Date: Sat, 26 Nov 2022 12:45:26 +0200
From: Mikko Rapeli
To: Jack Mitchell
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [PATCH] linux-yocto: enable strict kernel module signing by default
References: <20221125155412.1119701-1-mikko.rapeli@linaro.org>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/173791

Hi,

On Fri, Nov 25, 2022 at 04:11:40PM +0000, Jack Mitchell wrote:
> On 25/11/2022 15:54, Mikko Rapeli wrote:
> > It's a good default and used in many Linux distributions.
> > Did not test out of tree modules if they do correct things but
> > any such failures should be fixed.
> >
> > One way to verify that kernel module signing also works:
> >
> > root@qemux86-64:~# dmesg|grep X.509
> > [    1.298936] Loading compiled-in X.509 certificates
> > [    1.328280] Loaded X.509 cert 'Build time autogenerated kernel key: ee1bed6d845358744c764683bf73b4404cc79287'
> >
> > These logs in dmesg show that signing in kernel is enabled and
> > key is found. Then if any kernel modules load, they were
> > signed correctly. Additionally modinfo tool from kmod shows kernel module
> > signing details:
>
> Hi Mikko,
>
> Do the kernel modules get properly stripped? Last time I was looking at
> this, it was skipped when signed and as such root filesystem sizes
> ballooned with signed modules.

Yes, possibly. Linux kernel build scripts can also do this stripping
though, and they do it correctly for kernel modules while keeping signing
and other data intact. We could provide EXTRA_OEMAKE += "INSTALL_MOD_STRIP=1"
for kernel and module builds to strip debug info.

$ cat linux/scripts/Makefile.modinst
...
# Strip
#
# INSTALL_MOD_STRIP, if defined, will cause modules to be stripped after they
# are installed. If INSTALL_MOD_STRIP is '1', then the default option
# --strip-debug will be used. Otherwise, INSTALL_MOD_STRIP value will be
# used as the options to the strip command.
ifdef INSTALL_MOD_STRIP
ifeq ($(INSTALL_MOD_STRIP),1)
strip-option := --strip-debug
else
strip-option := $(INSTALL_MOD_STRIP)
endif
...

Cheers,

-Mikko
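The question in this exchange is whether stripping debug info from signed modules leaves the signature in place. The kernel's own install step orders the two operations (strip, then sign), but a build pipeline still wants a cheap check that the installed .ko files actually carry the appended signature. The script below is an added example; it is not Mikko's or Jack's code, not a file from the kernel tree or oe-core. It assumes the trailer string that the kernel's sign-file appends after the PKCS#7 blob (from the kernel's module_signature.h) and a POSIX shell with find, tail and mktemp; the sample module tree it builds is constructed stand-in data, not real ELF modules.

```shell
#!/bin/sh
# Added example: report .ko files under a module directory that do not end
# with the kernel's module-signature trailer. Not code from the thread, the
# kernel tree or oe-core; the trailer string is the kernel's documented one,
# everything else here is an assumption for illustration.

# sign-file appends the PKCS#7 signature, a small module_signature header,
# and then this fixed trailer ("~Module signature appended~" plus newline,
# 28 bytes). The in-kernel loader looks for exactly these last 28 bytes.
SIG_MARKER='~Module signature appended~'

# has_module_signature FILE: succeed when FILE ends with the trailer.
has_module_signature() {
    # $(...) drops the trailing newline, so compare with the bare marker.
    [ "$(tail -c 28 "$1")" = "$SIG_MARKER" ]
}

# list_unsigned_modules DIR: print each .ko under DIR that lacks the trailer.
list_unsigned_modules() {
    find "$1" -type f -name '*.ko' | sort | while IFS= read -r ko; do
        has_module_signature "$ko" || printf '%s\n' "$ko"
    done
}

# count_unsigned_modules DIR: number of .ko files under DIR without a trailer.
count_unsigned_modules() {
    list_unsigned_modules "$1" | wc -l | tr -d ' '
}

# check_modules_signed DIR: succeed only when no module under DIR is unsigned.
check_modules_signed() {
    [ "$(count_unsigned_modules "$1")" -eq 0 ]
}

# make_sample_tree: constructed stand-in for a module install tree (the files
# are not real ELF modules): one carries the trailer, one does not.
# Prints the directory path.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/kernel/drivers"
    printf 'stand-in ELF bytes\nstand-in PKCS7 blob\n%s\n' "$SIG_MARKER" \
        > "$dir/kernel/drivers/signed.ko"
    printf 'stand-in ELF bytes, never signed\n' \
        > "$dir/kernel/drivers/unsigned.ko"
    printf '%s\n' "$dir"
}

# Stand-alone use:
#   sh check_module_sigs.sh --demo                   # run on the constructed tree
#   sh check_module_sigs.sh /lib/modules/$(uname -r) # check an installed tree
case "${1:-}" in
    --demo)
        tree=$(make_sample_tree)
        echo "unsigned modules under $tree:"
        list_unsigned_modules "$tree"
        rm -rf "$tree"
        ;;
    ?*)
        if check_modules_signed "$1"; then
            echo "all modules under $1 carry a signature trailer"
        else
            echo "modules without a signature trailer:"
            list_unsigned_modules "$1"
            exit 1
        fi
        ;;
esac
```

The trailer check only proves that a signature block is present, not that it verifies; the cryptographic check stays with the kernel at load time, which is what the dmesg output quoted above shows. A module that was stripped after signing would fail this check because strip rewrites the ELF file and discards the appended bytes, which is why the kernel's Makefile.modinst strips before it signs. modinfo from kmod can then be run on any file the script lists to see which signature fields (if any) it carries.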