Hi,

On Sat, Dec 17, 2022 at 11:27:50AM +0000, Richard Purdie wrote:
> On Fri, 2022-11-25 at 17:07 +0200, Mikko Rapeli wrote:
> > linux-yocto kernel adds openssl-native dependency by default even
> > when module signing is still optional. kmod should enable
> > openssl support too. This helps see details of signed kernel
> > modules and debug issues with module signing. For small systems
> > this can still be disabled.
>
> This seems like an easy enough change at first glance, my concern is
> dependency chain creep. openssl is slower to build and for example may
> depend on perl-native so adding this here can cause builds to slow down
> quite a bit more than you'd expect.

But even default kernel, linux-yocto, already depends on openssl-native.
The dependency is everywhere. Tiny distros with minimal features are
another thing.

> I've been holding off merging until I could look at the dependency
> chain and see how much difference it actually makes. I've not managed
> that yet though.
>
> One option may be to add a "signed-kernel-modules" level distro feature
> or perhaps a distro include file, since I suspect this functionality is
> going to need other changes to enable and work properly?

Signed kernel modules is purely a kernel internal thing. Since kernel
already depends on openssl for other reasons signing modules doesn't
introduce much new, and all the checks for signatures are done inside
the kernel. kmod support for signed modules is just a convenience thing.

And signing kernels with default build-time generated keys breaks build
reproducibility and sstate caching but that's a separate matter which
maybe can't be resolved inside bitbake.. only static keys built outside
of bitbake seem to help..

Cheers,

-Mikko
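For context on what userspace can see in a signed module, here is an added example (not code from this thread, from kmod or from the kernel): a signed .ko ends with the signature blob, a 12-byte `struct module_signature` and a magic string, and this parser reads that trailer without any crypto library. Signer name and digest details sit inside the PKCS#7 blob, which is the part kmod decodes with OpenSSL; the sample bytes and the helper `build_sample` are constructed for illustration.

```python
import struct

MAGIC = b"~Module signature appended~\n"       # marker the kernel looks for at EOF
TRAILER = struct.Struct(">BBBBB3xI")           # struct module_signature (12 bytes)
ID_TYPES = {0: "PGP", 1: "X509", 2: "PKCS#7"}  # enum pkey_id_type


def parse_module_signature(blob: bytes):
    """Return None for an unsigned module, else the trailer fields as a dict."""
    if not blob.endswith(MAGIC):
        return None
    trailer_off = len(blob) - len(MAGIC) - TRAILER.size
    if trailer_off < 0:
        raise ValueError("file too short for struct module_signature")
    algo, hash_algo, id_type, signer_len, key_id_len, sig_len = \
        TRAILER.unpack_from(blob, trailer_off)
    # Everything appended before the trailer must fit inside the file.
    appended = signer_len + key_id_len + sig_len
    if sig_len == 0 or appended > trailer_off:
        raise ValueError("signature length inconsistent with file size")
    return {
        "id_type": ID_TYPES.get(id_type, f"unknown({id_type})"),
        "algo": algo, "hash": hash_algo,
        "signer_len": signer_len, "key_id_len": key_id_len,
        "sig_len": sig_len,
        "module_len": trailer_off - appended,   # size of the unsigned module
        "signature": blob[trailer_off - sig_len:trailer_off],
    }


def build_sample():
    """Constructed sample: a fake module body plus a placeholder signature blob."""
    body = b"\x7fELF" + bytes(60)
    fake_sig = b"\x30\x82" + bytes(254)         # placeholder bytes, not real PKCS#7
    trailer = TRAILER.pack(0, 0, 2, 0, 0, len(fake_sig))
    return body, body + fake_sig + trailer + MAGIC


if __name__ == "__main__":
    body, signed = build_sample()
    print(parse_module_signature(body))
    info = parse_module_signature(signed)
    print({k: v for k, v in info.items() if k != "signature"})
```
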