* [PATCH] linux-custom: Fix module signing in combination with compression
@ 2025-05-16 11:38 'Florian Bezdeka' via isar-users
2025-06-16 15:49 ` 'Florian Bezdeka' via isar-users
0 siblings, 1 reply; 3+ messages in thread
From: 'Florian Bezdeka' via isar-users @ 2025-05-16 11:38 UTC (permalink / raw)
To: isar-users; +Cc: Florian Bezdeka
The right order for each non-debug module is INSTALL, STRIP, SIGN,
COMPRESS.
As "make modules_sign" is a subset of "make modules_install" the order
was different, basically trying to re-sign after COMPRESS already
happended, which triggered a build failure like
+ kmods_sign
+ '[' -n y ']'
+ /usr/bin/make O=/<<PKGBUILDDIR>>/build-full INSTALL_MOD_PATH=/<<PKGBUILDDIR>>/debian/linux-image-stable-rt modules_sign
make[2]: Entering directory '/<<PKGBUILDDIR>>'
make[3]: Entering directory '/<<PKGBUILDDIR>>/build-full'
SIGN /<<PKGBUILDDIR>>/debian/linux-image-stable-rt/lib/modules/6.14.0/kernel/arch/x86/events/amd/power.ko
At main.c:302:
- SSL error:FFFFFFFF80000002:system library::No such file or directory: ../crypto/bio/bss_file.c:67
- SSL error:10000080:BIO routines::no such file: ../crypto/bio/bss_file.c:75
sign-file: /<<PKGBUILDDIR>>/debian/linux-image-stable-rt/lib/modules/6.14.0/kernel/arch/x86/events/amd/power.ko
Align the installation of the debug version of modules with the build
process of Debian by using modules_install again, with a different
installation directory and signing and compression disabled.
Signed-off-by: Florian Bezdeka <florian.bezdeka@siemens.com>
---
Hi all,
this has been tested with Linux 6.14 and 6.12. Older versions should
work as well, more testing highly recommended.
Best regards,
Florian
.../linux/files/debian/isar/install.tmpl | 28 +++++++------------
1 file changed, 10 insertions(+), 18 deletions(-)
diff --git a/meta/recipes-kernel/linux/files/debian/isar/install.tmpl b/meta/recipes-kernel/linux/files/debian/isar/install.tmpl
index 00011517..818da49c 100644
--- a/meta/recipes-kernel/linux/files/debian/isar/install.tmpl
+++ b/meta/recipes-kernel/linux/files/debian/isar/install.tmpl
@@ -129,34 +129,26 @@ install_dtbs() {
install_kmods() {
[ -n "${CONFIG_MODULES}" ] || return 0
- ${MAKE} O=${O} INSTALL_MOD_PATH=${deb_img_dir} modules_install
+ ${MAKE} O=${O} modules_install \
+ INSTALL_MOD_PATH=${deb_img_dir} \
+ INSTALL_MOD_STRIP=1
touch ${deb_img_dir}/lib/modules/${krel}/.fresh-install
rm -fv ${deb_img_dir}/lib/modules/${krel}/build
rm -fv ${deb_img_dir}/lib/modules/${krel}/source
install_kmods_debug
}
-kmods_sign() {
- [ -n "${CONFIG_MODULE_SIG_ALL}" ] || return 0
- ${MAKE} O=${O} INSTALL_MOD_PATH=${deb_img_dir} modules_sign
-}
-
install_kmods_debug() {
[ -n "${CONFIG_DEBUG_INFO}" ] || return 0
- kmod_inst_dir=${deb_img_dir}/lib/modules
- kmod_debug_dir=${deb_dbg_dir}/usr/lib/debug
-
- # copy kernels modules to usr/lib/debug
- mkdir -p ${kmod_debug_dir}
- tar -C ${kmod_inst_dir}/ -cO --exclude='modules.*' . | tar -C ${kmod_debug_dir}/ -xf -
- # strip everything but debug sections for modules in usr/lib/debug
- find ${kmod_debug_dir} -name *.ko -exec ${CROSS_COMPILE}objcopy --only-keep-debug {} \;
- # and strip debug sections from modules in lib/modules
- find ${kmod_inst_dir} -name *.ko -exec ${CROSS_COMPILE}objcopy --strip-debug {} \;
+ kmod_inst_dir=${deb_dbg_dir}/usr/lib/debug
- # re-sign stripped kernel modules
- kmods_sign
+ # cmd_sign=: Don't sign modules
+ # suffix-y=: Don't compress modules
+ ${MAKE} O=${O} modules_install \
+ INSTALL_MOD_PATH=${kmod_inst_dir} \
+ cmd_sign= \
+ suffix-y=
}
headers_check() {
--
2.39.5
--
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20250516113854.1515596-1-florian.bezdeka%40siemens.com.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] linux-custom: Fix module signing in combination with compression
2025-05-16 11:38 [PATCH] linux-custom: Fix module signing in combination with compression 'Florian Bezdeka' via isar-users
@ 2025-06-16 15:49 ` 'Florian Bezdeka' via isar-users
2025-06-17 16:16 ` Baurzhan Ismagulov
0 siblings, 1 reply; 3+ messages in thread
From: 'Florian Bezdeka' via isar-users @ 2025-06-16 15:49 UTC (permalink / raw)
To: isar-users, Baurzhan Ismagulov
On Fri, 2025-05-16 at 13:38 +0200, Florian Bezdeka wrote:
> The right order for each non-debug module is INSTALL, STRIP, SIGN,
> COMPRESS.
>
> As "make modules_sign" is a subset of "make modules_install" the order
> was different, basically trying to re-sign after COMPRESS already
> happended, which triggered a build failure like
>
> + kmods_sign
> + '[' -n y ']'
> + /usr/bin/make O=/<<PKGBUILDDIR>>/build-full INSTALL_MOD_PATH=/<<PKGBUILDDIR>>/debian/linux-image-stable-rt modules_sign
> make[2]: Entering directory '/<<PKGBUILDDIR>>'
> make[3]: Entering directory '/<<PKGBUILDDIR>>/build-full'
> SIGN /<<PKGBUILDDIR>>/debian/linux-image-stable-rt/lib/modules/6.14.0/kernel/arch/x86/events/amd/power.ko
> At main.c:302:
> - SSL error:FFFFFFFF80000002:system library::No such file or directory: ../crypto/bio/bss_file.c:67
> - SSL error:10000080:BIO routines::no such file: ../crypto/bio/bss_file.c:75
> sign-file: /<<PKGBUILDDIR>>/debian/linux-image-stable-rt/lib/modules/6.14.0/kernel/arch/x86/events/amd/power.ko
>
> Align the installation of the debug version of modules with the build
> process of Debian by using modules_install again, with a different
> installation directory and signing and compression disabled.
>
> Signed-off-by: Florian Bezdeka <florian.bezdeka@siemens.com>
> ---
>
Baurzhan, any reason why this patch has not been merged after a couple
of weeks pending on the list?
Best regards,
Florian
--
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/d891f0737595a8af495b43460c77b67963ead982.camel%40siemens.com.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] linux-custom: Fix module signing in combination with compression
2025-06-16 15:49 ` 'Florian Bezdeka' via isar-users
@ 2025-06-17 16:16 ` Baurzhan Ismagulov
0 siblings, 0 replies; 3+ messages in thread
From: Baurzhan Ismagulov @ 2025-06-17 16:16 UTC (permalink / raw)
To: isar-users; +Cc: Florian Bezdeka
On 2025-06-16 17:49, Florian Bezdeka wrote:
> Baurzhan, any reason why this patch has not been merged after a couple
> of weeks pending on the list?
Thanks Florian for pinging,
the reason is the same as for some other recent patches -- the patch touches a
corner case which is easily broken during trivial actions like kernel upgrade,
so we wanted to check whether it's possible to have a meaningful testcase for
this but haven't really come to it.
I wouldn't like to delay this anymore, so this has now been merged.
Please let me know if you would like to work on a testcase.
With kind regards,
Baurzhan
--
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/aFGU30Ft4XzwCLlS%40abai.de.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2025-06-17 16:16 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-05-16 11:38 [PATCH] linux-custom: Fix module signing in combination with compression 'Florian Bezdeka' via isar-users
2025-06-16 15:49 ` 'Florian Bezdeka' via isar-users
2025-06-17 16:16 ` Baurzhan Ismagulov
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox