From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id D9D73158094 for ; Tue, 5 Jul 2022 20:11:36 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 393E8E0F85; Tue, 5 Jul 2022 20:11:33 +0000 (UTC) Received: from smtp.gentoo.org (mail.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id C403DE0F7C for ; Tue, 5 Jul 2022 20:11:32 +0000 (UTC) Received: by mail-yw1-f179.google.com with SMTP id 00721157ae682-31c89653790so69260127b3.13 for ; Tue, 05 Jul 2022 13:11:32 -0700 (PDT) X-Gm-Message-State: AJIora9fWTi6+duefnesgHrGMrGONsU16BfYIoEmnnA5i5oRhnFzrvja f6SFQIRy6NMB2iKVPeu9rL8+3qDLYOzgTwUIJjk= X-Google-Smtp-Source: AGRyM1ugoFsXbIsvHAY4e3glG1StpkkVqcOeG3bENzDrg7iQCCncraf7HAad3cfw5cifLsa249rS+PccNvZgunajq30= X-Received: by 2002:a81:f12:0:b0:31c:d032:b79 with SMTP id 18-20020a810f12000000b0031cd0320b79mr4477127ywp.406.1657051890152; Tue, 05 Jul 2022 13:11:30 -0700 (PDT) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply MIME-Version: 1.0 References: <20220621181959.920941-1-concord@gentoo.org> <84e99a74d64f0d9dd326af0f2c54b9d5717b2f8d.camel@gentoo.org> <9317f3aa1815d9ef219625794c06a8fb3057d707.camel@gentoo.org> <20220627183531.palnmdpvgzf44ssk@fuuko> <7311bbf9de54e3fb08953a40a9cd03df61f4dd00.camel@gentoo.org> <0f4a80cb6ee817dc015c1791960df032ae528ea4.camel@gentoo.org> <3e82436e9883431e59daf011b60deaffae1a3268.camel@gentoo.org> In-Reply-To: <3e82436e9883431e59daf011b60deaffae1a3268.camel@gentoo.org> From: Mike Gilbert Date: Tue, 5 Jul 2022 16:11:18 -0400 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing To: Gentoo Dev Content-Type: text/plain; charset="UTF-8" X-Archives-Salt: 3eaea6db-0a4c-4e49-8dbd-880a2e31bc56 X-Archives-Hash: e7e209a5cdb145d1cacf30eb7f02fbcf On Tue, Jul 5, 2022 at 3:02 PM Georgy Yakovlev wrote: > > ...snip > > > > > In that case, I think the only viable way to make this work is to > > > disable automatic stripping and handle stripping via custom code in > > > the ebuild/eclass. > > > > > might work indeed if we do something like (pseudo-bash) > > > > if [[ module_sign == yes ]]; then > > dostrip -x /lib/modules # to stop portage stripping .ko objects > > manual-strip-respecting-features-nostrip -r /lib/modules > > sign-all-modules -r /lib/modules > > fi > > [[ compress_modules == yes ]] && compress-modules -r /lib/modules > > > > > > this will equire eapi-bumping couple of packages > > https://qa-reports.gentoo.org/output/eapi-per-eclass/linux-mod.eclass/6.txt > > and restricting linux-mod.eclass to eapi7 or later. > > > > > > > started playing with my old code and got blocked right away: > > looks like dostrip just creates a list of files/directories to strip > and processed at the very end of install phase. > > so skipping strip and doing manual one might be problematic. > internally portage uses estrip > https://github.com/gentoo/portage/blob/master/bin/estrip > which contains quite a lot of logic and code and I don't think > partially re-implementing this in eclass code is appropriate. > Looking at the kernel build system, it looks like modules don't get stripped by default anyway: you have to explicitly pass INSTALL_MOD_STRIP=1 to make modules_install. I don't think it would be a major problem to just disable stripping entirely for out-of-tree modules when module signing is enabled. Alternatively, forget about trying to reimplement estrip and just strip the files by calling ${STRIP} --strip-debug, as is done in scripts/Makefile.modinst in the kernel sources. That will conflict with FEATURES=splitdebug, but I doubt that's very useful for kernel developers anyway.