Re: RFC: sign the modules at install time

From: Josh Boyer
Date: Wed Oct 17 2012 - 20:13:25 EST


On Wed, Oct 17, 2012 at 7:21 PM, Linus Torvalds
<torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
> On Wed, Oct 17, 2012 at 4:07 PM, Linus Torvalds
> <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
>>
>> Hmm. It *should* work for them too, because the debuginfo modules stay
>> around in the object tree, and never get stripped there. None of this
>> is different from what we used to do before: we stripped the modules
>> as we copied them to /lib/modules (where the RPM build obviously would
>> have that $RPM_BUILD_ROOT prefix on the module install path).
>
> Ok, I read your description of the odd way fedora builds debuginfo kernels.
>
> I actually think that works fine too. I do agree with adding a "make
> sign_modules" target, but it would *re-sign* them after "make
> modules_install" has already signed them once.
>
> Why?
>
> What you'd do for your debuginfo requirements is:
>
> - do the normal kernel build, and install modules (with *my* patch,
> which does signing at install time)
>
> This does the normal (conditionally stripped - you just wouldn't
> strip them, but you cannot have done that before either) modules,
> installs them, and signs then.
>
> Ta-daa, you have your debuginfo modules installed, and they are
> signed. Create the debuginfo rpm.
>
> - now, strip the modules. This obviously destroys the signatures

find-debuginfo.sh is what creates the debuginfo RPM. It strips the
module debug symbols (and the signature), so there's no need to further
strip things at this point.

> - do the extra "make sign_modules" that you added, that re-signs the
> already installed modules, and now you can create the non-debuginfo
> rpm.

OK, sounds sane at first glance.

> Voila. "make modules_install" does the right thing for everybody -
> including normal users. And it does so without the incredible baroque
> code. And no normal user is expected to ever use the new "make
> sign_modules", but it allows for the Fedora "we'll want to sign them
> again".
>
> That said, you could even just do "make sign-modules" on your own
> without any makefile targets. After all, it would just be something
> like
>
> find $MODULEDIR --name '*.ko | while read i; do script/sign-file
> keyfile x509file $i; done
>
> so it could even be done in that rpm script directly.

Sure, as long as the script is in the kernel tree (or at least I would
like it to be). When I wrote the patch, _none_ of the modsign stuff was
in-tree at the time so I had to carry and adapt things as the code
changed along the way. In my defense, I did say I have to clean it up
still. :)

josh
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/