Message ID | 20210408152403.1189121-2-stefanb@linux.ibm.com (mailing list archive) |
---|---|
State | New |
Headers | show |
Series | Add support for ECDSA-signed kernel modules | expand |
On Thu, 2021-04-08 at 11:24 -0400, Stefan Berger wrote: > Address a kbuild issue where a developer created an ECDSA key for signing > kernel modules and then builds an older version of the kernel, when bi- > secting the kernel for example, that does not support ECDSA keys. > > Trigger the creation of an RSA module signing key if it is not an RSA key. > > Fixes: cfc411e7fff3 ("Move certificate handling to its own directory") > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Thanks, Stefan. Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
On 4/8/21 1:15 PM, Mimi Zohar wrote: > On Thu, 2021-04-08 at 11:24 -0400, Stefan Berger wrote: >> Address a kbuild issue where a developer created an ECDSA key for signing >> kernel modules and then builds an older version of the kernel, when bi- >> secting the kernel for example, that does not support ECDSA keys. >> >> Trigger the creation of an RSA module signing key if it is not an RSA key. >> >> Fixes: cfc411e7fff3 ("Move certificate handling to its own directory") >> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> > Thanks, Stefan. > > Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > Via which tree will this go upstream? keyrings? Stefan
On Thu, 2021-04-08 at 15:19 -0400, Stefan Berger wrote: > On 4/8/21 1:15 PM, Mimi Zohar wrote: > > On Thu, 2021-04-08 at 11:24 -0400, Stefan Berger wrote: > >> Address a kbuild issue where a developer created an ECDSA key for signing > >> kernel modules and then builds an older version of the kernel, when bi- > >> secting the kernel for example, that does not support ECDSA keys. > >> > >> Trigger the creation of an RSA module signing key if it is not an RSA key. > >> > >> Fixes: cfc411e7fff3 ("Move certificate handling to its own directory") > >> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> > > Thanks, Stefan. > > > > Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > > > > Via which tree will this go upstream? keyrings? This patch set originally had a dependency on Nayna's v1 & v2 "ima: kernel build support for loading the kernel module signing key" patch set and on Herbert's "ecc" branch. With v3, the dependency on Nayna's patch set is gone. Jarkko, David, Herbert did you want to pick up this patch set or would you prefer that I did? Either way is fine. thanks, Mimi
diff --git a/certs/Makefile b/certs/Makefile index e3185c57fbd8..f64bc89ccbf1 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -59,6 +59,11 @@ silent_redirect_openssl = 2>/dev/null # external private key, because 'make randconfig' might enable such a # boolean option and we unfortunately can't make it depend on !RANDCONFIG. ifeq ($(CONFIG_MODULE_SIG_KEY),"certs/signing_key.pem") + +X509TEXT=$(shell openssl x509 -in $(CONFIG_MODULE_SIG_KEY) -text) + +$(if $(findstring rsaEncryption,$(X509TEXT)),,$(shell rm -f $(CONFIG_MODULE_SIG_KEY))) + $(obj)/signing_key.pem: $(obj)/x509.genkey @$(kecho) "###" @$(kecho) "### Now generating an X.509 key pair to be used for signing modules."
Address a kbuild issue where a developer created an ECDSA key for signing kernel modules and then builds an older version of the kernel, when bi- secting the kernel for example, that does not support ECDSA keys. Trigger the creation of an RSA module signing key if it is not an RSA key. Fixes: cfc411e7fff3 ("Move certificate handling to its own directory") Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> --- certs/Makefile | 5 +++++ 1 file changed, 5 insertions(+)