Message ID | 1428626238.3789.0.camel@memnix.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Added David Howels and keyrings@linux-nfs.org to Cc Michal On 2015-04-10 02:37, Abelardo Ricart III wrote: > > The module-signing.txt documentation states that the kernel will use an existing > x.509 key pair for module signing should they exist in the root of the source tree. > However, user provided signing keys are unexpectedly overwritten during build if the > last-modified times on the key pair are older than the "x509.genkey" target dependency. > This fix stops this unexpected behavior, and warns if the key pair was not found. > > Signed-off-by: Abelardo Ricart III <aricart@memnix.com> > --- > > diff --git a/kernel/Makefile b/kernel/Makefile > index 1408b33..10c8df0 100644 > --- a/kernel/Makefile > +++ b/kernel/Makefile > @@ -168,7 +168,8 @@ ifndef CONFIG_MODULE_SIG_HASH > $(error Could not determine digest type to use from kernel config) > endif > > -signing_key.priv signing_key.x509: x509.genkey > +signing_key.priv signing_key.x509: | x509.genkey > + $(warning *** X.509 module signing key pair not found in root of source tree ***) > @echo "###" > @echo "### Now generating an X.509 key pair to be used for signing modules." > @echo "###" > -- To unsubscribe from this list: send the line "unsubscribe linux-kbuild" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
What's the word on this? On Mon, 2015-04-13 at 15:16 +0200, Michal Marek wrote: > Added David Howels and keyrings@linux-nfs.org to Cc > > Michal > > On 2015-04-10 02:37, Abelardo Ricart III wrote: > > > > The module-signing.txt documentation states that the kernel will use an > > existing > > x.509 key pair for module signing should they exist in the root of the > > source tree. > > However, user provided signing keys are unexpectedly overwritten during > > build if the > > last-modified times on the key pair are older than the "x509.genkey" target > > dependency. > > This fix stops this unexpected behavior, and warns if the key pair was not > > found. > > > > Signed-off-by: Abelardo Ricart III <aricart@memnix.com> > > --- > > > > diff --git a/kernel/Makefile b/kernel/Makefile > > index 1408b33..10c8df0 100644 > > --- a/kernel/Makefile > > +++ b/kernel/Makefile > > @@ -168,7 +168,8 @@ ifndef CONFIG_MODULE_SIG_HASH > > $(error Could not determine digest type to use from kernel config) > > endif > > > > -signing_key.priv signing_key.x509: x509.genkey > > +signing_key.priv signing_key.x509: | x509.genkey > > + $(warning *** X.509 module signing key pair not found in root of > > source tree ***) > > @echo "###" > > @echo "### Now generating an X.509 key pair to be used for signing > > modules." > > @echo "###" > > > > -- > To unsubscribe from this list: send the line "unsubscribe linux-kbuild" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe linux-kbuild" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/kernel/Makefile b/kernel/Makefile index 1408b33..10c8df0 100644 --- a/kernel/Makefile +++ b/kernel/Makefile @@ -168,7 +168,8 @@ ifndef CONFIG_MODULE_SIG_HASH $(error Could not determine digest type to use from kernel config) endif -signing_key.priv signing_key.x509: x509.genkey +signing_key.priv signing_key.x509: | x509.genkey + $(warning *** X.509 module signing key pair not found in root of source tree ***) @echo "###" @echo "### Now generating an X.509 key pair to be used for signing modules." @echo "###"
The module-signing.txt documentation states that the kernel will use an existing x.509 key pair for module signing should they exist in the root of the source tree. However, user provided signing keys are unexpectedly overwritten during build if the last-modified times on the key pair are older than the "x509.genkey" target dependency. This fix stops this unexpected behavior, and warns if the key pair was not found. Signed-off-by: Abelardo Ricart III <aricart@memnix.com> --- -- To unsubscribe from this list: send the line "unsubscribe linux-kbuild" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html