[yocto] How to package the signed kernel modules into the filesystem ?

Nicolas ADELL nicolas.adell at actia.fr
Mon Jun 12 03:00:15 PDT 2017


I am working with kernel 3.10.17 and poky daisy.

The kernel was patched to support certificates list & trusted keyring.

I managed to build the kernel both with an own keypair (signature done manually post-build) and with the CONFIG_MODULE_SIG_ALL option enabled.

In the second case, I noticed that signed modules are not included in the /lib/modules directory of the filesystem image, although the variable MACHINE_EXTRA_RRECOMMENDS contains "kernel-modules" into the machine configuration.

All modules integrated inside the filesystem remained unsigned. They do not include the digital signature normally appended at their end.

Once flashed with the rootfs, the proper certificate is loaded on the device, but 'lsmod' command returns an empty list of loaded modules.

However, signed modules are packaged into the modules.tgz file. That's why modules are loaded as expected if I untar the archive's content on the device.

It might be possible to run a custom command by overloading the ROOTFS_POSTPROCESS_COMMAND variable but is there a more appropriate way to proceed ?

Best regards,


More information about the yocto mailing list