Don't brp-strip .ko files #1744

dmnks · 2021-07-12T11:25:21Z

Otherwise SecureBoot signatures may be stripped too.

We used to exclude shared libraries from this strip as they were
supposed to be covered by another brp script (brp-strip-shared), however
it turned out the latter was never really used, so we removed the
exclusion in commit 0ab151a.

As it turns out, that was a little too ambitious, since we may now
inadvertently strip SecureBoot signatures from kernel modules too,
provided that they're made during the build, prior to the invocation of
brp-strip.

Note that this regression currently does not affect the following two
cases on Fedora/RHEL systems with redhat-rpm-config installed:

in-tree modules; these are built from kernel.spec which already
contains a hack ensuring that module signing only happens after
any stripping (see %__modsign_install_post in kernel.spec)
out-of-tree modules built with debuginfo enabled; this is because
brp-strip is only called when %debug_package is set to %{nil}

Any other combinations may be affected, depending on the macros and
.spec files used, so let's fix this by effectively "reverting" said
commit for .ko files only.

Fixes: rhbz#1967291

Otherwise SecureBoot signatures may be stripped too. We used to exclude shared libraries from this strip as they were supposed to be covered by another brp script (brp-strip-shared), however it turned out the latter was never really used, so we removed the exclusion in commit 0ab151a. As it turns out, that was a little too ambitious, since we may now inadvertently strip SecureBoot signatures from kernel modules too, provided that they're made during the build, prior to the invocation of brp-strip. Note that this regression currently does *not* affect the following two cases on Fedora/RHEL systems with redhat-rpm-config installed: - in-tree kernel modules; these are built from kernel.spec which already contains a hack ensuring that module signing only happens *after* any stripping (see %__modsign_install_post in kernel.spec) - out-of-tree kernel modules built with debuginfo enabled; this is because brp-strip is only called when %debug_package is set to %{nil} Any other combinations may be affected, depending on the macros and .spec files used, so let's fix this by effectively "reverting" said commit for .ko files only. Fixes: rhbz#1967291

mikhailnov · 2021-07-12T15:39:26Z

Kernel modules may be *.ko.xz, *.ko.zst, *.ko.gz

mikhailnov · 2021-07-12T15:40:08Z

Ah, sorry, such files probably will not be detected as ELFs

dmnks · 2021-07-12T15:46:25Z

Yup, that's correct - they would be skipped by the loop anyway (and calling strip(1) on them would have no effect either).

Conan-Kudo · 2021-07-12T17:16:11Z

scripts/brp-strip

@@ -13,5 +13,5 @@ Darwin*) exit 0 ;;
 esac

 # Strip ELF binaries
-find "$RPM_BUILD_ROOT" -type f \! -regex "${RPM_BUILD_ROOT}/*usr/lib/debug.*" -print0 | \
+find "$RPM_BUILD_ROOT" -type f \! -regex "${RPM_BUILD_ROOT}/*usr/lib/debug.*" \! -name "*.ko" -print0 | \


This should cover *.ko.(gz,xz,zst) too, shouldn't it?

blah, I get it now and I didn't see the comments earlier...

dmnks force-pushed the no-kmod-sig-strip branch from 91704fb to 72377db Compare July 12, 2021 11:29

ffesti merged commit cfdb830 into rpm-software-management:master Jul 12, 2021

Conan-Kudo reviewed Jul 12, 2021

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Don't brp-strip .ko files #1744

Don't brp-strip .ko files #1744

dmnks commented Jul 12, 2021

mikhailnov commented Jul 12, 2021

mikhailnov commented Jul 12, 2021

dmnks commented Jul 12, 2021

Conan-Kudo Jul 12, 2021

Conan-Kudo Jul 12, 2021

Don't brp-strip .ko files #1744

Don't brp-strip .ko files #1744

Conversation

dmnks commented Jul 12, 2021

mikhailnov commented Jul 12, 2021

mikhailnov commented Jul 12, 2021

dmnks commented Jul 12, 2021

Conan-Kudo Jul 12, 2021

Choose a reason for hiding this comment

Conan-Kudo Jul 12, 2021

Choose a reason for hiding this comment