.html#signed-modules-and-stripping
>
> Reading the above "between the lines", could the module be stripped /then/
> signed?
I think so. But right now the default assumption is that signing
happens as part of the kernel's build process and stripping happens
later, as part of OE's packaging process. Stripping before signing
implies switching things around a little, e.g. either the kernel build
process takes care of both stripping and signing, or OE is able to
(re)sign modules after stripping them. Probably not a huge task to
figure out, but not trivial either.
More information about the Openembedded-core
mailing list