Home Explore Help
Sign In
GfA
/
linux_kernel
5
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

modsign: Use single PEM file for autogenerated key

The current rule for generating signing_key.priv and signing_key.x509 is
a classic example of a bad rule which has a tendency to break parallel
make. When invoked to create *either* target, it generates the other
target as a side-effect that make didn't predict.

So let's switch to using a single file signing_key.pem which contains
both key and certificate. That matches what we do in the case of an
external key specified by CONFIG_MODULE_SIG_KEY anyway, so it's also
slightly cleaner.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: David Howells <dhowells@redhat.com>
David Woodhouse 10 years ago
parent
1329e8cc69
commit
fb11794991
5 changed files with 16 additions and 17 deletions
Split View Show Diff Stats
  1. 1 0
      .gitignore
  2. 4 5
      Documentation/module-signing.txt
  3. 2 2
      Makefile
  4. 2 2
      init/Kconfig
  5. 7 8
      kernel/Makefile

+ 1 - 0
.gitignore
View File 

@@ -97,6 +97,7 @@ GTAGS
 
 # Leavings from module signing
 
 #
 
 extra_certificates
 
+signing_key.pem
 
 signing_key.priv
 
 signing_key.x509
 
 x509.genkey

+ 4 - 5
Documentation/module-signing.txt
View File 

@@ -91,7 +91,7 @@ This has a number of options available:
 
  (4) "File name or PKCS#11 URI of module signing key" (CONFIG_MODULE_SIG_KEY)
 
 
      Setting this option to something other than its default of
 
-     "signing_key.priv" will disable the autogeneration of signing keys and
 
+     "signing_key.pem" will disable the autogeneration of signing keys and
 
      allow the kernel modules to be signed with a key of your choosing.
 
      The string provided should identify a file containing both a private
 
      key and its corresponding X.509 certificate in PEM form, or — on
 
@@ -116,11 +116,10 @@ kernel so that it can be used to check the signatures as the modules are
 
 loaded.
 
 
 Under normal conditions, when CONFIG_MODULE_SIG_KEY is unchanged from its
 
-default of "signing_key.priv", the kernel build will automatically generate
 
-a new keypair using openssl if one does not exist in the files:
 
+default, the kernel build will automatically generate a new keypair using
 
+openssl if one does not exist in the file:
 
 
-	signing_key.priv
 
-	signing_key.x509
 
+	signing_key.pem
 
 
 during the building of vmlinux (the public part of the key needs to be built
 
 into vmlinux) using parameters in the:

+ 2 - 2
Makefile
View File 

@@ -1173,8 +1173,8 @@ MRPROPER_DIRS  += include/config usr/include include/generated          \
 
 		  arch/*/include/generated .tmp_objdiff
 
 MRPROPER_FILES += .config .config.old .version .old_version \
 
 		  Module.symvers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS \
 
-		  signing_key.priv signing_key.x509 x509.genkey		\
 
-		  extra_certificates signing_key.x509.keyid		\
 
+		  signing_key.pem signing_key.priv signing_key.x509	\
 
+		  x509.genkey extra_certificates signing_key.x509.keyid	\
 
 		  signing_key.x509.signer vmlinux-gdb.py
 
 
 # clean - Delete most, but leave enough to build external modules

+ 2 - 2
init/Kconfig
View File 

@@ -1950,7 +1950,7 @@ config MODULE_SIG_HASH
 
 
 config MODULE_SIG_KEY
 
 	string "File name or PKCS#11 URI of module signing key"
 
-	default "signing_key.priv"
 
+	default "signing_key.pem"
 
 	depends on MODULE_SIG
 
 	help
 
          Provide the file name of a private key/certificate in PEM format,
 
@@ -1958,7 +1958,7 @@ config MODULE_SIG_KEY
 
          the URI should identify, both the certificate and its corresponding
 
          private key.
 
 
-         If this option is unchanged from its default "signing_key.priv",
 
+         If this option is unchanged from its default "signing_key.pem",
 
          then the kernel will automatically generate the private key and
 
          certificate as described in Documentation/module-signing.txt

+ 7 - 8
kernel/Makefile
View File 

@@ -173,8 +173,8 @@ endif
 
 # We do it this way rather than having a boolean option for enabling an
 
 # external private key, because 'make randconfig' might enable such a
 
 # boolean option and we unfortunately can't make it depend on !RANDCONFIG.
 
-ifeq ($(CONFIG_MODULE_SIG_KEY),"signing_key.priv")
 
-signing_key.priv signing_key.x509: x509.genkey
 
+ifeq ($(CONFIG_MODULE_SIG_KEY),"signing_key.pem")
 
+signing_key.pem: x509.genkey
 
 	@echo "###"
 
 	@echo "### Now generating an X.509 key pair to be used for signing modules."
 
 	@echo "###"
 
@@ -185,8 +185,8 @@ signing_key.priv signing_key.x509: x509.genkey
 
 	@echo "###"
 
 	openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \
 
 		-batch -x509 -config x509.genkey \
 
-		-outform DER -out signing_key.x509 \
 
-		-keyout signing_key.priv 2>&1
 
+		-outform PEM -out signing_key.pem \
 
+		-keyout signing_key.pem 2>&1
 
 	@echo "###"
 
 	@echo "### Key pair generated."
 
 	@echo "###"
 
@@ -210,9 +210,9 @@ x509.genkey:
 
 	@echo >>x509.genkey "keyUsage=digitalSignature"
 
 	@echo >>x509.genkey "subjectKeyIdentifier=hash"
 
 	@echo >>x509.genkey "authorityKeyIdentifier=keyid"
 
-else
 
-# For external (PKCS#11 or PEM) key, we need to obtain the certificate from
 
-# CONFIG_MODULE_SIG_KEY automatically.
 
+endif
 
+
 
+# We need to obtain the certificate from CONFIG_MODULE_SIG_KEY.
 
 quiet_cmd_extract_der = CERT_DER $(2)
 
       cmd_extract_der = scripts/extract-cert "$(2)" signing_key.x509
 
 
@@ -249,4 +249,3 @@ endif
 
 signing_key.x509: scripts/extract-cert include/config/module/sig/key.h $(X509_DEP)
 
 	$(call cmd,extract_der,$(X509_SOURCE))
 
 endif
 
-endif