I was attempting to create a Yocto Linux (poky) for an Intel Edison board with signed kernel modules enabled. I set up a VM running Debian 8.2 and followed the instructions found in the BSP user's guide http://www.intel.com/content/dam/support/us/en/documents/edison/sb/edisonbsp_ug_331188007.pdf to get the environment up and running. Everything worked fine; at the end I was able to successfully flash my Intel Edison with a working unmodified version of the Yocto build. Next, I tried to enable signed kernel modules following the instructions in section 5.
Everything completed successfully and I proceeded to flash the Edison and test. Everything came up; however, when I went to check the modules (running a hexdump -C *.ko | tail) I discovered that they were not signed! I also tried another forum poster's suggestion to run bitbake -c compile_kernelmodules virtual/image with no success.
I also tried to move the .config file as described in section 5; however, I found the linux/files directory and linux/files/defconfig did not exist. When I tried to create them, I got an error related to linux-externalsrc.bb being unable to do_configure().
At this point, I believe that the signed kernel has been successfully created, but I am uncertain as to why it is not being included as a part of my build? Any suggestions would be appreciated!
I would like to know more information regarding this:
1. Which BSP are you using?
2. Are you sure that the VM has enough resources for building the image and running all the steps? Did you check the available space in the VM?
3. What is the content of the folder: //meta-intel-edison/meta-intel-edison-bsp/recipes-kernel/linux/files?
4. Are you saving the changes you do after using the menuconfig?
I have some suggestions that may be helpful for you:
1. Give more resources to the VM
2. Every time, start building the image from scratch or clean the image in order to build again.
3. Edit the defconfig file manually; this file must be located in /meta-intel-edison/meta-intel-edison-bsp/recipes-kernel/linux/files/
Please try with these and also let us know about the questions above.
To answer your questions:
- Which BSP are you using? I am using the BSP package that should be the default from edison-src: should be poky linux 3.10.17-yocto-standard
- Are you sure that the VM has enough resources for building the image and running all the steps? Did you check the available space in the VM? I have two VMs: First was running Debian 8.2 with 200 GB of HD space and I believe 1GB of RAM. I also created a 2nd VM running Ubuntu 14.04 LTS x86_64 with 50 GB of space and 4 GB of RAM. Both were running on i7 Core processors.
- What is the content of the folder: //meta-intel-edison/meta-intel-edison-bsp/recipes-kernel/linux/files? On the Debian 8.2 VM this directory does not exist. On the Ubuntu 14.04 VM the contents are defconfig and upstream_to_edison.patch
- Are you saving the changes you do after using the menuconfig? Yes. I always explicitly save the changes to a file named .config. This file is stored in /out/linux64/build/tmp/work/edison-poky-linux/linux-yocto/3.10.17-r0/linux-edison-standard-build/.config. The timestamp on the file matches the time I saved the file in the menuconfig.
Per your suggestions:
- Give more resources to the VM: New Ubuntu VM has more resources. I can try to make this even larger if you think this would assist.
- Every time, start building the image from scratch or clean the image in order to build again: I have tried two separate builds on two separate VMs. I will try a clean build again to validate I did not make any mistakes.
- Edit the defconfig file manually, this file must be located in /meta-intel-edison/meta-intel-edison-bsp/recipes-kernel/linux/files/: The defconfig file has CONFIG_MODULE_SIG=y && CONFIG_MODULE_SIG_ALL=y as both uncommented and set; to my understanding these are the key variables for enabling kernel module signing.
I set up a build environment just a few days ago, following the instructions of the Board Support Package:
I included a different kernel module and it worked fine. But my file structure looks a bit different to yours...(maybe just a naming thing)
The steps I did to build the custom image:
(1) Build standard image
(2) source poky/oe-init-build-env (step 4 in the Board support package on page 7)
(3) bitbake virtual/kernel -c menuconfig (step 1 in the Board support package on page 14)
(4) include your stuff
(5) do the copying ... (see page 14)
(6) source poky/oe-init-build-env (step 4 in the Board support package on page 7)
(7) bitbake virtual/kernel -c configure -f -v (see page 14)
(8) bitbake edison-image
(9) postBuild.sh (last step in the Board support package on page 7)
flash new image to intel edison and have fun :-)
I tried your step-by-step instructions.
First, I created a new Ubuntu 14.04 VM with 4 cores, 2GB of RAM, and 50 GB of HD space. I then downloaded the latest edison-src-www25.5.15.tgz from Intel Edison support pages. I followed the instructions in the Intel BSP PDF to set up and flash the default build. So far so good. I then followed the instructions to turn on module signing (COMPUTE_MODULE_SIG, COMPUTE_MODULE_SIG_ALL, and COMPUTE_MODULE_SIG_SHA512). I ran all the steps and everything compiled with one warning that /edison-src/out/linux64/poky/meta/recipes-kernel/linux/linux-yocto_3.10.bb.do_configure is tainted from a force run. I then created the post and flashed to the Edison. However, when I checked the /proc/keys I saw .module_sign: empty and hexdump -C *.ko revealed that none of the modules were signed. Finally, I tried to use COMPUTE_MODULE_SIG_SHA1 in case the key size was the issue, but got the same results. I am definitely stumped why it refuses to sign the kernel modules. I have included my defconfig below in the hopes it might shed some light on the issue:
# Automatically generated file; DO NOT EDIT.
# Linux/x86 3.10.17 Kernel Configuration
# CONFIG_64BIT is not set
# CONFIG_ZONE_DMA32 is not set
# CONFIG_AUDIT_ARCH is not set
# General setup
# CONFIG_LOCALVERSION_AUTO is not set
# CONFIG_KERNEL_BZIP2 is not set
# CONFIG_KERNEL_LZMA is not set
# CONFIG_KERNEL_XZ is not set
# CONFIG_KERNEL_LZO is not set
# CONFIG_SWAP is not set
# CONFIG_AUDIT_LOGINUID_IMMUTABLE is not set
# IRQ subsystem
# CONFIG_IRQ_DOMAIN_DEBUG is not set
# Timers subsystem
# CONFIG_HZ_PERIODIC is not set
# CPU/Task time and stats accounting
# CONFIG_TICK_CPU_ACCOUNTING is not set
# RCU Subsystem
# CONFIG_RCU_FANOUT_EXACT is not set
# CONFIG_RCU_FAST_NO_HZ is not set
# CONFIG_TREE_RCU_TRACE is not set
# CONFIG_RCU_BOOST is not set
# CONFIG_RCU_NOCB_CPU is not set
# CONFIG_IKCONFIG is not set
# CONFIG_CGROUP_DEBUG is not set
# CONFIG_MEMCG is not set
# CONFIG_CFS_BANDWIDTH is not set
# CONFIG_DEBUG_BLK_CGROUP is not set
# CONFIG_CHECKPOINT_RESTORE is not set
# CONFIG_UTS_NS is not set
# CONFIG_IPC_NS is not set
# CONFIG_USER_NS is not set
# CONFIG_PID_NS is not set
# CONFIG_UIDGID_STRICT_TYPE_CHECKS is not set
# CONFIG_SYSFS_DEPRECATED_V2 is not set
# CONFIG_RD_BZIP2 is not set
# CONFIG_RD_LZMA is not set
# CONFIG_RD_XZ is not set
# CONFIG_RD_LZO is not set
# CONFIG_CC_OPTIMIZE_FOR_SIZE is not set
# CONFIG_UPTIME_LIMITED_KERNEL is n...
Did you successfully include any other stuff?
Maybe you should try that.
Can you tell me where I can find the COMPUTE_MODULE_SIG, COMPUTE_MODULE_SIG_ALL, and COMPUTE_MODULE_SIG_SHA512 in the menuconfig?
Btw. I found out I used older source files: https://downloadcenter.intel.com/download/24271 Download Intel® Edison software package 1.0.3 (edison-src-weekly-68.tgz)
I don't know why the new files are so much bigger (33MB vs. 140MB?!)
I tried to remove support for ext2 and vfat, but did not see any change (might not have done it right). The parameters to turn on module signing can be found in
menuconfig -> Loadable Module support
All Modules signed
(OPTIONAL) Change the algorithm used for signing to SHA512 (I believe the default is SHA1)
Also, I believe I mis-typed the module names (my apologies). They should be:
CONFIG_MODULE_SIG, CONFIG_MODULE_SIG_ALL, CONFIG_MODULE_SIG_SHA512.
You can just enable these in defconfig manually if you prefer (I believe there is a commented out entry for CONFIG_MODULE_SIG):
I tried running edison-src-weekly-68.tgz; however, I ran into the following error:
ERROR: Task 535 (/home/msiadmin/Documents/edison-src/device-software/meta-edison-distro/recipes-connectivity/libwebsockets/libwebsockets_1.23.bb, do_compile) failed with exit code '1'
This seems to be the result of the file
NOT being present. I will try to clean everything and try again.
I rebuilt my VM from the ground up, and rebuilt the image (edison-src-weekly-68.tgz). I was able to successfully build the base image and flash to the Intel Edison board. I then followed the same step-by-step checklist from your earlier post to enable signing of all kernel modules. When I tried running the postBuild.sh script I got the following warnings:
cp: cannot stat '/home/msiadmin/edison-src/build/tmp/deploy/images/edison/vmlinux': No such file or directory
./postBuild.sh: line 64: /home/msiadmin/edison-src/u-boot/tools/mkimage: No such file or directory
The toFlash directory created fine, so I tried flashing the Edison board; however, I saw the same behavior:
- /proc/keys contains a new entry for modules, but this entry is empty
- hexdump -C *.ko | tail shows none of the modules have been signed
A bit of a long shot, but is there a technical support number for the Intel Edison?
Thanks for the assistance!
I don't know if there is a support number...
The last few days I tried to build an image based on the newest source files and got several errors... --> this helped: http://hobby.farit.ru/building-yocto-linux-for-intel-edison/ Building Yocto Linux for Intel Edison | Hobby
I tried to look up your modules, but I did not find them, I chose the modules I thought you meant...
The image building is still in progress, should be finished next time...
I always get some warnings ^^
I will post updates soon...
It also includes the driver for Lan9512, so the boot up without the device may take a while...
Everything should be included, but I don't know if it does what you want to do
On the Intel Edison I get:
root@edison:~# cat /proc/keys
009171bf I------ 1 perm 1f030000 0 0 keyring .dns_resolver: empty
09b97bf2 I------ 1 perm 1f030000 0 0 keyring .module_sign: empty
17ad40dc I------ 1 perm 1f030000 0 0 keyring .id_resolver: empty
If this is still not what you want, maybe the build sequence must be customized for using signed modules, but I don't know how to do this...
Sorry for the late reply (I was traveling last week and was unable to try your solution). I downloaded the file you posted on zippyshare.com and tested it on the Edison, but unfortunately it has the kernel signing stripped from the modules:
- .module_sign: empty indicates that there is no key to validate the signed kernel modules. In my experience, this key only exists if the kernel signing is enabled. Not sure why the process does not include the key...
- If you perform a hexdump -C *.ko | tail on any kernel module you should see a message indicating that the module is signed. I checked 2-3 kernel modules and did not see this.
Will continue to comb through bitbake log files to see what the source of the issue might be.
How are you flashing the image from Flo1991? Are you using the flashall script? Are you having error messages while running the script?
Regarding the bitbake problems, I suggest you always clean the image or start from scratch after every try; there could be some files that may be causing the problems, and the only way to remove them or recover them is to clean it or start again.
Are you always replacing the .config with the defconfig file?
Please let me know if you have updates from checking the bitbake log files.
Yes, I used the flashall.sh script. I performed the flash from a Macintosh OSX machine. I did not see any messages.
I do try to clean between every build (can't remember if I did for all build attempts).
I always replace the defconfig with the .config (I have even tried modifying the defconfig by hand).
I will try digging through the bitbake log files.
Just thought I would let you know that a colleague helped me resolve the issue.
Apparently, the yocto process compiles and creates the signed kernel modules and places them into a modules.tar.gz. However, during the flashall.sh process the signing and keys are stripped (don't know why). The solution was to overwrite (or add separately) the existing /lib/modules with the signed modules in the modules.tar.gz. If this is of interest to anyone, I can write another response and include more detailed information, but that is the general idea.
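Added example (not part of any post in this thread): a script that automates the hexdump -C *.ko | tail check over a whole module tree, so the modules unpacked from modules.tar.gz and the ones in the flashed /lib/modules can be compared. The function names are hypothetical; the trailer layout assumed is the kernel's struct module_signature followed by the 28-byte marker, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: list which *.ko files under a directory end with the kernel's
# appended-signature trailer (the text that `hexdump -C *.ko | tail` shows).
MAGIC_HEX=$(printf '~Module signature appended~\n' | od -An -tx1 | tr -d ' \n')

# True if the last 28 bytes of the file are the signature marker.
is_signed() {
    [ "$(tail -c 28 "$1" | od -An -tx1 | tr -d ' \n')" = "$MAGIC_HEX" ]
}

# Decode the 12-byte struct module_signature that precedes the marker:
# algo, hash, id_type, signer_len, key_id_len, 3 pad bytes, sig_len (big-endian).
sig_info() {
    set -- $(tail -c 40 "$1" | od -An -tu1 -N 12)
    case $2 in
        2) h=sha1 ;; 4) h=sha256 ;; 5) h=sha384 ;; 6) h=sha512 ;; 7) h=sha224 ;;
        *) h="hash-id-$2" ;;
    esac
    echo "$h sig_len=$(( $9 * 16777216 + ${10} * 65536 + ${11} * 256 + ${12} ))"
}

# One line per module: "signed <hash> sig_len=<n> <path>" or "UNSIGNED <path>".
scan_modules() {
    find "$1" -type f -name '*.ko' | sort | while IFS= read -r ko; do
        if is_signed "$ko"; then echo "signed $(sig_info "$ko") $ko"
        else echo "UNSIGNED $ko"; fi
    done
}

count_unsigned() { scan_modules "$1" | grep -c '^UNSIGNED' || true; }

# Constructed sample data (not real modules): one file with a fake 256-byte
# signature blob plus trailer, one file without.
make_sample() {
    printf 'ELF-body' > "$1/unsigned.ko"
    { printf 'ELF-body'; dd if=/dev/zero bs=256 count=1 2>/dev/null
      printf '\001\006\001\000\000\000\000\000\000\000\001\000'
      printf '~Module signature appended~\n'; } > "$1/signed.ko"
}

# With a directory argument, scan it; without one, demo on the constructed sample.
if [ "$#" -gt 0 ]; then scan_modules "$1"
else d=$(mktemp -d); make_sample "$d"; scan_modules "$d"; rm -rf "$d"; fi
```

Run it with a directory argument, once on the unpacked modules.tar.gz and once on a copy of the device's /lib/modules; modules reported as signed in the first run but UNSIGNED in the second lost their trailer after the build.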
I'm glad to know that you have been able to solve this. Thank you very much for the update regarding the solution you used. I think that another post/response with more detailed steps of what you have done is a great idea, this will help other developers/makers that would like to do something similar, so if you have time for it I encourage you to post it.