public inbox for isar-users@googlegroups.com
From: Henning Schild <henning.schild@siemens.com>
To: "Mustafa Yücel" <yuecelm@gmail.com>
Cc: isar-users <isar-users@googlegroups.com>
Subject: Re: signing support for (in-tree and external) kernel modules
Date: Thu, 30 Apr 2020 12:42:37 +0200
Message-ID: <20200430124237.292556c8@md1za8fc.ad001.siemens.net>
In-Reply-To: <ad612f70-ef5a-44fd-832c-8bb5405423de@googlegroups.com>

On Wed, 29 Apr 2020 14:04:38 -0700 (PDT),
Mustafa Yücel <yuecelm@gmail.com> wrote:

> >  
> > > >> from where you got CONFIG_MODULE_SIG_FORMAT? CONFIG_MODULE_SIG
> > > >> is the trigger to create this binary: 
> > > >> 
> > > >> scripts/Makefile:hostprogs-$(CONFIG_MODULE_SIG)+= sign-file 
> > > >>     
> > > > 
> > > > I was looking at kernel 5.6. 
> > > > 
> > > > > Then we likely need multiple conditions when to run sign-file
> > > > while building an external module. 
> > > > 
> > > > And we also need some idea how to deploy the shared keys to all 
> > > > recipes. If we only talk about two or three, the kernel recipe 
> > > > could carry the keys as artifacts, and other recipes would
> > > > simply link them. But that is not really nice to maintain. We
> > > > could, of course, package the keys into linux-headers.
> > > > Downside: Someone may then accidentally ship them on a device.
> > > >    
> > > 
> > > maybe we can use a separate package? e.g. kernel-module-signkeys? 
> > > 
> > > normally this package will be only used for building, we can
> > > output an error during isar build when someone installs this
> > > package to the image (prevents "accidentally ship them on a
> > > device") 
> > > 
> > > next point: can we avoid somehow with isar that this package is 
> > > showing up in some apt repo (outside isar build system)?   
> >
> > All packages isar builds for an image show up in a repo called 
> > "isar-apt" that is strictly internal. 
> >
> > If you choose to make use of the rebuild cache that will be another 
> > repo - "base-apt". "base-apt" can be published and used for
> > consecutive (re-)builds. 
> >
> > Isar does not publish anything on its own, nothing to be afraid of. 
> >  
> 
> ok my misunderstanding, because "isar-apt" resides in the deploy 
> subdirectory, I was assuming it may get published at some point 
> (openembedded/poky had also an ipk subdirectory in deploy which could
> serve as an external ipk repo).

Well, you can still publish it and "bootstrap" a Debian out of it,
together with base-apt. Let us just say nothing is ever published
without you knowing it.

Some people abuse Isar as a build system for Debian packages only, they
never even generate an image and they might copy "isar-apt" around and
expect it to be in deploy.
I think that is not "abuse" but in fact a really cool feature that
still needs more users and documentation ;).

> means this "base-apt" gets only generated when I was using "-c 
> cache_base_repo"? about this directory I am not afraid, it contains
> no self-built packages.

That changed between master and next. It used to be an explicit step.
Now this happens alongside and serves as a download cache for
everything Debian fetches.
 
> kernel-headers-cip resides in "isar-apt", so I was more worried about
> this apt repo.

This contains every Debian package we build in Isar. The other one is a
partial mirror of upstream.

Henning 
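
The guard proposed in the quoted discussion (fail the build when the key package ends up in an image), sketched as an added example that is not part of the original message and not Isar code. It assumes the hypothetical package name `kernel-module-signkeys` from the thread and a rootfs directory with a standard dpkg status file; the sample rootfs is constructed.

```shell
#!/bin/sh
# Added example (not Isar code): refuse a rootfs that carries module-signing keys.
# The package name is the one floated in the thread; it is hypothetical.
FORBIDDEN_PKG="${FORBIDDEN_PKG:-kernel-module-signkeys}"

# Returns 0 if package $2 is recorded as installed in rootfs $1's dpkg database.
pkg_installed() {
    status="$1/var/lib/dpkg/status"
    [ -f "$status" ] || return 1
    awk -v pkg="$2" '
        /^Package: / { cur = $2 }
        /^Status: /  { if (cur == pkg && $0 ~ / installed$/) found = 1 }
        END          { exit !found }
    ' "$status"
}

# Prints rootfs-relative paths of files that contain a PEM private-key header.
find_private_keys() {
    ( cd "$1" && grep -rlE -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' . ) 2>/dev/null | sort
}

# Returns non-zero (build should fail) if the package or any private key is present.
check_rootfs() {
    rc=0
    if pkg_installed "$1" "$FORBIDDEN_PKG"; then
        echo "ERROR: $FORBIDDEN_PKG is installed in $1" >&2
        rc=1
    fi
    keys=$(find_private_keys "$1")
    if [ -n "$keys" ]; then
        echo "ERROR: private key material found in $1:" >&2
        echo "$keys" >&2
        rc=1
    fi
    return "$rc"
}

# Builds a constructed sample rootfs (fake dpkg status, dummy key) and prints its path.
make_sample_rootfs() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/var/lib/dpkg" "$d/usr/src/keys"
    printf 'Package: %s\nStatus: install ok installed\n\n' \
        busybox "$FORBIDDEN_PKG" > "$d/var/lib/dpkg/status"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED' \
        '-----END PRIVATE KEY-----' > "$d/usr/src/keys/signing_key.pem"
    echo "$d"
}

# Demo on the constructed sample: both findings are reported on stderr.
demo=$(make_sample_rootfs) && { check_rootfs "$demo" || echo "build would fail"; }
rm -rf "$demo"
```

The content scan also catches keys that arrive through another package, such as the linux-headers packaging idea whose downside is noted in the thread.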
