If CONFIG_MODULE_SIG is set, and 'make modules_sign' is called then this
patch will cause the modules to get a signature appended. The make target
is intended to be run after 'make modules_install', and will modify the
modules in-place in the installed location. It can be used to produce
signed modules after they have been processed by distribution build
scripts.
Signed-off-by: Josh Boyer <[email protected]>
---
v2: Not word-wrapped this time (hopefully)
Makefile | 6 ++++++
scripts/Makefile.modsign | 32 ++++++++++++++++++++++++++++++++
2 files changed, 38 insertions(+)
create mode 100644 scripts/Makefile.modsign
diff --git a/Makefile b/Makefile
index 3d10a87..3c3ece7 100644
--- a/Makefile
+++ b/Makefile
@@ -985,6 +985,12 @@ _modinst_post: _modinst_
$(Q)$(MAKE) -f $(srctree)/scripts/Makefile.fwinst obj=firmware __fw_modinst
$(call cmd,depmod)
+ifeq ($(CONFIG_MODULE_SIG), y)
+PHONY += modules_sign
+modules_sign:
+ $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modsign
+endif
+
else # CONFIG_MODULES
# Modules not configured
diff --git a/scripts/Makefile.modsign b/scripts/Makefile.modsign
new file mode 100644
index 0000000..670d5dc
--- /dev/null
+++ b/scripts/Makefile.modsign
@@ -0,0 +1,32 @@
+# ==========================================================================
+# Signing modules
+# ==========================================================================
+
+PHONY := __modsign
+__modsign:
+
+include scripts/Kbuild.include
+
+__modules := $(sort $(shell grep -h '\.ko' /dev/null $(wildcard $(MODVERDIR)/*.mod)))
+modules := $(patsubst %.o,%.ko,$(wildcard $(__modules:.ko=.o)))
+
+PHONY += $(modules)
+__modsign: $(modules)
+ @:
+
+quiet_cmd_sign_ko = SIGN [M] $(2)/$(notdir $@)
+ cmd_sign_ko = $(mod_sign_cmd) $(2)/$(notdir $@)
+
+# Modules built outside the kernel source tree go into extra by default
+INSTALL_MOD_DIR ?= extra
+ext-mod-dir = $(INSTALL_MOD_DIR)$(subst $(patsubst %/,%,$(KBUILD_EXTMOD)),,$(@D))
+
+modinst_dir = $(if $(KBUILD_EXTMOD),$(ext-mod-dir),kernel/$(@D))
+
+$(modules):
+ $(call cmd,sign_ko,$(MODLIB)/$(modinst_dir))
+
+# Declare the contents of the .PHONY variable as phony. We keep that
+# # information in a variable se we can use it in if_changed and friends.
+
+.PHONY: $(PHONY)
--
1.7.12.1
Josh Boyer <[email protected]> writes:
> If CONFIG_MODULE_SIG is set, and 'make modules_sign' is called then this
> patch will cause the modules to get a signature appended. The make target
> is intended to be run after 'make modules_install', and will modify the
> modules in-place in the installed location. It can be used to produce
> signed modules after they have been processed by distribution build
> scripts.
>
> Signed-off-by: Josh Boyer <[email protected]>
It's a bit of a niche case, but applied.
Cheers,
Rusty.
On Thu, Nov 01, 2012 at 06:03:18PM +1030, Rusty Russell wrote:
> Josh Boyer <[email protected]> writes:
>
> > If CONFIG_MODULE_SIG is set, and 'make modules_sign' is called then this
> > patch will cause the modules to get a signature appended. The make target
> > is intended to be run after 'make modules_install', and will modify the
> > modules in-place in the installed location. It can be used to produce
> > signed modules after they have been processed by distribution build
> > scripts.
> >
> > Signed-off-by: Josh Boyer <[email protected]>
>
> It's a bit of a niche case, but applied.
Thanks. Whether you consider RPM built kernels niche or not doesn't
matter to me. Having this upstream is one less patch we have to carry
so I appreciate it a lot.
josh
Josh Boyer <[email protected]> writes:
> On Thu, Nov 01, 2012 at 06:03:18PM +1030, Rusty Russell wrote:
>> Josh Boyer <[email protected]> writes:
>>
>> > If CONFIG_MODULE_SIG is set, and 'make modules_sign' is called then this
>> > patch will cause the modules to get a signature appended. The make target
>> > is intended to be run after 'make modules_install', and will modify the
>> > modules in-place in the installed location. It can be used to produce
>> > signed modules after they have been processed by distribution build
>> > scripts.
>> >
>> > Signed-off-by: Josh Boyer <[email protected]>
>>
>> It's a bit of a niche case, but applied.
>
> Thanks. Whether you consider RPM built kernels niche or not doesn't
> matter to me. Having this upstream is one less patch we have to carry
> so I appreciate it a lot.
My comment was more that this relies on eu-strip, because we always
sign modules on installation, so you need eu-strip to *unsign* them
(strip won't do it, BTW).
More general would be a modules_install_unsigned target to match this,
but since noone would use it, let's not write it :)
Cheers,
Rusty.
On Fri, Nov 02, 2012 at 01:49:14PM +1030, Rusty Russell wrote:
> Josh Boyer <[email protected]> writes:
>
> > On Thu, Nov 01, 2012 at 06:03:18PM +1030, Rusty Russell wrote:
> >> Josh Boyer <[email protected]> writes:
> >>
> >> > If CONFIG_MODULE_SIG is set, and 'make modules_sign' is called then this
> >> > patch will cause the modules to get a signature appended. The make target
> >> > is intended to be run after 'make modules_install', and will modify the
> >> > modules in-place in the installed location. It can be used to produce
> >> > signed modules after they have been processed by distribution build
> >> > scripts.
> >> >
> >> > Signed-off-by: Josh Boyer <[email protected]>
> >>
> >> It's a bit of a niche case, but applied.
> >
> > Thanks. Whether you consider RPM built kernels niche or not doesn't
> > matter to me. Having this upstream is one less patch we have to carry
> > so I appreciate it a lot.
>
> My comment was more that this relies on eu-strip, because we always
> sign modules on installation, so you need eu-strip to *unsign* them
> (strip won't do it, BTW).
Really? Which version of binutils are you using? The strip I have here
seems to have no qualms about stripping off the signatures:
[jwboyer@localhost crypto]$ hexdump -C blowfish-x86_64.ko | tail -5
000315d0 29 a3 6d 5e 38 01 23 b5 d8 53 cf db 01 04 01 1e |).m^8.#..S......|
000315e0 14 00 00 00 00 00 02 02 7e 4d 6f 64 75 6c 65 20 |........~Module |
000315f0 73 69 67 6e 61 74 75 72 65 20 61 70 70 65 6e 64 |signature append|
00031600 65 64 7e 0a |ed~.|
00031604
[jwboyer@localhost crypto]$ strip --strip-debug blowfish-x86_64.ko
[jwboyer@localhost crypto]$ hexdump -C blowfish-x86_64.ko | tail -5
00004c20 01 00 00 00 2b 00 00 00 00 00 00 00 00 00 00 00 |....+...........|
00004c30 50 01 00 00 00 00 00 00 01 00 00 00 33 00 00 00 |P...........3...|
00004c40 00 00 00 00 00 00 00 00 50 02 00 00 00 00 00 00 |........P.......|
00004c50 01 00 00 00 2f 00 00 00 00 00 00 00 00 00 00 00 |..../...........|
00004c60
[jwboyer@localhost crypto]$ rpm -qf `which strip`
binutils-2.23.51.0.1-3.fc18.x86_64
[jwboyer@localhost crypto]$
So that makes me very curious.
> More general would be a modules_install_unsigned target to match this,
> but since noone would use it, let's not write it :)
Deal.
josh
Josh Boyer <[email protected]> writes:
> On Fri, Nov 02, 2012 at 01:49:14PM +1030, Rusty Russell wrote:
>> My comment was more that this relies on eu-strip, because we always
>> sign modules on installation, so you need eu-strip to *unsign* them
>> (strip won't do it, BTW).
>
> Really? Which version of binutils are you using? The strip I have here
> seems to have no qualms about stripping off the signatures:
...
> So that makes me very curious.
Hmm, Works For Me too. Searches for evidence...
Nope, I'm completely off-base here. I wrote the exact opposite last
year:
On Sat, 10 Dec 2011 17:31:15 +1030 I wrote:
> But objdump doesn't care about appended data.
> objcopy and strip will remove it, of course, but without complaining.
Sorry for the noise,
Rusty.