From: Greg KH <gregkh@linuxfoundation.org>
To: Rusty Russell <rusty@rustcorp.com.au>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
David Howells <dhowells@redhat.com>,
David Miller <davem@davemloft.net>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
jwboyer@redhat.com, pjones@redhat.com
Subject: Re: RFC: sign the modules at install time
Date: Thu, 18 Oct 2012 10:16:28 -0700 [thread overview]
Message-ID: <20121018171628.GD23278@kroah.com> (raw)
In-Reply-To: <877gqoo0tp.fsf@rustcorp.com.au>
On Thu, Oct 18, 2012 at 03:04:26PM +1030, Rusty Russell wrote:
> Linus Torvalds <torvalds@linux-foundation.org> writes:
> > On Wed, Oct 17, 2012 at 5:54 PM, Greg KH <gregkh@linuxfoundation.org> wrote:
> >>>
> >>> One of the main sane use-cases for module signing is:
> >>>
> >>> - CONFIG_CHECK_SIGNATURE=y
> >>> - randomly generated one-time key
> >>> - "make modules_install; make install"
> >>> - "make clean" to get rid of the keys.
> >>> - reboot.
> >>
> >> I want that too, but right now 'make clean' leaves the keys around,
> >> which seems a bit dangerous to me.
> >
> > Oh, yes, we should make sure the key file gets cleaned up at "make clean".
>
> I left it at distclean, figuring the temporary key is a bit like the
> .config. But it's trivial to change if people think that's unnatural.
.config is user-generated, while the key is build-generated. I assumed
that 'make clean' would clean up anything the build created, but as
Linus points out, the docs say that we will have enough stuff around to
build a module, so I guess it makes sense in that case.
Oh, along those lines, should the keys really end up in the root of the
kernel source tree? keys/ perhaps? But this is really just
bikesheding, that's up to you and David, it's not my code to maintain :)
thanks,
greg k-h
next prev parent reply other threads:[~2012-10-18 17:16 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-10-17 20:36 RFC: sign the modules at install time Linus Torvalds
2012-10-17 22:19 ` David Howells
2012-10-17 22:44 ` Linus Torvalds
2012-10-18 0:54 ` Greg KH
2012-10-18 3:14 ` Linus Torvalds
2012-10-18 3:18 ` Linus Torvalds
2012-10-18 4:34 ` Rusty Russell
2012-10-18 17:16 ` Greg KH [this message]
2012-10-18 4:31 ` Rusty Russell
2012-10-18 12:11 ` Josh Boyer
2012-10-18 16:29 ` Linus Torvalds
2012-10-19 0:20 ` Rusty Russell
2012-10-19 11:21 ` David Howells
2012-10-21 23:51 ` Rusty Russell
2012-10-20 16:41 ` Romain Francoise
2012-10-20 16:47 ` Linus Torvalds
2012-10-17 22:26 ` Josh Boyer
2012-10-17 23:07 ` Linus Torvalds
2012-10-17 23:20 ` Josh Boyer
2012-10-17 23:25 ` Linus Torvalds
2012-10-17 23:44 ` Linus Torvalds
2012-10-18 0:06 ` Linus Torvalds
2012-10-17 23:21 ` Linus Torvalds
2012-10-18 0:13 ` Josh Boyer
2012-10-18 4:41 ` Rusty Russell
2012-10-18 1:17 ` Rusty Russell
2012-10-18 3:27 ` Linus Torvalds
2012-10-18 5:34 ` Rusty Russell
2012-10-18 18:46 ` Linus Torvalds
2012-10-18 19:58 ` Josh Boyer
2012-10-19 0:48 ` Rusty Russell
2012-10-19 11:44 ` Josh Boyer
2012-10-19 1:16 ` Rusty Russell
2012-10-19 11:49 ` Josh Boyer
2012-10-19 1:23 ` Rusty Russell
2012-10-19 3:21 ` Stephen Rothwell
2012-10-19 11:25 ` David Howells
2012-10-19 11:30 ` Stephen Rothwell
2012-10-19 11:40 ` Alexander Holler
2012-10-20 3:53 ` Rusty Russell
2012-10-19 19:58 ` Linus Torvalds
2012-10-19 22:04 ` Linus Torvalds
2012-10-22 0:28 ` Rusty Russell
-- strict thread matches above, loose matches on Subject: below --
2012-10-18 21:31 George Spelvin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20121018171628.GD23278@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=jwboyer@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=pjones@redhat.com \
--cc=rusty@rustcorp.com.au \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.