(added Max to Cc)
On 2015-03-16 09:20, Andrey Skvortsov wrote:
> If CONFIG_MODULE_SIG_ALL is set, then user expects that all modules are
> automatically signed in the result package, as it's for rpm-pkg, binrpm-pkg,
> tar, tar-*. For deb-pkg this is correct only if CONFIG_DEBUG_INFO
> is NOT set. In that case deb-package contains signed modules.
>
> But if CONFIG_DEBUG_INFO is set, builddeb creates separate package with
> debug information. To do that, debug information from all modules
> is copied into separate files by objcopy. And loadable kernel modules are
> stripped afterwards. Stripping removes previously (during modules_install)
> added signatures from loadable kernel modules. Therefore final deb-package
> contains unsigned modules despite of set option CONFIG_MODULE_SIG_ALL.
>
> This patch resigns all stripped modules if CONFIG_MODULE_SIG_ALL is set
> to solve this problem.
>
> Signed-off-by: Andrey Skvortsov <[email protected]>
Max, Ben, are you fine with this patch? It looks OK to me, the
modules_sign target has been added for this very purpose.
Thanks,
Michal
> ---
> scripts/package/builddeb | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/scripts/package/builddeb b/scripts/package/builddeb
> index 88dbf23..977c4d7 100755
> --- a/scripts/package/builddeb
> +++ b/scripts/package/builddeb
> @@ -162,6 +162,12 @@ if grep -q '^CONFIG_MODULES=y' $KCONFIG_CONFIG ; then
> # then add a link to those
> $OBJCOPY --add-gnu-debuglink=$dbg_dir/usr/lib/debug/$module $tmpdir/$module
> done
> +
> + # resign stripped modules
> + MODULE_SIG_ALL="$(grep -s '^CONFIG_MODULE_SIG_ALL=y' $KCONFIG_CONFIG || true)"
> + if [ -n "$MODULE_SIG_ALL" ]; then
> + INSTALL_MOD_PATH="$tmpdir" $MAKE KBUILD_SRC= modules_sign
> + fi
> fi
> fi
>
>
On Tue, Apr 21, 2015 at 03:58:48PM +0200, Michal Marek wrote:
> (added Max to Cc)
>
> On 2015-03-16 09:20, Andrey Skvortsov wrote:
> > If CONFIG_MODULE_SIG_ALL is set, then user expects that all modules are
> > automatically signed in the result package, as it's for rpm-pkg, binrpm-pkg,
> > tar, tar-*. For deb-pkg this is correct only if CONFIG_DEBUG_INFO
> > is NOT set. In that case deb-package contains signed modules.
> >
> > But if CONFIG_DEBUG_INFO is set, builddeb creates separate package with
> > debug information. To do that, debug information from all modules
> > is copied into separate files by objcopy. And loadable kernel modules are
> > stripped afterwards. Stripping removes previously (during modules_install)
> > added signatures from loadable kernel modules. Therefore final deb-package
> > contains unsigned modules despite of set option CONFIG_MODULE_SIG_ALL.
> >
> > This patch resigns all stripped modules if CONFIG_MODULE_SIG_ALL is set
> > to solve this problem.
> >
> > Signed-off-by: Andrey Skvortsov <[email protected]>
>
> Max, Ben, are you fine with this patch? It looks OK to me, the
> modules_sign target has been added for this very purpose.
>
Ben seems busy with the release, so jumping in. The patch looks
perfect to me.
Acked-by: maximilian attems <[email protected]>
On 22 Apr, maximilian attems wrote:
> On Tue, Apr 21, 2015 at 03:58:48PM +0200, Michal Marek wrote:
> > (added Max to Cc)
> >
> > On 2015-03-16 09:20, Andrey Skvortsov wrote:
> > > If CONFIG_MODULE_SIG_ALL is set, then user expects that all modules are
> > > automatically signed in the result package, as it's for rpm-pkg, binrpm-pkg,
> > > tar, tar-*. For deb-pkg this is correct only if CONFIG_DEBUG_INFO
> > > is NOT set. In that case deb-package contains signed modules.
> > >
> > > But if CONFIG_DEBUG_INFO is set, builddeb creates separate package with
> > > debug information. To do that, debug information from all modules
> > > is copied into separate files by objcopy. And loadable kernel modules are
> > > stripped afterwards. Stripping removes previously (during modules_install)
> > > added signatures from loadable kernel modules. Therefore final deb-package
> > > contains unsigned modules despite of set option CONFIG_MODULE_SIG_ALL.
> > >
> > > This patch resigns all stripped modules if CONFIG_MODULE_SIG_ALL is set
> > > to solve this problem.
> > >
> > > Signed-off-by: Andrey Skvortsov <[email protected]>
> >
> > Max, Ben, are you fine with this patch? It looks OK to me, the
> > modules_sign target has been added for this very purpose.
> >
>
> Ben seems busy with the release, so jumping in. The patch looks
> perfect to me.
>
> Acked-by: maximilian attems <[email protected]>
>
Maximilian, thanks for the review.
Michal, are we waiting for Ben's acknowledge too?
--
Best regards,
Andrey Skvortsov
Secure e-mail with gnupg: See http://www.gnupg.org/
PGP Key ID: 0x57A3AEAD
On Mon, 2015-05-04 at 18:37 +0300, Andrey Skvortsov wrote:
> On 22 Apr, maximilian attems wrote:
> > On Tue, Apr 21, 2015 at 03:58:48PM +0200, Michal Marek wrote:
> > > (added Max to Cc)
> > >
> > > On 2015-03-16 09:20, Andrey Skvortsov wrote:
> > > > If CONFIG_MODULE_SIG_ALL is set, then user expects that all modules are
> > > > automatically signed in the result package, as it's for rpm-pkg, binrpm-pkg,
> > > > tar, tar-*. For deb-pkg this is correct only if CONFIG_DEBUG_INFO
> > > > is NOT set. In that case deb-package contains signed modules.
> > > >
> > > > But if CONFIG_DEBUG_INFO is set, builddeb creates separate package with
> > > > debug information. To do that, debug information from all modules
> > > > is copied into separate files by objcopy. And loadable kernel modules are
> > > > stripped afterwards. Stripping removes previously (during modules_install)
> > > > added signatures from loadable kernel modules. Therefore final deb-package
> > > > contains unsigned modules despite of set option CONFIG_MODULE_SIG_ALL.
> > > >
> > > > This patch resigns all stripped modules if CONFIG_MODULE_SIG_ALL is set
> > > > to solve this problem.
> > > >
> > > > Signed-off-by: Andrey Skvortsov <[email protected]>
> > >
> > > Max, Ben, are you fine with this patch? It looks OK to me, the
> > > modules_sign target has been added for this very purpose.
> > >
> >
> > Ben seems busy with the release, so jumping in. The patch looks
> > perfect to me.
> >
> > Acked-by: maximilian attems <[email protected]>
> >
> Maximilian, thanks for the review.
>
> Michal, are we waiting for Ben's acknowledge too?
Don't wait for me.
Ben.
--
Ben Hutchings
If you seem to know what you are doing, you'll be given more to do.
On 2015-05-04 17:37, Andrey Skvortsov wrote:
> On 22 Apr, maximilian attems wrote:
>> On Tue, Apr 21, 2015 at 03:58:48PM +0200, Michal Marek wrote:
>>> (added Max to Cc)
>>>
>>> On 2015-03-16 09:20, Andrey Skvortsov wrote:
>>>> If CONFIG_MODULE_SIG_ALL is set, then user expects that all modules are
>>>> automatically signed in the result package, as it's for rpm-pkg, binrpm-pkg,
>>>> tar, tar-*. For deb-pkg this is correct only if CONFIG_DEBUG_INFO
>>>> is NOT set. In that case deb-package contains signed modules.
>>>>
>>>> But if CONFIG_DEBUG_INFO is set, builddeb creates separate package with
>>>> debug information. To do that, debug information from all modules
>>>> is copied into separate files by objcopy. And loadable kernel modules are
>>>> stripped afterwards. Stripping removes previously (during modules_install)
>>>> added signatures from loadable kernel modules. Therefore final deb-package
>>>> contains unsigned modules despite of set option CONFIG_MODULE_SIG_ALL.
>>>>
>>>> This patch resigns all stripped modules if CONFIG_MODULE_SIG_ALL is set
>>>> to solve this problem.
>>>>
>>>> Signed-off-by: Andrey Skvortsov <[email protected]>
>>>
>>> Max, Ben, are you fine with this patch? It looks OK to me, the
>>> modules_sign target has been added for this very purpose.
>>>
>>
>> Ben seems busy with the release, so jumping in. The patch looks
>> perfect to me.
>>
>> Acked-by: maximilian attems <[email protected]>
>>
> Maximilian, thanks for the review.
>
> Michal, are we waiting for Ben's acknowledge too?
I applied the patch to kbuild.git#misc now, after fixing the whitespace.
Andrey, please use tabs for indentation, especially when the surrounding
code is already using this style.
Michal
On 06 May, Michal Marek wrote:
> On 2015-05-04 17:37, Andrey Skvortsov wrote:
> > On 22 Apr, maximilian attems wrote:
> >> On Tue, Apr 21, 2015 at 03:58:48PM +0200, Michal Marek wrote:
> >>> (added Max to Cc)
> >>>
> >>> On 2015-03-16 09:20, Andrey Skvortsov wrote:
> >>>> If CONFIG_MODULE_SIG_ALL is set, then user expects that all modules are
> >>>> automatically signed in the result package, as it's for rpm-pkg, binrpm-pkg,
> >>>> tar, tar-*. For deb-pkg this is correct only if CONFIG_DEBUG_INFO
> >>>> is NOT set. In that case deb-package contains signed modules.
> >>>>
> >>>> But if CONFIG_DEBUG_INFO is set, builddeb creates separate package with
> >>>> debug information. To do that, debug information from all modules
> >>>> is copied into separate files by objcopy. And loadable kernel modules are
> >>>> stripped afterwards. Stripping removes previously (during modules_install)
> >>>> added signatures from loadable kernel modules. Therefore final deb-package
> >>>> contains unsigned modules despite of set option CONFIG_MODULE_SIG_ALL.
> >>>>
> >>>> This patch resigns all stripped modules if CONFIG_MODULE_SIG_ALL is set
> >>>> to solve this problem.
> >>>>
> >>>> Signed-off-by: Andrey Skvortsov <[email protected]>
> >>>
> >>> Max, Ben, are you fine with this patch? It looks OK to me, the
> >>> modules_sign target has been added for this very purpose.
> >>>
> >>
> >> Ben seems busy with the release, so jumping in. The patch looks
> >> perfect to me.
> >>
> >> Acked-by: maximilian attems <[email protected]>
> >>
> > Maximilian, thanks for the review.
> >
> > Michal, are we waiting for Ben's acknowledge too?
>
> I applied the patch to kbuild.git#misc now, after fixing the whitespace.
> Andrey, please use tabs for indentation, especially when the surrounding
> code is already using this style.
Thanks, Michal.
Sorry about whitespaces. I checked the patch with
checkpatch.pl before posting and it did not complain. I'll pay more
attention to patches for non-[ch] files.
--
Best regards,
Andrey Skvortsov
Secure eMail with gnupg: See http://www.gnupg.org/
PGP Key ID: 0x57A3AEAD
Hello Michal,
On Wed, May 06, 2015 at 03:30:28PM +0200, Michal Marek wrote:
>
> I applied the patch to kbuild.git#misc now, after fixing the whitespace.
> Andrey, please use tabs for indentation, especially when the surrounding
> code is already using this style.
please apply this arm thingy too:
- [PATCHv4 1/1] deb-pkg: Add device tree blobs to the package
reviewed by ben and acked by me.
[email protected]
thanks,
--
maks