| Message ID | 20250516113854.1515596-1-florian.bezdeka@siemens.com |
|---|---|
| State | Accepted, archived |
| Headers | show |
| Series | linux-custom: Fix module signing in combination with compression | expand |
On Fri, 2025-05-16 at 13:38 +0200, Florian Bezdeka wrote: > The right order for each non-debug module is INSTALL, STRIP, SIGN, > COMPRESS. > > As "make modules_sign" is a subset of "make modules_install" the order > was different, basically trying to re-sign after COMPRESS already > happended, which triggered a build failure like > > + kmods_sign > + '[' -n y ']' > + /usr/bin/make O=/<<PKGBUILDDIR>>/build-full INSTALL_MOD_PATH=/<<PKGBUILDDIR>>/debian/linux-image-stable-rt modules_sign > make[2]: Entering directory '/<<PKGBUILDDIR>>' > make[3]: Entering directory '/<<PKGBUILDDIR>>/build-full' > SIGN /<<PKGBUILDDIR>>/debian/linux-image-stable-rt/lib/modules/6.14.0/kernel/arch/x86/events/amd/power.ko > At main.c:302: > - SSL error:FFFFFFFF80000002:system library::No such file or directory: ../crypto/bio/bss_file.c:67 > - SSL error:10000080:BIO routines::no such file: ../crypto/bio/bss_file.c:75 > sign-file: /<<PKGBUILDDIR>>/debian/linux-image-stable-rt/lib/modules/6.14.0/kernel/arch/x86/events/amd/power.ko > > Align the installation of the debug version of modules with the build > process of Debian by using modules_install again, with a different > installation directory and signing and compression disabled. > > Signed-off-by: Florian Bezdeka <florian.bezdeka@siemens.com> > --- > Baurzhan, any reason why this patch has not been merged after a couple of weeks pending on the list? Best regards, Florian
On 2025-06-16 17:49, Florian Bezdeka wrote: > Baurzhan, any reason why this patch has not been merged after a couple > of weeks pending on the list? Thanks Florian for pinging, the reason is the same as for some other recent patches -- the patch touches a corner case which is easily broken during trivial actions like kernel upgrade, so we wanted to check whether it's possible to have a meaningful testcase for this but haven't really come to it. I wouldn't like to delay this anymore, so this has now been merged. Please let me know if you would like to work on a testcase. With kind regards, Baurzhan
diff --git a/meta/recipes-kernel/linux/files/debian/isar/install.tmpl b/meta/recipes-kernel/linux/files/debian/isar/install.tmpl index 00011517..818da49c 100644 --- a/meta/recipes-kernel/linux/files/debian/isar/install.tmpl +++ b/meta/recipes-kernel/linux/files/debian/isar/install.tmpl @@ -129,34 +129,26 @@ install_dtbs() { install_kmods() { [ -n "${CONFIG_MODULES}" ] || return 0 - ${MAKE} O=${O} INSTALL_MOD_PATH=${deb_img_dir} modules_install + ${MAKE} O=${O} modules_install \ + INSTALL_MOD_PATH=${deb_img_dir} \ + INSTALL_MOD_STRIP=1 touch ${deb_img_dir}/lib/modules/${krel}/.fresh-install rm -fv ${deb_img_dir}/lib/modules/${krel}/build rm -fv ${deb_img_dir}/lib/modules/${krel}/source install_kmods_debug } -kmods_sign() { - [ -n "${CONFIG_MODULE_SIG_ALL}" ] || return 0 - ${MAKE} O=${O} INSTALL_MOD_PATH=${deb_img_dir} modules_sign -} - install_kmods_debug() { [ -n "${CONFIG_DEBUG_INFO}" ] || return 0 - kmod_inst_dir=${deb_img_dir}/lib/modules - kmod_debug_dir=${deb_dbg_dir}/usr/lib/debug - - # copy kernels modules to usr/lib/debug - mkdir -p ${kmod_debug_dir} - tar -C ${kmod_inst_dir}/ -cO --exclude='modules.*' . | tar -C ${kmod_debug_dir}/ -xf - - # strip everything but debug sections for modules in usr/lib/debug - find ${kmod_debug_dir} -name *.ko -exec ${CROSS_COMPILE}objcopy --only-keep-debug {} \; - # and strip debug sections from modules in lib/modules - find ${kmod_inst_dir} -name *.ko -exec ${CROSS_COMPILE}objcopy --strip-debug {} \; + kmod_inst_dir=${deb_dbg_dir}/usr/lib/debug - # re-sign stripped kernel modules - kmods_sign + # cmd_sign=: Don't sign modules + # suffix-y=: Don't compress modules + ${MAKE} O=${O} modules_install \ + INSTALL_MOD_PATH=${kmod_inst_dir} \ + cmd_sign= \ + suffix-y= } headers_check() {
The right order for each non-debug module is INSTALL, STRIP, SIGN, COMPRESS. As "make modules_sign" is a subset of "make modules_install" the order was different, basically trying to re-sign after COMPRESS already happended, which triggered a build failure like + kmods_sign + '[' -n y ']' + /usr/bin/make O=/<<PKGBUILDDIR>>/build-full INSTALL_MOD_PATH=/<<PKGBUILDDIR>>/debian/linux-image-stable-rt modules_sign make[2]: Entering directory '/<<PKGBUILDDIR>>' make[3]: Entering directory '/<<PKGBUILDDIR>>/build-full' SIGN /<<PKGBUILDDIR>>/debian/linux-image-stable-rt/lib/modules/6.14.0/kernel/arch/x86/events/amd/power.ko At main.c:302: - SSL error:FFFFFFFF80000002:system library::No such file or directory: ../crypto/bio/bss_file.c:67 - SSL error:10000080:BIO routines::no such file: ../crypto/bio/bss_file.c:75 sign-file: /<<PKGBUILDDIR>>/debian/linux-image-stable-rt/lib/modules/6.14.0/kernel/arch/x86/events/amd/power.ko Align the installation of the debug version of modules with the build process of Debian by using modules_install again, with a different installation directory and signing and compression disabled. Signed-off-by: Florian Bezdeka <florian.bezdeka@siemens.com> --- Hi all, this has been tested with Linux 6.14 and 6.12. Older versions should work as well, more testing highly recommended. Best regards, Florian .../linux/files/debian/isar/install.tmpl | 28 +++++++------------ 1 file changed, 10 insertions(+), 18 deletions(-)