* [RFC] [PATCH] Disable INSTALL_MOD_STRIP when CONFIG_MODULE_SIG set
@ 2013-01-14 20:36 Chris Samuel
2013-01-15 23:27 ` Chris Samuel
0 siblings, 1 reply; 2+ messages in thread
From: Chris Samuel @ 2013-01-14 20:36 UTC (permalink / raw)
To: linux-kernel; +Cc: Rusty Russell, dhowells, Michal Marek
/* Please CC as I am not on LKML */
Allowing the build system to strip modules when CONFIG_MODULE_SIG is
set makes no sense as the modules will fail signature checks and at
best taint the kernel (and appear as if force loaded), and at worst
cause a kernel panic if fips_enabled is set.
So we set mod_strip_cmd to be true to prevent it stripping kernel
modules, just as happens if INSTALL_MOD_STRIP is not passed.
---
Documentation/kbuild/kbuild.txt | 3 +++
Documentation/kbuild/makefiles.txt | 5 +++++
Makefile | 3 +++
init/Kconfig | 2 ++
4 files changed, 13 insertions(+)
diff --git a/Documentation/kbuild/kbuild.txt
b/Documentation/kbuild/kbuild.txt
index 6466704..8f2fa5c 100644
--- a/Documentation/kbuild/kbuild.txt
+++ b/Documentation/kbuild/kbuild.txt
@@ -152,6 +152,9 @@ stripped after they are installed. If
INSTALL_MOD_STRIP is '1', then
the default option --strip-debug will be used. Otherwise,
INSTALL_MOD_STRIP value will be used as the options to the strip command.
+A kernel configured with cryptographically signed modules
(CONFIG_MODULE_SIG)
+will disable this to try and prevent the loss of the appended signatures.
+
INSTALL_FW_PATH
--------------------------------------------------
INSTALL_FW_PATH specifies where to install the firmware blobs.
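Review bot: The added paragraph says CONFIG_MODULE_SIG "will disable this to try and prevent" signature loss, which does not tell the reader whether INSTALL_MOD_STRIP is ignored outright or only sometimes honoured. State the behaviour exactly (for example, that the INSTALL_MOD_STRIP value is ignored when CONFIG_MODULE_SIG is set) and say whether the build reports anything when a user passes it anyway.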
diff --git a/Documentation/kbuild/makefiles.txt
b/Documentation/kbuild/makefiles.txt
index 14c3f4f..5b6dad8 100644
--- a/Documentation/kbuild/makefiles.txt
+++ b/Documentation/kbuild/makefiles.txt
@@ -1396,6 +1396,11 @@ The top Makefile exports the following variables:
INSTALL_MOD_STRIP value will be used as the option(s) to the strip
command.
+ A kernel configured with cryptographically signed modules
+ (CONFIG_MODULE_SIG) will disable this to try and prevent the loss
+ of the appended signatures.
+
+
=== 9 Makefile language
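Review bot: The addition ends with two consecutive blank "+" lines ahead of "=== 9 Makefile language"; one is enough to separate the paragraph from the next section heading. The paragraph also repeats the "try and prevent" wording from the kbuild.txt change, so it needs the same tightening: say plainly that INSTALL_MOD_STRIP is ignored when CONFIG_MODULE_SIG is set.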
diff --git a/Makefile b/Makefile
index a1667c4..b59a39e 100644
--- a/Makefile
+++ b/Makefile
@@ -724,6 +724,9 @@ MODSECKEY = ./signing_key.priv
MODPUBKEY = ./signing_key.x509
export MODPUBKEY
mod_sign_cmd = perl $(srctree)/scripts/sign-file $(MODSECKEY) $(MODPUBKEY)
+# Don't strip modules as it removes the signatures we will add.
+mod_strip_cmd = true
+export mod_strip_cmd
else
mod_sign_cmd = true
endif
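Review bot: The new comment says strip "removes the signatures we will add", which implies signing happens after this point, and a strip that runs before signing cannot remove a signature that is not there yet; the order of the strip and sign steps in the install path needs to be confirmed before overriding anything. Separately, "mod_strip_cmd = true" silently discards a user-supplied INSTALL_MOD_STRIP, and nothing in these lines shows whether another assignment of mod_strip_cmd elsewhere in the Makefile would take precedence over this one. If the override is kept, emit a warning when both are set instead of a silent no-op.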
diff --git a/init/Kconfig b/init/Kconfig
index 7d30240..1048f93 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1658,6 +1658,8 @@ config MODULE_SIG
debuginfo strip done by some packagers (such as rpmbuild) and
inclusion into an initramfs that wants the module size reduced.
+ This option disables the INSTALL_MOD_STRIP option for make.
+
config MODULE_SIG_FORCE
bool "Require modules to be validly signed"
depends on MODULE_SIG
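Review bot: The added sentence sits directly after help text about strips done by packagers (such as rpmbuild) and by initramfs tooling, neither of which this option controls, so as placed it can be read as covering them. Reword it to say that only make's INSTALL_MOD_STRIP is disabled and that strip steps run outside the kernel build will still drop the signature.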
--
1.7.10.4
* Re: [RFC] [PATCH] Disable INSTALL_MOD_STRIP when CONFIG_MODULE_SIG set
2013-01-14 20:36 [RFC] [PATCH] Disable INSTALL_MOD_STRIP when CONFIG_MODULE_SIG set Chris Samuel
@ 2013-01-15 23:27 ` Chris Samuel
0 siblings, 0 replies; 2+ messages in thread
From: Chris Samuel @ 2013-01-15 23:27 UTC (permalink / raw)
To: linux-kernel; +Cc: Rusty Russell, dhowells, Michal Marek
/* Please CC, not on LKML */
On 15/01/13 07:36, Chris Samuel wrote:
> So we set mod_strip_cmd to be true to prevent it stripping kernel
> modules, just as happens if INSTALL_MOD_STRIP is not passed.
Ignore this patch, sorry for the noise.
I'd tested by comparing the modules produced by the build system in this
patch with the ones produced by make-kpkg and missed the fact that
*after* doing the module install make-kpkg then runs objcopy on the
modules to copy out the debug sections for a debug package and then uses
objcopy to remove the same debug sections (along with the signature)
from the ones in the main package. :-(
I'd also misread the order that the strip and signing happens, so that
the kernel signs after stripping, so there is nothing to fix.
Interestingly stripping them only saves 1MB out of 120MB for me, so it
hardly seems worth doing.
--
Chris Samuel : http://www.csamuel.org/ : Melbourne, VIC
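
A post-packaging check for the situation described in this reply, as an added example (not part of the thread or the kernel tree): it reports module files that no longer end with the appended-signature trailer. It checks only that the trailer is present and self-consistent, not that the signature verifies; the helper names and all sample bytes are constructed for illustration.

```python
import struct
import sys

# Trailer magic and the 12-byte struct module_signature that precedes it
# (algo, hash, id_type, signer_len, key_id_len, 3 pad bytes, big-endian sig_len).
MAGIC = b"~Module signature appended~\n"
INFO = struct.Struct(">5B3xI")

def signature_info(blob):
    """Return trailer details if blob ends in an appended signature, else None."""
    if not blob.endswith(MAGIC):
        return None
    body = blob[:-len(MAGIC)]
    if len(body) < INFO.size:
        return None
    algo, hash_id, id_type, signer_len, key_id_len, sig_len = INFO.unpack(body[-INFO.size:])
    trailer = signer_len + key_id_len + sig_len
    if trailer > len(body) - INFO.size:
        return None  # length fields claim more bytes than the file holds
    return {"sig_len": sig_len, "signer_len": signer_len, "key_id_len": key_id_len,
            "module_len": len(body) - INFO.size - trailer}

def build_signed(module, signer, key_id, sig):
    """Constructed sample: module || signer || key id || signature || info || magic."""
    info = INFO.pack(0, 0, 0, len(signer), len(key_id), len(sig))
    return module + signer + key_id + sig + info + MAGIC

# Constructed inputs: a stand-in "module" and dummy signature bytes (not a real .ko).
SAMPLE_MODULE = b"\x7fELF" + b"\x00" * 60
SIGNED = build_signed(SAMPLE_MODULE, b"Constructed signer", b"\xaa" * 20, b"\x55" * 256)
# A post-install strip/objcopy pass rewrites the ELF and drops the trailing bytes;
# modelled here by keeping only the module portion.
STRIPPED = SIGNED[:len(SAMPLE_MODULE)]

def audit(paths):
    """Return the paths whose files carry no appended signature trailer."""
    missing = []
    for path in paths:
        with open(path, "rb") as fh:
            if signature_info(fh.read()) is None:
                missing.append(path)
    return missing

if __name__ == "__main__":
    for path in audit(sys.argv[1:]):
        print("unsigned or stripped:", path)
```

Run it over the module files in the final package or initramfs, since that is where a later objcopy or strip pass would show up.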