From: "Mustafa Yücel" <yuecelm@gmail.com>
To: isar-users <isar-users@googlegroups.com>
Subject: Re: signing support for (in-tree and external) kernel modules
Date: Wed, 29 Apr 2020 14:04:38 -0700 (PDT)
Message-ID: <ad612f70-ef5a-44fd-832c-8bb5405423de@googlegroups.com>
In-Reply-To: <20200429221517.2187f4da@md1za8fc.ad001.siemens.net>
>
> > >> from where you got CONFIG_MODULE_SIG_FORMAT? CONFIG_MODULE_SIG is
> > >> the trigger to create this binary:
> > >>
> > >> scripts/Makefile:hostprogs-$(CONFIG_MODULE_SIG)+= sign-file
> > >>
> > >
> > > I was looking at kernel 5.6.
> > >
> > > Then we likely need multiple conditions when to run sign-file while
> > > building an external module.
> > >
> > > And we also need some idea how to deploy the shared keys to all
> > > recipes. If we only talk about two or three, the kernel recipe
> > > could carry the keys as artifacts, and other recipes would simply
> > > link them. But that is not really nice to maintain. We could, of
> > > course, package the keys into linux-headers. Downside: Someone may
> > > then accidentally ship them on a device.
> >
> > maybe we can use a separate package? e.g. kernel-module-signkeys?
> >
> > normally this package will be only used for building, we can output
> > an error during isar build when someone installs this package to the
> > image (prevents "accidentally ship them on a device")
> >
> > next point: can we avoid somehow with isar that this package is
> > showing up in some apt repo (outside isar build system)?
>
> All packages isar builds for an image show up in a repo called
> "isar-apt" that is strictly internal.
>
> If you choose to make use of the rebuild cache that will be another
> repo - "base-apt". "base-apt" can be published and used for consecutive
> (re-)builds.
>
> Isar does not publish anything on its own, nothing to be afraid of.
>
ok my misunderstanding, because "isar-apt" resides in the deploy
subdirectory, I was assuming it may get published at some point
(openembedded/poky also had an ipk subdirectory in deploy which could serve
as an external ipk repo).

does this mean "base-apt" only gets generated when I am using "-c
cache_base_repo"? about this directory I am not afraid, it contains no
self-built packages.

kernel-headers-cip resides in "isar-apt", so I was more worried about this
apt repo.
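
Added example, not part of the original message and not Isar code: one way to implement the build-time error proposed in the quoted text, by checking an image root filesystem for the key package and for stray PEM private keys. The package name is the one suggested in the thread; the function names, the scanned paths (`usr/src`, `lib/modules`) and the sample rootfs are assumptions.

```shell
#!/bin/sh
# Added example: fail an image build if the signing-key package or a PEM
# private key ended up in the root filesystem. The package name is the one
# proposed in the thread; function names and scanned paths are assumptions.
FORBIDDEN_PKG="kernel-module-signkeys"

# Succeed if package $2 has files in rootfs $1 according to the dpkg database.
pkg_present() {
    [ -f "$1/var/lib/dpkg/status" ] || return 1
    awk -v pkg="$2" '
        $1 == "Package:" { cur = $2 }
        $1 == "Status:" && cur == pkg &&
            $4 != "not-installed" && $4 != "config-files" { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1/var/lib/dpkg/status"
}

# List files in the kernel header/module trees that hold a PEM private key.
find_private_keys() {
    for dir in "$1/usr/src" "$1/lib/modules"; do
        [ -d "$dir" ] || continue
        grep -rlE -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$dir" || true
    done
}

# Return non-zero (and explain on stderr) if rootfs $1 violates either rule.
check_rootfs() {
    rc=0
    if pkg_present "$1" "$FORBIDDEN_PKG"; then
        echo "ERROR: $FORBIDDEN_PKG must not be installed in $1" >&2
        rc=1
    fi
    keys=$(find_private_keys "$1")
    if [ -n "$keys" ]; then
        printf 'ERROR: private key found in image:\n%s\n' "$keys" >&2
        rc=1
    fi
    return "$rc"
}

# Constructed sample rootfs: $2 is the dpkg state recorded for the key package.
make_sample_rootfs() {
    mkdir -p "$1/var/lib/dpkg" "$1/usr/src"
    printf 'Package: %s\nStatus: install ok %s\nVersion: 1.0\n\n' \
        "$FORBIDDEN_PKG" "$2" > "$1/var/lib/dpkg/status"
}

# When invoked with a rootfs path, run the check on it.
if [ "$#" -gt 0 ]; then check_rootfs "$1"; fi
```

The private-key scan catches the case where the keys reach the image by another route, for example bundled into a headers package, even though the dedicated key package is absent.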