[PATCH] linux-custom: Fix module signing in combination with compression
11 views
Skip to first unread message
Florian Bezdeka
May 16, 2025, 7:39:22 AMMay 16
to isar-...@googlegroups.com, Florian Bezdeka
The right order for each non-debug module is INSTALL, STRIP, SIGN,
COMPRESS.
As "make modules_sign" is a subset of "make modules_install" the order
was different, basically trying to re-sign after COMPRESS already
happended, which triggered a build failure like
+ kmods_sign
+ '[' -n y ']'
+ /usr/bin/make O=/<<PKGBUILDDIR>>/build-full INSTALL_MOD_PATH=/<<PKGBUILDDIR>>/debian/linux-image-stable-rt modules_sign
make[2]: Entering directory '/<<PKGBUILDDIR>>'
make[3]: Entering directory '/<<PKGBUILDDIR>>/build-full'
SIGN /<<PKGBUILDDIR>>/debian/linux-image-stable-rt/lib/modules/6.14.0/kernel/arch/x86/events/amd/power.ko
At main.c:302:
- SSL error:FFFFFFFF80000002:system library::No such file or directory: ../crypto/bio/bss_file.c:67
- SSL error:10000080:BIO routines::no such file: ../crypto/bio/bss_file.c:75
sign-file: /<<PKGBUILDDIR>>/debian/linux-image-stable-rt/lib/modules/6.14.0/kernel/arch/x86/events/amd/power.ko
Align the installation of the debug version of modules with the build
process of Debian by using modules_install again, with a different
installation directory and signing and compression disabled.
Signed-off-by: Florian Bezdeka <florian...@siemens.com>
---
Hi all,
this has been tested with Linux 6.14 and 6.12. Older versions should
work as well, more testing highly recommended.
Best regards,
Florian
.../linux/files/debian/isar/install.tmpl | 28 +++++++------------
1 file changed, 10 insertions(+), 18 deletions(-)
diff --git a/meta/recipes-kernel/linux/files/debian/isar/install.tmpl b/meta/recipes-kernel/linux/files/debian/isar/install.tmpl
index 00011517..818da49c 100644
--- a/meta/recipes-kernel/linux/files/debian/isar/install.tmpl
+++ b/meta/recipes-kernel/linux/files/debian/isar/install.tmpl
@@ -129,34 +129,26 @@ install_dtbs() {
install_kmods() {
[ -n "${CONFIG_MODULES}" ] || return 0
- ${MAKE} O=${O} INSTALL_MOD_PATH=${deb_img_dir} modules_install
+ ${MAKE} O=${O} modules_install \
+ INSTALL_MOD_PATH=${deb_img_dir} \
+ INSTALL_MOD_STRIP=1
touch ${deb_img_dir}/lib/modules/${krel}/.fresh-install
rm -fv ${deb_img_dir}/lib/modules/${krel}/build
rm -fv ${deb_img_dir}/lib/modules/${krel}/source
install_kmods_debug
}
-kmods_sign() {
- [ -n "${CONFIG_MODULE_SIG_ALL}" ] || return 0
- ${MAKE} O=${O} INSTALL_MOD_PATH=${deb_img_dir} modules_sign
-}
-
install_kmods_debug() {
[ -n "${CONFIG_DEBUG_INFO}" ] || return 0
- kmod_inst_dir=${deb_img_dir}/lib/modules
- kmod_debug_dir=${deb_dbg_dir}/usr/lib/debug
-
- # copy kernels modules to usr/lib/debug
- mkdir -p ${kmod_debug_dir}
- tar -C ${kmod_inst_dir}/ -cO --exclude='modules.*' . | tar -C ${kmod_debug_dir}/ -xf -
- # strip everything but debug sections for modules in usr/lib/debug
- find ${kmod_debug_dir} -name *.ko -exec ${CROSS_COMPILE}objcopy --only-keep-debug {} \;
- # and strip debug sections from modules in lib/modules
- find ${kmod_inst_dir} -name *.ko -exec ${CROSS_COMPILE}objcopy --strip-debug {} \;
+ kmod_inst_dir=${deb_dbg_dir}/usr/lib/debug
- # re-sign stripped kernel modules
- kmods_sign
+ # cmd_sign=: Don't sign modules
+ # suffix-y=: Don't compress modules
+ ${MAKE} O=${O} modules_install \
+ INSTALL_MOD_PATH=${kmod_inst_dir} \
+ cmd_sign= \
+ suffix-y=
}
headers_check() {
--
2.39.5
COMPRESS.
As "make modules_sign" is a subset of "make modules_install" the order
was different, basically trying to re-sign after COMPRESS already
happended, which triggered a build failure like
+ kmods_sign
+ '[' -n y ']'
+ /usr/bin/make O=/<<PKGBUILDDIR>>/build-full INSTALL_MOD_PATH=/<<PKGBUILDDIR>>/debian/linux-image-stable-rt modules_sign
make[2]: Entering directory '/<<PKGBUILDDIR>>'
make[3]: Entering directory '/<<PKGBUILDDIR>>/build-full'
SIGN /<<PKGBUILDDIR>>/debian/linux-image-stable-rt/lib/modules/6.14.0/kernel/arch/x86/events/amd/power.ko
At main.c:302:
- SSL error:FFFFFFFF80000002:system library::No such file or directory: ../crypto/bio/bss_file.c:67
- SSL error:10000080:BIO routines::no such file: ../crypto/bio/bss_file.c:75
sign-file: /<<PKGBUILDDIR>>/debian/linux-image-stable-rt/lib/modules/6.14.0/kernel/arch/x86/events/amd/power.ko
Align the installation of the debug version of modules with the build
process of Debian by using modules_install again, with a different
installation directory and signing and compression disabled.
Signed-off-by: Florian Bezdeka <florian...@siemens.com>
---
Hi all,
this has been tested with Linux 6.14 and 6.12. Older versions should
work as well, more testing highly recommended.
Best regards,
Florian
.../linux/files/debian/isar/install.tmpl | 28 +++++++------------
1 file changed, 10 insertions(+), 18 deletions(-)
diff --git a/meta/recipes-kernel/linux/files/debian/isar/install.tmpl b/meta/recipes-kernel/linux/files/debian/isar/install.tmpl
index 00011517..818da49c 100644
--- a/meta/recipes-kernel/linux/files/debian/isar/install.tmpl
+++ b/meta/recipes-kernel/linux/files/debian/isar/install.tmpl
@@ -129,34 +129,26 @@ install_dtbs() {
install_kmods() {
[ -n "${CONFIG_MODULES}" ] || return 0
- ${MAKE} O=${O} INSTALL_MOD_PATH=${deb_img_dir} modules_install
+ ${MAKE} O=${O} modules_install \
+ INSTALL_MOD_PATH=${deb_img_dir} \
+ INSTALL_MOD_STRIP=1
touch ${deb_img_dir}/lib/modules/${krel}/.fresh-install
rm -fv ${deb_img_dir}/lib/modules/${krel}/build
rm -fv ${deb_img_dir}/lib/modules/${krel}/source
install_kmods_debug
}
-kmods_sign() {
- [ -n "${CONFIG_MODULE_SIG_ALL}" ] || return 0
- ${MAKE} O=${O} INSTALL_MOD_PATH=${deb_img_dir} modules_sign
-}
-
install_kmods_debug() {
[ -n "${CONFIG_DEBUG_INFO}" ] || return 0
- kmod_inst_dir=${deb_img_dir}/lib/modules
- kmod_debug_dir=${deb_dbg_dir}/usr/lib/debug
-
- # copy kernels modules to usr/lib/debug
- mkdir -p ${kmod_debug_dir}
- tar -C ${kmod_inst_dir}/ -cO --exclude='modules.*' . | tar -C ${kmod_debug_dir}/ -xf -
- # strip everything but debug sections for modules in usr/lib/debug
- find ${kmod_debug_dir} -name *.ko -exec ${CROSS_COMPILE}objcopy --only-keep-debug {} \;
- # and strip debug sections from modules in lib/modules
- find ${kmod_inst_dir} -name *.ko -exec ${CROSS_COMPILE}objcopy --strip-debug {} \;
+ kmod_inst_dir=${deb_dbg_dir}/usr/lib/debug
- # re-sign stripped kernel modules
- kmods_sign
+ # cmd_sign=: Don't sign modules
+ # suffix-y=: Don't compress modules
+ ${MAKE} O=${O} modules_install \
+ INSTALL_MOD_PATH=${kmod_inst_dir} \
+ cmd_sign= \
+ suffix-y=
}
headers_check() {
--
2.39.5
Florian Bezdeka
Jun 16, 2025, 11:49:07 AMJun 16
to isar-...@googlegroups.com, Baurzhan Ismagulov
On Fri, 2025-05-16 at 13:38 +0200, Florian Bezdeka wrote:
> The right order for each non-debug module is INSTALL, STRIP, SIGN,
> COMPRESS.
>
> As "make modules_sign" is a subset of "make modules_install" the order
> was different, basically trying to re-sign after COMPRESS already
> happended, which triggered a build failure like
>
> + kmods_sign
> + '[' -n y ']'
> + /usr/bin/make O=/<<PKGBUILDDIR>>/build-full INSTALL_MOD_PATH=/<<PKGBUILDDIR>>/debian/linux-image-stable-rt modules_sign
> make[2]: Entering directory '/<<PKGBUILDDIR>>'
> make[3]: Entering directory '/<<PKGBUILDDIR>>/build-full'
> SIGN /<<PKGBUILDDIR>>/debian/linux-image-stable-rt/lib/modules/6.14.0/kernel/arch/x86/events/amd/power.ko
> At main.c:302:
> - SSL error:FFFFFFFF80000002:system library::No such file or directory: ../crypto/bio/bss_file.c:67
> - SSL error:10000080:BIO routines::no such file: ../crypto/bio/bss_file.c:75
> sign-file: /<<PKGBUILDDIR>>/debian/linux-image-stable-rt/lib/modules/6.14.0/kernel/arch/x86/events/amd/power.ko
>
> Align the installation of the debug version of modules with the build
> process of Debian by using modules_install again, with a different
> installation directory and signing and compression disabled.
>
> Signed-off-by: Florian Bezdeka <florian...@siemens.com>
> ---
>
Baurzhan, any reason why this patch has not been merged after a couple
> The right order for each non-debug module is INSTALL, STRIP, SIGN,
> COMPRESS.
>
> As "make modules_sign" is a subset of "make modules_install" the order
> was different, basically trying to re-sign after COMPRESS already
> happended, which triggered a build failure like
>
> + kmods_sign
> + '[' -n y ']'
> + /usr/bin/make O=/<<PKGBUILDDIR>>/build-full INSTALL_MOD_PATH=/<<PKGBUILDDIR>>/debian/linux-image-stable-rt modules_sign
> make[2]: Entering directory '/<<PKGBUILDDIR>>'
> make[3]: Entering directory '/<<PKGBUILDDIR>>/build-full'
> SIGN /<<PKGBUILDDIR>>/debian/linux-image-stable-rt/lib/modules/6.14.0/kernel/arch/x86/events/amd/power.ko
> At main.c:302:
> - SSL error:FFFFFFFF80000002:system library::No such file or directory: ../crypto/bio/bss_file.c:67
> - SSL error:10000080:BIO routines::no such file: ../crypto/bio/bss_file.c:75
> sign-file: /<<PKGBUILDDIR>>/debian/linux-image-stable-rt/lib/modules/6.14.0/kernel/arch/x86/events/amd/power.ko
>
> Align the installation of the debug version of modules with the build
> process of Debian by using modules_install again, with a different
> installation directory and signing and compression disabled.
>
> Signed-off-by: Florian Bezdeka <florian...@siemens.com>
> ---
>
of weeks pending on the list?
Best regards,
Florian
Baurzhan Ismagulov
Jun 17, 2025, 12:16:36 PMJun 17
to isar-...@googlegroups.com, Florian Bezdeka
On 2025-06-16 17:49, Florian Bezdeka wrote:
> Baurzhan, any reason why this patch has not been merged after a couple
> of weeks pending on the list?
Thanks Florian for pinging,
> Baurzhan, any reason why this patch has not been merged after a couple
> of weeks pending on the list?
the reason is the same as for some other recent patches -- the patch touches a
corner case which is easily broken during trivial actions like kernel upgrade,
so we wanted to check whether it's possible to have a meaningful testcase for
this but haven't really come to it.
I wouldn't like to delay this anymore, so this has now been merged.
Please let me know if you would like to work on a testcase.
With kind regards,
Baurzhan
Reply all
Reply to author
Forward
0 new messages