Gentoo Archives: gentoo-dev

From: Mike Gilbert <floppym@g.o>
To: Gentoo Dev <gentoo-dev@l.g.o>
Subject: Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing
Date: Tue, 05 Jul 2022 20:11:36
Message-Id: CAJ0EP40XwpPS2gMo7cMa+d962+ntoLsLN2Y-Fp+4L1MeshNYfg@mail.gmail.com
In Reply to: Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing by Georgy Yakovlev
On Tue, Jul 5, 2022 at 3:02 PM Georgy Yakovlev <gyakovlev@g.o> wrote:
>
> ...snip
> >
> > > In that case, I think the only viable way to make this work is to
> > > disable automatic stripping and handle stripping via custom code in
> > > the ebuild/eclass.
> > >
> > might work indeed if we do something like (pseudo-bash)
> >
> > if [[ module_sign == yes ]]; then
> > dostrip -x /lib/modules # to stop portage stripping .ko objects
> > manual-strip-respecting-features-nostrip -r /lib/modules
> > sign-all-modules -r /lib/modules
> > fi
> > [[ compress_modules == yes ]] && compress-modules -r /lib/modules
> >
> >
> > this will require eapi-bumping a couple of packages
> > https://qa-reports.gentoo.org/output/eapi-per-eclass/linux-mod.eclass/6.txt
> > and restricting linux-mod.eclass to eapi7 or later.
> >
> >
> >
> started playing with my old code and got blocked right away:
>
> looks like dostrip just creates a list of files/directories to strip
> and processes it at the very end of the install phase.
>
> so skipping strip and doing a manual one might be problematic.
> internally portage uses estrip
> https://github.com/gentoo/portage/blob/master/bin/estrip
> which contains quite a lot of logic and code and I don't think
> partially re-implementing this in eclass code is appropriate.
>

Looking at the kernel build system, it looks like modules don't get
stripped by default anyway: you have to explicitly pass
INSTALL_MOD_STRIP=1 to make modules_install.

I don't think it would be a major problem to just disable stripping
entirely for out-of-tree modules when module signing is enabled.

Alternatively, forget about trying to reimplement estrip and just
strip the files by calling ${STRIP} --strip-debug, as is done in
scripts/Makefile.modinst in the kernel sources. That will conflict
with FEATURES=splitdebug, but I doubt that's very useful for kernel
developers anyway.
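The strip-then-sign ordering discussed in this thread, written out as an added shell example (not code from the thread, from portage or from linux-mod.eclass): it strips with the toolchain's ${STRIP} --strip-debug the way scripts/Makefile.modinst does, honours FEATURES=nostrip through a small stand-in for portage's has(), and only then appends the signature with the kernel's scripts/sign-file. The SIGN_FILE, MODSECKEY, MODPUBKEY and SIG_HASH variables are assumptions for this example, not eclass variables.

```shell
#!/bin/sh
# Strip, then sign, out-of-tree kernel modules below a directory.
# The module signature is appended to the .ko, so a strip that runs after
# signing (e.g. portage's estrip at the end of the install phase) drops it
# again and the module loads unsigned. Hence: strip first, sign last.
#
# Assumed environment (placeholders for this example):
#   STRIP      strip binary from the toolchain (default: strip)
#   SIGN_FILE  path to the kernel's scripts/sign-file
#   MODSECKEY  PEM private key; MODPUBKEY the matching X.509 certificate
#   SIG_HASH   digest name, must match CONFIG_MODULE_SIG_HASH (default sha512)
#   FEATURES   portage FEATURES string; "nostrip" disables stripping

# Stand-in for portage's has(): is $1 a word in $FEATURES?
has_feature() {
    case " ${FEATURES:-} " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

# Strip debug info (unless FEATURES=nostrip) and then sign one module.
strip_and_sign_module() {
    ko=$1
    if ! has_feature nostrip; then
        # Same call scripts/Makefile.modinst makes for INSTALL_MOD_STRIP=1.
        "${STRIP:-strip}" --strip-debug "$ko" || return 1
    fi
    # Signing is the last thing that may modify the file.
    "${SIGN_FILE}" "${SIG_HASH:-sha512}" "${MODSECKEY}" "${MODPUBKEY}" "$ko" || return 1
}

# Apply strip_and_sign_module to every .ko below $1. Module paths under
# /lib/modules contain no whitespace, so plain word splitting is fine here.
strip_and_sign_modules() {
    status=0
    for ko in $(find "$1" -type f -name '*.ko'); do
        strip_and_sign_module "$ko" || { echo "failed: $ko" >&2; status=1; }
    done
    return $status
}
```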