Bug#852715: marked as done (linux: building with CONFIG_DEBUG_INFO strips embedded modules signatures)



Your message dated Sun, 01 Jul 2018 02:02:44 +0100
with message-id <12d146c5d46c834df8a150ce87b196e98d8f169a.camel@decadent.org.uk>
and subject line Re: linux: building with CONFIG_DEBUG_INFO strips embedded modules signatures
has caused the Debian Bug report #852715,
regarding linux: building with CONFIG_DEBUG_INFO strips embedded modules signatures
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
852715: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852715
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: linux
Version: 4.9.2-2
Severity: normal
Tags: patch

Dear maintainer,

If building with CONFIG_MODULE_SIG_ALL and CONFIG_DEBUG_INFO the objcopy
call that adds the debuglink has the side-effect of removing the
signature added to the kernel module, which breaks booting if the option
to enforce module signatures is also enabled.

The fix is to explicitly sign the installed modules again in that case.
A small patch from my colleague Jan Blunck is attached.

Thank you!

Kind regards,
Luca Boccassi

From 9e6f694354d25f47b4bcb6656d3eb05fc3351a13 Mon Sep 17 00:00:00 2001
From: Jan Blunck <jblunck@infradead.org>
Date: Thu, 26 Jan 2017 17:04:11 +0100
Subject: [PATCH] Fix stripped module signatures if CONFIG_DEBUG_INFO

If building with CONFIG_MODULE_SIG_ALL and CONFIG_DEBUG_INFO the
objcopy call that adds the debuglink has the side-effect of removing
the signature added to the kernel module. Let's explicitly sign the
installed modules again in that case.
---
 debian/rules.real | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/debian/rules.real b/debian/rules.real
index 868efa3..b818c35 100644
--- a/debian/rules.real
+++ b/debian/rules.real
@@ -417,6 +417,9 @@ ifeq ($(DEBUG),True)
 	find $(PACKAGE_DIR) -name '*.ko' | sed 's|$(PACKAGE_DIR)/lib/modules/$(REAL_VERSION)/kernel/||' | while read module ; do \
 	  $(CROSS_COMPILE)objcopy --add-gnu-debuglink=$(DIR)/$$module $(PACKAGE_DIR)/lib/modules/$(REAL_VERSION)/kernel/$$module || exit; \
 	done
+	+if grep -qs '^CONFIG_MODULE_SIG_ALL=y' $(DIR)/.config; then \
+		$(MAKE_CLEAN) -C $(DIR) modules_sign INSTALL_MOD_PATH='$(CURDIR)'/$(PACKAGE_DIR); \
+	fi
 endif
 	cp $(DIR)/.config $(PACKAGE_DIR)/boot/config-$(REAL_VERSION)
 	cp $(DIR)/System.map $(PACKAGE_DIR)/boot/System.map-$(REAL_VERSION)
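Review bot: the added `if grep -qs '^CONFIG_MODULE_SIG_ALL=y' $(DIR)/.config` uses `-s`, so a missing or unreadable `.config` is treated the same as "signing not enabled" and the re-sign step is skipped with no error, leaving the modules that objcopy just rewrote without signatures. Dropping `-s`, or failing the build when `$(DIR)/.config` cannot be read, would make that case visible at build time instead of at boot. A one-line comment above the block saying that `--add-gnu-debuglink` rewrites the `.ko` and drops the appended signature would explain why `modules_sign` is run a second time here. Minor: in `INSTALL_MOD_PATH='$(CURDIR)'/$(PACKAGE_DIR)` only `$(CURDIR)` is quoted; quoting the whole path would be more consistent.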
-- 
2.1.4


Attachment: signature.asc
Description: This is a digitally signed message part


--- End Message ---
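A build-time check for the failure described in the report above, as an added example that is not part of the original messages or the Debian packaging: it inspects the trailer that module signing appends (the `~Module signature appended~` marker preceded by the 12-byte `struct module_signature`) and lists `.ko` files that lack it. The function names and sample bytes are constructed for illustration; the check confirms that a signature is present and well-formed, not that it verifies against a trusted key.

```python
import pathlib
import struct

# Trailer written by the kernel's sign-file tool: <signature> <info> <magic>
MAGIC = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# 3 pad bytes, then sig_len as a big-endian 32-bit integer (12 bytes total)
INFO = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2  # id_type used for PKCS#7 signatures


def module_signature_info(data):
    """Return (id_type, sig_len) for a well-formed trailer, else None."""
    if not data.endswith(MAGIC):
        return None  # what a module looks like after the signature is stripped
    info_end = len(data) - len(MAGIC)
    if info_end < INFO.size:
        return None
    _algo, _hash, id_type, _signer, _keyid, sig_len = INFO.unpack(
        data[info_end - INFO.size:info_end])
    # The signature must fit in the bytes that precede the info block.
    if sig_len == 0 or sig_len > info_end - INFO.size:
        return None
    return id_type, sig_len


def unsigned_modules(root):
    """List *.ko files under root (hypothetical helper) with no valid trailer."""
    return sorted(str(p) for p in pathlib.Path(root).rglob("*.ko")
                  if module_signature_info(p.read_bytes()) is None)


# Constructed sample data: not a real ELF module or a real PKCS#7 blob.
BODY = b"\x7fELF" + b"\x00" * 60
FAKE_SIG = b"\x30\x82" + b"\xaa" * 30
SIGNED = BODY + FAKE_SIG + INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(FAKE_SIG)) + MAGIC

if __name__ == "__main__":
    import sys
    bad = unsigned_modules(sys.argv[1]) if len(sys.argv) > 1 else []
    print("\n".join(bad))
    sys.exit(1 if bad else 0)
```

Run against the package's module directory after the debuglink step, a non-zero exit status means at least one module would be rejected by a kernel that enforces signatures.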
--- Begin Message ---
Version: 4.17~rc3-1~exp1

An updated version of this patch was included in the above version.

Ben.
 
-- 
Ben Hutchings
Q.  Which is the greater problem in the world today,
    ignorance or apathy?
A.  I don't know and I couldn't care less.

Attachment: signature.asc
Description: This is a digitally signed message part


--- End Message ---