2015-04-21 13:58:52

by Michal Marek

[permalink] [raw]
Subject: Re: [PATCH] builddeb: fix stripped module signatures if CONFIG_DEBUG_INFO and CONFIG_MODULE_SIG_ALL are set

(added Max to Cc)

On 2015-03-16 09:20, Andrey Skvortsov wrote:
> If CONFIG_MODULE_SIG_ALL is set, then user expects that all modules are
> automatically signed in the result package, as it's for rpm-pkg, binrpm-pkg,
> tar, tar-*. For deb-pkg this is correct only if CONFIG_DEBUG_INFO
> is NOT set. In that case deb-package contains signed modules.
>
> But if CONFIG_DEBUG_INFO is set, builddeb creates separate package with
> debug information. To do that, debug information from all modules
> is copied into separate files by objcopy. And loadable kernel modules are
> stripped afterwards. Stripping removes previously (during modules_install)
> added signatures from loadable kernel modules. Therefore final deb-package
> contains unsigned modules despite of set option CONFIG_MODULE_SIG_ALL.
>
> This patch resigns all stripped modules if CONFIG_MODULE_SIG_ALL is set
> to solve this problem.
>
> Signed-off-by: Andrey Skvortsov <[email protected]>

Max, Ben, are you fine with this patch? It looks OK to me, the
modules_sign target has been added for this very purpose.

Thanks,
Michal

> ---
> scripts/package/builddeb | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/scripts/package/builddeb b/scripts/package/builddeb
> index 88dbf23..977c4d7 100755
> --- a/scripts/package/builddeb
> +++ b/scripts/package/builddeb
> @@ -162,6 +162,12 @@ if grep -q '^CONFIG_MODULES=y' $KCONFIG_CONFIG ; then
> # then add a link to those
> $OBJCOPY --add-gnu-debuglink=$dbg_dir/usr/lib/debug/$module $tmpdir/$module
> done
> +
> + # resign stripped modules
> + MODULE_SIG_ALL="$(grep -s '^CONFIG_MODULE_SIG_ALL=y' $KCONFIG_CONFIG || true)"
> + if [ -n "$MODULE_SIG_ALL" ]; then
> + INSTALL_MOD_PATH="$tmpdir" $MAKE KBUILD_SRC= modules_sign
> + fi
> fi
> fi
>
>


2015-04-22 16:06:32

by maximilian attems

[permalink] [raw]
Subject: Re: [PATCH] builddeb: fix stripped module signatures if CONFIG_DEBUG_INFO and CONFIG_MODULE_SIG_ALL are set

On Tue, Apr 21, 2015 at 03:58:48PM +0200, Michal Marek wrote:
> (added Max to Cc)
>
> On 2015-03-16 09:20, Andrey Skvortsov wrote:
> > If CONFIG_MODULE_SIG_ALL is set, then user expects that all modules are
> > automatically signed in the result package, as it's for rpm-pkg, binrpm-pkg,
> > tar, tar-*. For deb-pkg this is correct only if CONFIG_DEBUG_INFO
> > is NOT set. In that case deb-package contains signed modules.
> >
> > But if CONFIG_DEBUG_INFO is set, builddeb creates separate package with
> > debug information. To do that, debug information from all modules
> > is copied into separate files by objcopy. And loadable kernel modules are
> > stripped afterwards. Stripping removes previously (during modules_install)
> > added signatures from loadable kernel modules. Therefore final deb-package
> > contains unsigned modules despite of set option CONFIG_MODULE_SIG_ALL.
> >
> > This patch resigns all stripped modules if CONFIG_MODULE_SIG_ALL is set
> > to solve this problem.
> >
> > Signed-off-by: Andrey Skvortsov <[email protected]>
>
> Max, Ben, are you fine with this patch? It looks OK to me, the
> modules_sign target has been added for this very purpose.
>

Ben seems busy with the release, so jumping in. The patch looks
perfect to me.

Acked-by: maximilian attems <[email protected]>

2015-05-04 15:37:36

by Andrey Skvortsov

[permalink] [raw]
Subject: Re: [PATCH] builddeb: fix stripped module signatures if CONFIG_DEBUG_INFO and CONFIG_MODULE_SIG_ALL are set

On 22 Apr, maximilian attems wrote:
> On Tue, Apr 21, 2015 at 03:58:48PM +0200, Michal Marek wrote:
> > (added Max to Cc)
> >
> > On 2015-03-16 09:20, Andrey Skvortsov wrote:
> > > If CONFIG_MODULE_SIG_ALL is set, then user expects that all modules are
> > > automatically signed in the result package, as it's for rpm-pkg, binrpm-pkg,
> > > tar, tar-*. For deb-pkg this is correct only if CONFIG_DEBUG_INFO
> > > is NOT set. In that case deb-package contains signed modules.
> > >
> > > But if CONFIG_DEBUG_INFO is set, builddeb creates separate package with
> > > debug information. To do that, debug information from all modules
> > > is copied into separate files by objcopy. And loadable kernel modules are
> > > stripped afterwards. Stripping removes previously (during modules_install)
> > > added signatures from loadable kernel modules. Therefore final deb-package
> > > contains unsigned modules despite of set option CONFIG_MODULE_SIG_ALL.
> > >
> > > This patch resigns all stripped modules if CONFIG_MODULE_SIG_ALL is set
> > > to solve this problem.
> > >
> > > Signed-off-by: Andrey Skvortsov <[email protected]>
> >
> > Max, Ben, are you fine with this patch? It looks OK to me, the
> > modules_sign target has been added for this very purpose.
> >
>
> Ben seems busy with the release, so jumping in. The patch looks
> perfect to me.
>
> Acked-by: maximilian attems <[email protected]>
>
Maximilian, thanks for the review.

Michal, are we waiting for Ben's acknowledge too?

--
Best regards,
Andrey Skvortsov

Secure e-mail with gnupg: See http://www.gnupg.org/
PGP Key ID: 0x57A3AEAD



Attachments:
(No filename) (1.58 kB)
signature.asc (819.00 B)
Digital signature
Download all attachments

2015-05-04 18:23:07

by Ben Hutchings

[permalink] [raw]
Subject: Re: [PATCH] builddeb: fix stripped module signatures if CONFIG_DEBUG_INFO and CONFIG_MODULE_SIG_ALL are set

On Mon, 2015-05-04 at 18:37 +0300, Andrey Skvortsov wrote:
> On 22 Apr, maximilian attems wrote:
> > On Tue, Apr 21, 2015 at 03:58:48PM +0200, Michal Marek wrote:
> > > (added Max to Cc)
> > >
> > > On 2015-03-16 09:20, Andrey Skvortsov wrote:
> > > > If CONFIG_MODULE_SIG_ALL is set, then user expects that all modules are
> > > > automatically signed in the result package, as it's for rpm-pkg, binrpm-pkg,
> > > > tar, tar-*. For deb-pkg this is correct only if CONFIG_DEBUG_INFO
> > > > is NOT set. In that case deb-package contains signed modules.
> > > >
> > > > But if CONFIG_DEBUG_INFO is set, builddeb creates separate package with
> > > > debug information. To do that, debug information from all modules
> > > > is copied into separate files by objcopy. And loadable kernel modules are
> > > > stripped afterwards. Stripping removes previously (during modules_install)
> > > > added signatures from loadable kernel modules. Therefore final deb-package
> > > > contains unsigned modules despite of set option CONFIG_MODULE_SIG_ALL.
> > > >
> > > > This patch resigns all stripped modules if CONFIG_MODULE_SIG_ALL is set
> > > > to solve this problem.
> > > >
> > > > Signed-off-by: Andrey Skvortsov <[email protected]>
> > >
> > > Max, Ben, are you fine with this patch? It looks OK to me, the
> > > modules_sign target has been added for this very purpose.
> > >
> >
> > Ben seems busy with the release, so jumping in. The patch looks
> > perfect to me.
> >
> > Acked-by: maximilian attems <[email protected]>
> >
> Maximilian, thanks for the review.
>
> Michal, are we waiting for Ben's acknowledge too?

Don't wait for me.

Ben.

--
Ben Hutchings
If you seem to know what you are doing, you'll be given more to do.


Attachments:
signature.asc (811.00 B)
This is a digitally signed message part

2015-05-06 13:30:32

by Michal Marek

[permalink] [raw]
Subject: Re: [PATCH] builddeb: fix stripped module signatures if CONFIG_DEBUG_INFO and CONFIG_MODULE_SIG_ALL are set

On 2015-05-04 17:37, Andrey Skvortsov wrote:
> On 22 Apr, maximilian attems wrote:
>> On Tue, Apr 21, 2015 at 03:58:48PM +0200, Michal Marek wrote:
>>> (added Max to Cc)
>>>
>>> On 2015-03-16 09:20, Andrey Skvortsov wrote:
>>>> If CONFIG_MODULE_SIG_ALL is set, then user expects that all modules are
>>>> automatically signed in the result package, as it's for rpm-pkg, binrpm-pkg,
>>>> tar, tar-*. For deb-pkg this is correct only if CONFIG_DEBUG_INFO
>>>> is NOT set. In that case deb-package contains signed modules.
>>>>
>>>> But if CONFIG_DEBUG_INFO is set, builddeb creates separate package with
>>>> debug information. To do that, debug information from all modules
>>>> is copied into separate files by objcopy. And loadable kernel modules are
>>>> stripped afterwards. Stripping removes previously (during modules_install)
>>>> added signatures from loadable kernel modules. Therefore final deb-package
>>>> contains unsigned modules despite of set option CONFIG_MODULE_SIG_ALL.
>>>>
>>>> This patch resigns all stripped modules if CONFIG_MODULE_SIG_ALL is set
>>>> to solve this problem.
>>>>
>>>> Signed-off-by: Andrey Skvortsov <[email protected]>
>>>
>>> Max, Ben, are you fine with this patch? It looks OK to me, the
>>> modules_sign target has been added for this very purpose.
>>>
>>
>> Ben seems busy with the release, so jumping in. The patch looks
>> perfect to me.
>>
>> Acked-by: maximilian attems <[email protected]>
>>
> Maximilian, thanks for the review.
>
> Michal, are we waiting for Ben's acknowledge too?

I applied the patch to kbuild.git#misc now, after fixing the whitespace.
Andrey, please use tabs for indentation, especially when the surrounding
code is already using this style.

Michal

2015-05-08 11:11:36

by Andrey Skvortsov

[permalink] [raw]
Subject: Re: [PATCH] builddeb: fix stripped module signatures if CONFIG_DEBUG_INFO and CONFIG_MODULE_SIG_ALL are set

On 06 May, Michal Marek wrote:
> On 2015-05-04 17:37, Andrey Skvortsov wrote:
> > On 22 Apr, maximilian attems wrote:
> >> On Tue, Apr 21, 2015 at 03:58:48PM +0200, Michal Marek wrote:
> >>> (added Max to Cc)
> >>>
> >>> On 2015-03-16 09:20, Andrey Skvortsov wrote:
> >>>> If CONFIG_MODULE_SIG_ALL is set, then user expects that all modules are
> >>>> automatically signed in the result package, as it's for rpm-pkg, binrpm-pkg,
> >>>> tar, tar-*. For deb-pkg this is correct only if CONFIG_DEBUG_INFO
> >>>> is NOT set. In that case deb-package contains signed modules.
> >>>>
> >>>> But if CONFIG_DEBUG_INFO is set, builddeb creates separate package with
> >>>> debug information. To do that, debug information from all modules
> >>>> is copied into separate files by objcopy. And loadable kernel modules are
> >>>> stripped afterwards. Stripping removes previously (during modules_install)
> >>>> added signatures from loadable kernel modules. Therefore final deb-package
> >>>> contains unsigned modules despite of set option CONFIG_MODULE_SIG_ALL.
> >>>>
> >>>> This patch resigns all stripped modules if CONFIG_MODULE_SIG_ALL is set
> >>>> to solve this problem.
> >>>>
> >>>> Signed-off-by: Andrey Skvortsov <[email protected]>
> >>>
> >>> Max, Ben, are you fine with this patch? It looks OK to me, the
> >>> modules_sign target has been added for this very purpose.
> >>>
> >>
> >> Ben seems busy with the release, so jumping in. The patch looks
> >> perfect to me.
> >>
> >> Acked-by: maximilian attems <[email protected]>
> >>
> > Maximilian, thanks for the review.
> >
> > Michal, are we waiting for Ben's acknowledge too?
>
> I applied the patch to kbuild.git#misc now, after fixing the whitespace.
> Andrey, please use tabs for indentation, especially when the surrounding
> code is already using this style.

Thanks, Michal.

Sorry about whitespaces. I checked the patch with
checkpatch.pl before posting and it did not complain. I'll pay more
attention to patches for non-[ch] files.

--
Best regards,
Andrey Skvortsov

Secure eMail with gnupg: See http://www.gnupg.org/
PGP Key ID: 0x57A3AEAD


Attachments:
(No filename) (2.07 kB)
signature.asc (836.00 B)
Digital signature
Download all attachments

2015-05-08 13:48:01

by maximilian attems

[permalink] [raw]
Subject: Re: [PATCH] builddeb: fix stripped module signatures if CONFIG_DEBUG_INFO and CONFIG_MODULE_SIG_ALL are set

Hello Michal,

On Wed, May 06, 2015 at 03:30:28PM +0200, Michal Marek wrote:
>
> I applied the patch to kbuild.git#misc now, after fixing the whitespace.
> Andrey, please use tabs for indentation, especially when the surrounding
> code is already using this style.

please apply this arm thingy too:

- [PATCHv4 1/1] deb-pkg: Add device tree blobs to the package
reviewed by ben and acked by me.
[email protected]


thanks,

--
maks