From patchwork Thu May 28 15:48:15 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: David Howells X-Patchwork-Id: 6499811 X-Patchwork-Delegate: kvalo@adurom.com Return-Path: X-Original-To: patchwork-linux-wireless@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork2.web.kernel.org (Postfix) with ESMTP id B4A5FC0020 for ; Thu, 28 May 2015 15:51:12 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id A31B620647 for ; Thu, 28 May 2015 15:51:11 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 7371320645 for ; Thu, 28 May 2015 15:51:10 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932305AbbE1PvH (ORCPT ); Thu, 28 May 2015 11:51:07 -0400 Received: from mx1.redhat.com ([209.132.183.28]:39019 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754470AbbE1PsX (ORCPT ); Thu, 28 May 2015 11:48:23 -0400 Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22]) by mx1.redhat.com (Postfix) with ESMTPS id 7899BBF9F7; Thu, 28 May 2015 15:48:22 +0000 (UTC) Received: from warthog.procyon.org.uk (ovpn-112-71.phx2.redhat.com [10.3.112.71]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id t4SFmGfU010851; Thu, 28 May 2015 11:48:17 -0400 Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903 Subject: [PATCH 14/20] modsign: Use single PEM file for autogenerated key [ver #5] From: David Howells To: mcgrof@gmail.com Cc: mjg59@srcf.ucam.org, keyrings@linux-nfs.org, gregkh@linuxfoundation.org, kyle@kernel.org, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, seth.forshee@canonical.com, linux-security-module@vger.kernel.org, zohar@linux.vnet.ibm.com, dwmw2@infradead.org Date: Thu, 28 May 2015 16:48:15 +0100 Message-ID: <20150528154815.1259.19533.stgit@warthog.procyon.org.uk> In-Reply-To: <20150528154605.1259.42518.stgit@warthog.procyon.org.uk> References: <20150528154605.1259.42518.stgit@warthog.procyon.org.uk> User-Agent: StGit/0.17.1-dirty MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22 Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI, T_RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: David Woodhouse The current rule for generating signing_key.priv and signing_key.x509 is a classic example of a bad rule which has a tendency to break parallel make. When invoked to create *either* target, it generates the other target as a side-effect that make didn't predict. So let's switch to using a single file signing_key.pem which contains both key and certificate. That matches what we do in the case of an external key specified by CONFIG_MODULE_SIG_KEY anyway, so it's also slightly cleaner. Signed-off-by: David Woodhouse Signed-off-by: David Howells --- .gitignore | 1 + Documentation/module-signing.txt | 9 ++++----- Makefile | 4 ++-- init/Kconfig | 4 ++-- kernel/Makefile | 15 +++++++-------- 5 files changed, 16 insertions(+), 17 deletions(-) -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/.gitignore b/.gitignore index 4ad4a98b884b..17fa24dd7e46 100644 --- a/.gitignore +++ b/.gitignore @@ -97,6 +97,7 @@ GTAGS # Leavings from module signing # extra_certificates +signing_key.pem signing_key.priv signing_key.x509 x509.genkey diff --git a/Documentation/module-signing.txt b/Documentation/module-signing.txt index 693001920890..5d5e4e32dc26 100644 --- a/Documentation/module-signing.txt +++ b/Documentation/module-signing.txt @@ -91,7 +91,7 @@ This has a number of options available: (4) "File name or PKCS#11 URI of module signing key" (CONFIG_MODULE_SIG_KEY) Setting this option to something other than its default of - "signing_key.priv" will disable the autogeneration of signing keys and + "signing_key.pem" will disable the autogeneration of signing keys and allow the kernel modules to be signed with a key of your choosing. The string provided should identify a file containing both a private key and its corresponding X.509 certificate in PEM form, or — on @@ -116,11 +116,10 @@ kernel so that it can be used to check the signatures as the modules are loaded. Under normal conditions, when CONFIG_MODULE_SIG_KEY is unchanged from its -default of "signing_key.priv", the kernel build will automatically generate -a new keypair using openssl if one does not exist in the files: +default, the kernel build will automatically generate a new keypair using +openssl if one does not exist in the file: - signing_key.priv - signing_key.x509 + signing_key.pem during the building of vmlinux (the public part of the key needs to be built into vmlinux) using parameters in the: diff --git a/Makefile b/Makefile index 9590e67c2094..ce2f4682a37a 100644 --- a/Makefile +++ b/Makefile @@ -1175,8 +1175,8 @@ MRPROPER_DIRS += include/config usr/include include/generated \ arch/*/include/generated .tmp_objdiff MRPROPER_FILES += .config .config.old .version .old_version \ Module.symvers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS \ - signing_key.priv signing_key.x509 x509.genkey \ - extra_certificates signing_key.x509.keyid \ + signing_key.pem signing_key.priv signing_key.x509 \ + x509.genkey extra_certificates signing_key.x509.keyid \ signing_key.x509.signer vmlinux-gdb.py # clean - Delete most, but leave enough to build external modules diff --git a/init/Kconfig b/init/Kconfig index a4b4f390d8f2..a52935338419 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -1956,7 +1956,7 @@ config MODULE_SIG_HASH config MODULE_SIG_KEY string "File name or PKCS#11 URI of module signing key" - default "signing_key.priv" + default "signing_key.pem" depends on MODULE_SIG help Provide the file name of a private key/certificate in PEM format, @@ -1964,7 +1964,7 @@ config MODULE_SIG_KEY the URI should identify, both the certificate and its corresponding private key. - If this option is unchanged from its default "signing_key.priv", + If this option is unchanged from its default "signing_key.pem", then the kernel will automatically generate the private key and certificate as described in Documentation/module-signing.txt diff --git a/kernel/Makefile b/kernel/Makefile index 9fb259d0383c..541e1e89e90c 100644 --- a/kernel/Makefile +++ b/kernel/Makefile @@ -173,8 +173,8 @@ endif # We do it this way rather than having a boolean option for enabling an # external private key, because 'make randconfig' might enable such a # boolean option and we unfortunately can't make it depend on !RANDCONFIG. -ifeq ($(CONFIG_MODULE_SIG_KEY),"signing_key.priv") -signing_key.priv signing_key.x509: x509.genkey +ifeq ($(CONFIG_MODULE_SIG_KEY),"signing_key.pem") +signing_key.pem: x509.genkey @echo "###" @echo "### Now generating an X.509 key pair to be used for signing modules." @echo "###" @@ -185,8 +185,8 @@ signing_key.priv signing_key.x509: x509.genkey @echo "###" openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \ -batch -x509 -config x509.genkey \ - -outform DER -out signing_key.x509 \ - -keyout signing_key.priv 2>&1 + -outform PEM -out signing_key.pem \ + -keyout signing_key.pem 2>&1 @echo "###" @echo "### Key pair generated." @echo "###" @@ -210,9 +210,9 @@ x509.genkey: @echo >>x509.genkey "keyUsage=digitalSignature" @echo >>x509.genkey "subjectKeyIdentifier=hash" @echo >>x509.genkey "authorityKeyIdentifier=keyid" -else -# For external (PKCS#11 or PEM) key, we need to obtain the certificate from -# CONFIG_MODULE_SIG_KEY automatically. +endif + +# We need to obtain the certificate from CONFIG_MODULE_SIG_KEY. quiet_cmd_extract_der = CERT_DER $(2) cmd_extract_der = scripts/extract-cert "$(2)" signing_key.x509 @@ -249,4 +249,3 @@ endif signing_key.x509: scripts/extract-cert include/config/module/sig/key.h $(X509_DEP) $(call cmd,extract_der,$(X509_SOURCE)) endif -endif