All of lore.kernel.org
 help / color / mirror / Atom feed
From: Bruce Ashfield <bruce.ashfield@gmail.com>
To: Richard Purdie <richard.purdie@linuxfoundation.org>
Cc: Jose Quaresma <quaresma.jose@gmail.com>,
	Christoph Lauer <christoph.lauer@email.de>,
	 openembedded-core@lists.openembedded.org,
	 Christoph Lauer <christoph.lauer@xtronic.de>
Subject: Re: [OE-core] [PATCH] make-mod-scripts: preserve libraries when rm_work is used
Date: Tue, 18 Apr 2023 17:12:20 -0400	[thread overview]
Message-ID: <CADkTA4MBh46pqJoQjW4dhOc3Sw-4+rr-u4d48OPSs9eC1VPx8A@mail.gmail.com> (raw)
In-Reply-To: <652908a6640ffc911d46613cb99159086131416f.camel@linuxfoundation.org>

On Tue, Apr 18, 2023 at 5:04 PM Richard Purdie
<richard.purdie@linuxfoundation.org> wrote:
>
> On Tue, 2023-04-18 at 16:25 -0400, Bruce Ashfield wrote:
> > On Mon, Apr 17, 2023 at 6:31 PM Jose Quaresma <quaresma.jose@gmail.com> wrote:
> > >
> > >
> > >
> > > Richard Purdie <richard.purdie@linuxfoundation.org> escreveu no dia segunda, 17/04/2023 à(s) 20:51:
> > > >
> > > > On Sun, 2023-04-16 at 12:30 +0200, Christoph Lauer wrote:
> > > > > From: Christoph Lauer <christoph.lauer@xtronic.de>
> > > > >
> > > > > With rm_work active, external module signing throws an error:
> > > > > scripts/sign-file: error while loading shared libraries: libcrypto.so.3: cannot open shared object file: No such file or directory
> > > > > Preserve libraries that sign-file script needs during runtime.
> > > > >
> > > > > Signed-off-by: Christoph Lauer <christoph.lauer@xtronic.de>
> > > > > ---
> > > > >  meta/recipes-kernel/make-mod-scripts/make-mod-scripts_1.0.bb | 3 +++
> > > > >  1 file changed, 3 insertions(+)
> > > > >
> > > > > diff --git a/meta/recipes-kernel/make-mod-scripts/make-mod-scripts_1.0.bb b/meta/recipes-kernel/make-mod-scripts/make-mod-scripts_1.0.bb
> > > > > index 28e0807d1d..0e24efc597 100644
> > > > > --- a/meta/recipes-kernel/make-mod-scripts/make-mod-scripts_1.0.bb
> > > > > +++ b/meta/recipes-kernel/make-mod-scripts/make-mod-scripts_1.0.bb
> > > > > @@ -32,3 +32,6 @@ do_configure() {
> > > > >               -C ${STAGING_KERNEL_DIR} O=${STAGING_KERNEL_BUILDDIR} $t
> > > > >       done
> > > > >  }
> > > > > +
> > > > > +# keep native libraries required for module signing
> > > > > +RM_WORK_EXCLUDE_ITEMS += "recipe-sysroot-native"
> > > >
> > > > I'm really reluctant to take this change as it isn't the way
> > > > dependencies are meant to work.
> > > >
> > > > It sounds like something in a shared workdir is depending on something
> > > > in a recipe workdir and we simply don't support that. Everything needed
> > > > should be in the shared workdir. At best this is a bandaid and there
> > > > will be other ways to make this fail such as cleaning make-mod-scripts.
> > >
> > >
> > > The problem is because for signing the kernel modules the sign-file.c [1] is linked dynamically with openssl-native.
> > > This works when building the in tree kernel modules but will fail when we try to sing any out of tree kernel module.
> > > To sign the out of tree kernel we will use the binaries from the shared workdir but the native libcrypto.so.3 is removed by
> > > the rm_work bbclass. We need to link the sign-file statically otherwise it will not work with the rm_work bbclass.
> > >
> > > [1] https://github.com/torvalds/linux/blob/master/scripts/sign-file.c
> > >
> > > Another solution for this problem can be changing the make-mod-scripts to be a native tool and in this way
> > > they will be installed and the dependencies will be handled correctly.
> >
> > There would very likely be different issues if the scripts were
> > generated and then packaged as a native tool / package. Since they are
> > so tightly coupled to the kernel. We'd just trade one set of issues
> > for another (out of sync artifacts, etc).
> >
> > I'm going to hack on this a bit.
> >
> > That being said, I've never done any module signing .. since I don't
> > need it in my development workflow.
> >
> > Is there a canonical guide to getting it setup so I can test my static
> > link and relocated artifacts fixes ? is it with meta-integrity and the
> > kernel-modsign bbclass ?
>
> I did think about this a bit more. It does likely depend on the version
> of libcrypto from the host system as to whether it reproduces or not.
> The possible solution ideas I came up with are:
>
> a) statically link sign-file so we don't need libcrypto
> b) copy the libcrypto.so into a known location in the shared workdir
> (probably some new path) and then adding an RPATH/RUNPATH using chrpath
> to the binary.

Agreed. I have sign-file statically building here, and it works, but
objtool is blowing up under static linking.

If I can't break the tools into separate bits, or fix that static link
.. My other idea is the same as yours, if we copy out the .so and make
sure it is in a recognized location in the artifacts dir, we are good
to go.

Bruce

>
> Cheers,
>
> Richard
>
>


-- 
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II


  reply	other threads:[~2023-04-18 21:12 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-04-16 10:30 [PATCH] make-mod-scripts: preserve libraries when rm_work is used Christoph Lauer
2023-04-17 10:19 ` [OE-core] " Jose Quaresma
2023-04-17 17:54   ` Christoph Lauer
2023-04-17 18:31 ` Bruce Ashfield
2023-04-17 19:51 ` Richard Purdie
2023-04-17 22:31   ` Jose Quaresma
2023-04-18 20:25     ` Bruce Ashfield
2023-04-18 21:04       ` Richard Purdie
2023-04-18 21:12         ` Bruce Ashfield [this message]
2023-04-19 13:52           ` Jose Quaresma
2023-04-19 13:59             ` Bruce Ashfield
2023-04-19 22:34               ` Jose Quaresma
2023-04-19 22:54                 ` Richard Purdie
2023-04-20  3:03                   ` Bruce Ashfield
     [not found]                   ` <175785898B60CE37.9727@lists.openembedded.org>
2023-04-21 20:28                     ` Bruce Ashfield
2023-04-22 13:06                       ` Christoph Lauer
2023-04-23 19:55                         ` Bruce Ashfield
2023-04-24 10:30                           ` Jose Quaresma
2023-04-24 19:25                             ` Bruce Ashfield
2023-04-27 22:32                               ` Jose Quaresma
2023-04-28  1:26                                 ` Bruce Ashfield
     [not found]                                 ` <1759F4E68EA4E1CC.26969@lists.openembedded.org>
2023-05-02 21:11                                   ` Bruce Ashfield
2023-05-03 10:08                                     ` Jose Quaresma
     [not found]                                     ` <175B9A4D7B213CC1.28444@lists.openembedded.org>
2023-05-05 10:23                                       ` Jose Quaresma
2023-05-05 17:32                                         ` Bruce Ashfield
     [not found]     ` <175721425ED7411C.26280@lists.openembedded.org>
2023-04-18 20:29       ` Bruce Ashfield

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CADkTA4MBh46pqJoQjW4dhOc3Sw-4+rr-u4d48OPSs9eC1VPx8A@mail.gmail.com \
    --to=bruce.ashfield@gmail.com \
    --cc=christoph.lauer@email.de \
    --cc=christoph.lauer@xtronic.de \
    --cc=openembedded-core@lists.openembedded.org \
    --cc=quaresma.jose@gmail.com \
    --cc=richard.purdie@linuxfoundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.