On Thu, Jun 9, 2022 at 8:21 AM <sartr...@email.ecagroup.com> wrote:
>
> Hello,
>
> I've noticed that on kirkstone branch, the call to objcopy
> --add-gnu-debuglink, made by splitdebuginfo() function, on a signed kernel
> module is removing the signature.
> An easy fix is to set INHIBIT_PACKAGE_DEBUG_SPLIT to "1" in the kernel
> recipe, this way kernel module signatures are not removed.
> Maybe I can submit this simple fix to meta-security layer.
> But maybe it is better to handle it in oe-core as it was done in runstrip()
> function in lib/oe/package.py, there is already a is_kernel_module_signed()
> helper that detects if a kernel module is signed or not.
> What do you think?

It would be worth checking with Saul/Joshua to make sure that SBOM
or licensing isn't hooked into the debug split packages.

I vaguely recall Saul requiring the debug split, or at least debug
info, to track down the kernel source for a given module, so that
it could be part of SBOM.

Anything we did for this signed issue would have to be sure to
not break that.

Bruce

>
> Regards
> --
> Leo
>
>

--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II
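
An added example, not part of the thread and not oe-core code: a check a packaging QA step could run to flag modules that were signed before the debug split and are unsigned afterwards. The trailer magic and the 12-byte `struct module_signature` layout follow the kernel's appended-signature format; the function names and the sample module bytes are constructed for illustration.

```python
import struct

# Trailer that the kernel's sign-file tool appends after the signature.
MAGIC = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# 3 pad bytes, then sig_len as a big-endian 32-bit value (12 bytes total).
SIG_INFO = struct.Struct(">BBBBB3xI")


def signature_info(data: bytes):
    """Return (payload_len, sig_len) for a signed module image, else None."""
    if not data.endswith(MAGIC):
        return None
    info_end = len(data) - len(MAGIC)
    info_start = info_end - SIG_INFO.size
    if info_start < 0:
        return None
    sig_len = SIG_INFO.unpack(data[info_start:info_end])[-1]
    if sig_len > info_start:
        return None  # trailer present but the length field is inconsistent
    return info_start - sig_len, sig_len


def lost_signatures(before: dict, after: dict):
    """Names of modules that carried a signature in `before` but not in `after`."""
    return sorted(
        name for name, image in before.items()
        if signature_info(image) is not None
        and signature_info(after.get(name, b"")) is None
    )


# Constructed sample data: a 64-byte stand-in for the ELF payload and a
# 256-byte dummy signature blob (id_type 2 is PKCS#7 in the kernel headers).
PAYLOAD = b"\x7fELF" + b"\x00" * 60
SIGNED = PAYLOAD + b"S" * 256 + SIG_INFO.pack(0, 0, 2, 0, 0, 256) + MAGIC
# Stand-in for the same module after a step that dropped the trailer.
UNSIGNED = PAYLOAD + b"\x00" * 16

if __name__ == "__main__":
    print(signature_info(SIGNED))
    print(lost_signatures({"a.ko": SIGNED, "b.ko": UNSIGNED},
                          {"a.ko": UNSIGNED, "b.ko": UNSIGNED}))
```

The check only confirms that a trailer is present and self-consistent; it does not verify the signature against a key.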