From mboxrd@z Thu Jan 1 00:00:00 1970 X-GM-THRID: 6821118203682357248 Date: Wed, 29 Apr 2020 14:04:38 -0700 (PDT) From: =?UTF-8?Q?Mustafa_Y=C3=BCcel?= To: isar-users Message-Id: In-Reply-To: <20200429221517.2187f4da@md1za8fc.ad001.siemens.net> References: <9a590808-34da-493f-9ea2-219d17cd87c9@googlegroups.com> <9d4818d5-e884-a600-0504-996042f31e3b@siemens.com> <3a5d776b-3cce-ba0f-cf37-f4e2a0afc65a@gmail.com> <20200429221517.2187f4da@md1za8fc.ad001.siemens.net> Subject: Re: signing support for (in-tree and external) kernel modules MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_Part_26_1471926212.1588194278364" X-Google-Token: EObXp_UFx1HVH9sQjW40 X-Google-IP: 185.96.76.65 X-TUID: xfjwGl6O7BnL ------=_Part_26_1471926212.1588194278364 Content-Type: multipart/alternative; boundary="----=_Part_27_1827978294.1588194278365" ------=_Part_27_1827978294.1588194278365 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit > > > >> from where you got CONFIG_MODULE_SIG_FORMAT? CONFIG_MODULE_SIG is > > >> the trigger to create this binary: > > >> > > >> scripts/Makefile:hostprogs-$(CONFIG_MODULE_SIG)+= sign-file > > >> > > > > > > I was looking at kernel 5.6. > > > > > > Then we likely need multiple condition when to run sign-file while > > > building an external module. > > > > > > And we also need some idea how to deploy the shared keys to all > > > recipes. If we only talk about two or three, the kernel recipe > > > could carry the keys as artifacts, and other recipes would simply > > > link them. But that is not really nice to maintain. We could, of > > > course, package the keys into linux-headers. Downside: Someone may > > > then accidentally ship them on a device. > > > > maybe we can use a separate package? e.g. kernel-module-signkeys? > > > > normally this package will be only used for building, we can output > > an error during isar build when someone installs this package to the > > image (prevents "accidentally ship them on a device") > > > > next point: can we avoid somehow with isar that this package is > > showing up in some apt repo (outside isar build system)? > > All packages isar builds for an image show up in a repo called > "isar-apt" that is strictly internal. > > If you choose to make use of the rebuild cache that will be another > repo - "base-apt". "base-apt" can be published and used for consecutive > (re-)builds. > > Isar does not publish anything on its own, nothing to be afraid of. > ok my misunderstanding, because "isar-apt" resides in the deploy subdirectory, I was assuming it may get published at some point (openembedded/poky had also an ipk subdirectory in deploy which could serve as an external ipk repo). means this "base-apt" gets only generated when I was using "-c cache_base_repo"? about this directory I am not afraid, it contains no self-built packages. kernel-headers-cip resides in "isar-apt", so I was more worried about this apt repo. ------=_Part_27_1827978294.1588194278365 Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: quoted-printable
> >> from where you g= ot CONFIG_MODULE_SIG_FORMAT? CONFIG_MODULE_SIG is
> >> the trigger to create this binary:
> >>
> >> scripts/Makefile:hostprogs-$(CONFIG_MODULE_SIG)+=3D = sign-file
> >> =C2=A0
> >
> > I was looking at kernel 5.6.
> >
> > Then we likely need multiple condition when to run sign-file = while=20
> > building an external module.
> >
> > And we also need some idea how to deploy the shared keys to a= ll=20
> > recipes. If we only talk about two or three, the kernel recip= e
> > could carry the keys as artifacts, and other recipes would si= mply
> > link them. But that is not really nice to maintain. We could,= of
> > course, package the keys into linux-headers. Downside: Someon= e may
> > then accidentally ship them on a device. =C2=A0
>=20
> maybe we can use a separate package? e.g. kernel-module-signkeys?
>=20
> normally this package will be only used for building, we can outpu= t
> an error during isar build when someone installs this package to t= he
> image (prevents "accidentally ship them on a device")
>=20
> next point: can we avoid somehow with isar that this package is
> showing up in some apt repo (outside isar build system)?

All packages isar builds for an image show up in a repo called
"isar-apt" that is strictly internal.

If you choose to make use of the rebuild cache that will be another
repo - "base-apt". "base-apt" can be published and = used for consecutive
(re-)builds.

Isar does not publish anything on its own, nothing to be afraid of.

ok my misunderstanding, because "= isar-apt" resides in the deploy subdirectory, I was assuming it may ge= t published at some point (openembedded/poky had also an ipk subdirectory i= n deploy which could serve as an external ipk repo).

means this "base-apt" gets only generated when I was using &qu= ot;-c cache_base_repo"? about this directory I am not afraid, it conta= ins no self-built packages.

kernel-headers-cip res= ides in "isar-apt", so I was more worried about this apt repo.

------=_Part_27_1827978294.1588194278365-- ------=_Part_26_1471926212.1588194278364--