27 changes: 14 additions & 13 deletions classes/kernel-module-signing.bbclass
Expand Up @@ -7,19 +7,20 @@ SIGN_FILE = "${B}/scripts/sign-file"
export KERNEL_MODULE_SIG_CERT

do_configure_append() {
if [ -n "${KERNEL_MODULE_SIG_CERT}" ] &&
grep -q '^CONFIG_MODULE_SIG=y' ${B}/.config ; then
sed -i -e '/CONFIG_MODULE_SIG_KEY[ =]/d' ${B}/.config
echo "CONFIG_MODULE_SIG_KEY=\"${KERNEL_MODULE_SIG_CERT}\"" >> \
${B}/.config
sed -i -e '/CONFIG_MODULE_SIG_ALL[ =]/d' ${B}/.config
echo "# CONFIG_MODULE_SIG_ALL is not set" >> \
${B}/.config
if ! grep -q '^CONFIG_MODULE_SIG=y' ${B}/.config ; then
return
fi
if [ -z "${KERNEL_MODULE_SIG_CERT}" ]; then
bbfatal "Kernel module signing should only be used when setting \
Something to note here. The bbfatal message is printed and then bitbake prints the contents of log.do_configure, which is quite long with all the make oldconfig output. All you see at the end of it is:

make[1]: Entering directory '.../build'
  GEN     Makefile
# 
# No change to .config
# 
make[1]: Leaving directory '.../build'
make: Leaving directory '/home/build/openxt/build-201218/tmp-glibc/work-shared/usbvm/kernel-source'
WARNING: .../temp/run.do_configure.7382:1 exit 1 from 'exit 1'

ERROR: Logfile of failure stored in: .../temp/log.do_configure.7382

If you look back far enough you see the message. It's on line 2299 of the 4596 line log.do_configure. Not a blocker, but something I noticed.

We could just bberror and exit 1 I guess.

That didn't change the output :/

KERNEL_MODULE_SIG_CERT in local.conf."
fi
}

def get_signing_key(d):
path = d.getVar("KERNEL_MODULE_SIG_CERT") or os.path.join(d.getVar("STAGING_KERNEL_BUILDDIR"),"certs","signing_key.x509")
return path + ":" + str(os.path.exists(path))
sed -i -e '/CONFIG_MODULE_SIG_KEY[ =]/d' ${B}/.config
echo "CONFIG_MODULE_SIG_KEY=\"${KERNEL_MODULE_SIG_CERT}\"" >> \
${B}/.config
sed -i -e '/CONFIG_MODULE_SIG_ALL[ =]/d' ${B}/.config
echo "# CONFIG_MODULE_SIG_ALL is not set" >> \
${B}/.config
}

do_shared_workdir[file-checksums] = "${@get_signing_key(d)}"
do_configure[file-checksums] += "${@get_signing_cert(d)}"
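Review bot: The new `if [ -z "${KERNEL_MODULE_SIG_CERT}" ]` guard in do_configure_append only checks that the variable is non-empty before its value is written into `.config` as CONFIG_MODULE_SIG_KEY; a mistyped or missing certificate path is then only discovered deep inside the kernel build, where the failure is hard to attribute. Adding `[ -r "${KERNEL_MODULE_SIG_CERT}" ] || bbfatal "KERNEL_MODULE_SIG_CERT '${KERNEL_MODULE_SIG_CERT}' is not a readable file"` directly after the existing check fails at the point where the configuration is made. The `${B}/.config` operands on the sed and echo lines are unquoted, whereas the matching grep in module-signing.bbclass quotes its `.config` path; `"${B}/.config"` would make the two classes consistent. The silent `return` when CONFIG_MODULE_SIG is not enabled could also emit a bbnote, as do_sign_modules does, so that a kernel built without signing support is visible in the task log rather than inferred from its absence.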
38 changes: 31 additions & 7 deletions classes/module-signing.bbclass
Expand Up @@ -10,30 +10,51 @@ INHIBIT_PACKAGE_STRIP = "1"
export HOST_EXTRACFLAGS = "${BUILD_CFLAGS} ${BUILD_LDFLAGS}"

# Set KERNEL_MODULE_SIG_KEY in local.conf to the filepath of a private key
# for signing kernel modules. If unset, signing can be done offline.
# for signing kernel modules. If unset, signing can be done offline.
export KERNEL_MODULE_SIG_KEY
# Set KERNEL_MODULE_SIG_CERT in local.conf to the filepath of the corresponging
# public key to verify the signed modules. If unset, an autogenerated
# build-time keypair will be generated and used for signing and embedding.
# public key to verify the signed modules.
export KERNEL_MODULE_SIG_CERT

def get_signing_cert(d):
path = d.getVar("KERNEL_MODULE_SIG_CERT")
if path:
return path + ":" + str(os.path.exists(path))
return ""

def get_signing_key(d):
path = d.getVar("KERNEL_MODULE_SIG_KEY")
if path:
return path + ":" + str(os.path.exists(path))
return ""

# Kernel builds will override this with ${B}/scripts/sign-file
SIGN_FILE = "${STAGING_KERNEL_BUILDDIR}/scripts/sign-file"

fakeroot do_sign_modules() {
if [ -n "${KERNEL_MODULE_SIG_KEY}" ] &&
grep -q '^CONFIG_MODULE_SIG=y' ${STAGING_KERNEL_BUILDDIR}/.config; then
if ! grep -q '^CONFIG_MODULE_SIG=y' "${STAGING_KERNEL_BUILDDIR}/.config"; then
bbnote "Kernel module signing deactivated in kernel configuration ${STAGING_KERNEL_BUILDDIR}/.config."
return
fi
if [ -z "${KERNEL_MODULE_SIG_CERT}" ]; then
bbfatal "Kernel module signing should only be used when setting \
KERNEL_MODULE_SIG_CERT in local.conf."
fi

if [ -n "${KERNEL_MODULE_SIG_KEY}" ]; then
SIG_HASH=$( grep CONFIG_MODULE_SIG_HASH= \
${STAGING_KERNEL_BUILDDIR}/.config | \
cut -d '"' -f 2 )
[ -z "$SIG_HASH" ] && bbfatal CONFIG_MODULE_SIG_HASH is not set in .config
[ -z "$SIG_HASH" ] && bbfatal "CONFIG_MODULE_SIG_HASH is not set in .config"

[ -x "${SIGN_FILE}" ] || bbfatal "Cannot find scripts/sign-file"

find ${D} -name "*.ko" -print0 | \
xargs --no-run-if-empty -0 -n 1 \
xargs -t --no-run-if-empty -0 -n 1 \
${SIGN_FILE} $SIG_HASH ${KERNEL_MODULE_SIG_KEY} \
${KERNEL_MODULE_SIG_CERT}
else
bbnote "Kernel module offline signing enabled, modules still need to be signed."
fi
}

Expand All @@ -44,3 +65,6 @@ addtask sign_modules after do_install before do_package
do_install[lockfiles] = "${TMPDIR}/kernel-scripts.lock"
# Explicit keys sign modules in do_sign_modules
do_sign_modules[lockfiles] = "${TMPDIR}/kernel-scripts.lock"

do_sign_modules[depends] += "virtual/kernel:do_shared_workdir"
do_sign_modules[file-checksums] += "${@get_signing_key(d)} ${@get_signing_cert(d)}"
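Review bot: The signing pipeline at the end of the new `if [ -n "${KERNEL_MODULE_SIG_KEY}" ]` branch in do_sign_modules passes `${D}`, `${SIGN_FILE}`, `$SIG_HASH`, `${KERNEL_MODULE_SIG_KEY}` and `${KERNEL_MODULE_SIG_CERT}` unquoted, while the new `grep -q` line at the top of the function quotes `"${STAGING_KERNEL_BUILDDIR}/.config"`; a key or certificate path containing whitespace or a glob character would be split or expanded before it reaches sign-file. Quoting them as `find "${D}" -name "*.ko" -print0 | xargs -t --no-run-if-empty -0 -n 1 "${SIGN_FILE}" "$SIG_HASH" "${KERNEL_MODULE_SIG_KEY}" "${KERNEL_MODULE_SIG_CERT}"` keeps one argument per path regardless of its contents. The added `-t` flag echoes every sign-file invocation, including the private-key path, to the task log once per module; if that is meant as a permanent diagnostic rather than leftover debugging, a comment such as `# -t: log each sign-file call so unsigned modules can be traced in log.do_sign_modules` would record the intent. The `[ -x "${SIGN_FILE}" ]` check is only reached when a private key is configured, so the offline-signing path never confirms that sign-file is available; that may be deliberate since no signing happens there.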