Re: [OE-core] [PATCH] package: skip strip on signed kernel modules
Yes, we would like to keep the symbols on a signed kernel module. Andre shared this link: https://www.kernel.org/doc/html/v4.17/admin-guide/module-signing.html#signed-modules-and-stripping , from the conversation topic "Re: [OE-core] Strip kernel modules and signatures".

-28 are the last 28 bytes of the file. The same number of bytes is read by dracut to check if a module is signed.

And you are correct Victor, I'm unsure if this would work outside the x86 arch.

Two pending fixes:
1) This patch also needs to fix the mode of the file, as the original may not be preserved.
2) Seems like 'return' is not accepted by oe.utils.multiprocess; still getting familiar with OE.

-----Original Message-----
From: Victor Kamensky [mailto:kamen...@cisco.com]
Sent: Friday, August 3, 2018 3:28 PM
To: Ocampo Coronado, Omar
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [PATCH] package: skip strip on signed kernel modules

On Fri, 3 Aug 2018, omar.ocampo.coron...@intel.com wrote:

> From: foocampo
>
> Executing the strip action on kernel modules removes the signature.
> It is not possible to strip and keep the signature, therefore avoid stripping
> signed kernel modules.
>
> Signed-off-by: foocampo
> ---
> meta/lib/oe/package.py | 10 ++
> 1 file changed, 10 insertions(+)
>
> diff --git a/meta/lib/oe/package.py b/meta/lib/oe/package.py
> index fa3428ad61..f7d2d3b7c4 100644
> --- a/meta/lib/oe/package.py
> +++ b/meta/lib/oe/package.py
> @@ -24,6 +24,9 @@ def runstrip(arg): > > # kernel module > if elftype & 16: > +if is_kernel_module_signed(file): > +bb.debug(1, "Skip strip on signed module %s" % file) > +return It does not look right to me. Above means that signed KLM will go into image with symbols. Or I don't read code correctly? Where is signature stored? Is it some kind of an ELF NOTE? In this case you would just need to drop only "--remove-section=.note" from strip command. Wondering why .notes were stripped in the first place. > stripcmd.extend(["--strip-debug", "--remove-section=.comment", > "--remove-section=.note", "--preserve-dates"]) I suggest split above into two invocations and do second stripcmd.extend(["--remove-section=.note"]) only for non signed modules. Assuming that signature is in the .note section. If it is not .comment, do that with "--remove-section=.comment" instead. > # .so and shared library > @@ -46,6 +49,13 @@ def is_kernel_module(path): > with open(path) as f: > return mmap.mmap(f.fileno(), 0, > prot=mmap.PROT_READ).find(b"vermagic=") >= 0 > > +# Detect if .ko module is signed > +def is_kernel_module_signed(path): > +with open(path, "rb") as f: > +f.seek(-28, 2) Where magic -28 comes from? Is it true for all cases, all CPU arches? I think it could be done more cleanly here. Thanks, Victor > +module_tail = f.read() > +return "Module signature appended" in "".join(chr(c) for c in > + bytearray(module_tail)) > + > # Return type (bits): > # 0 - not elf > # 1 - ELF > -- > 2.18.0 > > -- > ___ > Openembedded-core mailing list > Openembedded-core@lists.openembedded.org > http://lists.openembedded.org/mailman/listinfo/openembedded-core > -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
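Review bot: in the first hunk (@@ -24,6 +24,9 @@ def runstrip) the bare `return` under `if is_kernel_module_signed(file):` leaves runstrip early, but runstrip is the worker handed to oe.utils.multiprocess_exec (see the split_and_strip_files excerpt quoted in this thread, and the follow-up remark that 'return' is not accepted there), so the early exit changes the worker's behaviour rather than just skipping the strip. Keep the normal flow instead: compute the signed flag once and guard the `stripcmd.extend([...])` and the later strip execution with it, so the function completes the same way for signed and unsigned modules. The `bb.debug(1, ...)` line is then the only record that a module was left unstripped, which matters because unstripped signed modules are what accounts for the image size increase reported in the thread; a bb.note is easier to find in the build log.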
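Review bot: in the second hunk (@@ -46,6 +49,13 @@ def is_kernel_module), `f.seek(-28, 2)` is unexplained; 28 is the length of the marker string the kernel's sign-file appends after the ELF image (`~Module signature appended~\n`), which is why the same offset is arch-independent and why dracut reads the same amount. Name that constant and compare bytes directly, since the file is already opened with "rb", instead of `"".join(chr(c) for c in bytearray(module_tail))`:
    MODULE_SIG_STRING = b"~Module signature appended~\n"
    f.seek(-len(MODULE_SIG_STRING), 2)
    return f.read() == MODULE_SIG_STRING
Also guard the seek: on a file shorter than 28 bytes `f.seek(-28, 2)` raises OSError, so check os.path.getsize(path) >= len(MODULE_SIG_STRING) first and return False for such files.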
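The trailer that the "-28" in the patch refers to, as an added Python example that is not part of the patch or of OE-core: the kernel's scripts/sign-file appends the signature, a 12-byte module_signature struct and the 28-byte marker string after the ELF image, so the check is the same on every architecture, and this example goes one step further than the patch by also parsing the struct to report the signature length. The sample module bytes are constructed for the example, and the signature blob is a placeholder, not a real PKCS#7 signature.

```python
import struct

# Marker the kernel's scripts/sign-file appends after the ELF image.
# Its length, 28 bytes, is the "-28" in the patch under discussion.
MODULE_SIG_STRING = b"~Module signature appended~\n"

# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# 3 pad bytes, then sig_len as a big-endian u32 (12 bytes in total).
_SIG_INFO = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2


def parse_module_signature(data):
    """Return a dict describing the appended signature, or None if absent.

    Works on the raw file bytes: the trailer sits after the ELF image,
    not inside it, so no ELF parsing and no per-arch logic is needed.
    """
    if len(data) < len(MODULE_SIG_STRING) or not data.endswith(MODULE_SIG_STRING):
        return None
    body = data[:-len(MODULE_SIG_STRING)]
    if len(body) < _SIG_INFO.size:
        raise ValueError("marker present but module_signature struct missing")
    algo, hsh, id_type, signer_len, key_id_len, sig_len = _SIG_INFO.unpack(
        body[-_SIG_INFO.size:])
    payload = body[:-_SIG_INFO.size]
    if sig_len > len(payload):
        raise ValueError("sig_len %d exceeds file size" % sig_len)
    return {
        "id_type": id_type,
        "sig_len": sig_len,
        "signature": payload[len(payload) - sig_len:],
        "module_len": len(payload) - sig_len,   # bytes belonging to the ELF
    }


def is_kernel_module_signed(path):
    """Same shape as the helper in the patch, but built on the parser above."""
    with open(path, "rb") as f:
        return parse_module_signature(f.read()) is not None


# Constructed sample, not a real module: a fake ELF-like body with the
# vermagic string package.py looks for, a placeholder signature blob,
# then the 12-byte info struct and the marker.
FAKE_BODY = b"\x7fELF" + b"\0" * 60 + b"vermagic=4.17.0 SMP mod_unload\0"
FAKE_SIG = b"\x30\x82" + b"\xaa" * 40   # placeholder, not valid PKCS#7
SIGNED_SAMPLE = (FAKE_BODY + FAKE_SIG
                 + _SIG_INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(FAKE_SIG))
                 + MODULE_SIG_STRING)
```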
Re: [OE-core] Strip kernel modules and signatures
Neither 'nm' nor 'readelf' provides a symbol that we can use to strip. I'm having a hard time reading kernel-source/scripts/sign-file.c and understanding exactly how the signing works and what bytes are being added, so we can avoid stripping them.

Looking into dracut, they simply avoid stripping signed modules. From dracut.sh:1671:

    # strip kernel modules, but do not touch signed modules

Perhaps we can do the same as dracut within meta/lib/oe/package.py.

-----Original Message-----
From: richard.pur...@linuxfoundation.org [mailto:richard.pur...@linuxfoundation.org]
Sent: Thursday, August 2, 2018 4:19 AM
To: Ocampo Coronado, Omar; openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] Strip kernel modules and signatures

On Wed, 2018-08-01 at 22:46 +, Ocampo Coronado, Omar wrote:
> Hello OE,
>
> While attempting to sign our kernel modules (using the kernel
> configuration CONFIG_MODULE_SIG) the drivers in our image did not
> have the signature, even though the certificate was being loaded by the
> kernel or the driver was being signed during do_install().
>
> Turns out package.bbclass, while it skips creating debug info files,
> does strip the kernel module files:
>
> python split_and_strip_files () {
>     ...
>     ...
>     for f in kernmods:
>         sfiles.append((f, 16, strip))
>
>     oe.utils.multiprocess_exec(sfiles, oe.package.runstrip)
>     #
>     # End of strip
>     #
>     os.chdir(oldcwd)
> }
>
> The strip is required for many reasons yet it removes the signature
> which we want to preserve in this scenario.
> To work around this issue add
>     INHIBIT_PACKAGE_STRIP = "1"
> either on your virtual/kernel bb file or driver bb file.
>
> Hope this helps someone in the future when adding signatures to files,
> perhaps including this into the Yocto kernel development manual.

The code which handles kernel module stripping is in meta/lib/oe/package.py:

    stripcmd.extend(["--strip-debug", "--remove-section=.comment", "--remove-section=.note", "--preserve-dates"])

It would be good to see what we'd have to do to tweak that to work for signed modules.

Cheers,

Richard
[OE-core] Strip kernel modules and signatures
Hello OE,

While attempting to sign our kernel modules (using the kernel configuration CONFIG_MODULE_SIG) the drivers in our image did not have the signature, even though the certificate was being loaded by the kernel or the driver was being signed during do_install().

Turns out package.bbclass, while it skips creating debug info files, does strip the kernel module files:

    python split_and_strip_files () {
        ...
        ...
        for f in kernmods:
            sfiles.append((f, 16, strip))

        oe.utils.multiprocess_exec(sfiles, oe.package.runstrip)
        #
        # End of strip
        #
        os.chdir(oldcwd)
    }

The strip is required for many reasons yet it removes the signature which we want to preserve in this scenario.
To work around this issue add

    INHIBIT_PACKAGE_STRIP = "1"

either on your virtual/kernel bb file or driver bb file.

Hope this helps someone in the future when adding signatures to files, perhaps including this into the Yocto kernel development manual.

Cheers

P.S. In a linux-intel kernel (master) without stripped kernel modules the image size increased by 650kb.