Re: MODSIGN without RTC? - Alexander Holler

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Alexander Holler <holler@ahsoftware.de>
To: linux-kernel@vger.kernel.org
Subject: Re: MODSIGN without RTC?
Date: Thu, 07 Feb 2013 02:06:41 +0100	[thread overview]
Message-ID: <5112FE21.4020404@ahsoftware.de> (raw)
In-Reply-To: <5112EA69.6010100@ahsoftware.de>

Am 07.02.2013 00:42, schrieb Alexander Holler:
> Hello,
>
> I wanted to try out MODSIGN with kernel 3.7.6 and I've just got hit by:
>
> [    1.346445] X.509: Cert 6a23533cec71c4c52a1618fb4d830e06aa90474e is
> not yet valid
>
> The reason is likely that the (ARM) device in question doesn't have a
> RTC (oh, that topic again ;) ) and gets it's time on boot through NTP.
>
> The used certificate was generated automatically. Having a look at it,
> the following is shown:
>
>         Validity
>              Not Before: Feb  6 02:56:46 2013 GMT
>              Not After : Jan 13 02:56:46 2113 GMT
>
> Without having thought about possible security problems, my first idea
> would be to let the validity start at 1970. As I never did such I never
> had thought about possible implications when doing such (e.g. I don't
> know if someone checks the start date for plausabilitiy)
>
> Another solution would be to retry loading of the certificate if the
> time gets set (and e.g. differs more than a year).
>
> Has someone already thought about how to solve that problem? Or did
> everyone use sane systems which have a (working) RTC?

Another option would be to make a configure option to just ignore the 
date. I'm not sure if I would like to use MODSIGN when I have to fear 
that the machine wouldn't start when the RTC fails or got set to a wrong 
date.

Regards,

Alexander

next prev parent reply	other threads:[~2013-02-07  1:07 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-02-06 23:42 MODSIGN without RTC? Alexander Holler
2013-02-07  1:06 ` Alexander Holler [this message]
2013-02-07  6:42   ` Geert Uytterhoeven
2013-02-07  7:01     ` Alexander Holler
2013-02-07 10:54       ` Alexander Holler
2013-02-13  9:30       ` Alexander Holler
2013-02-07 18:44   ` Olaf Titz
2013-02-11 19:44     ` Alexander Holler
2013-02-12 13:00       ` Alexander Holler

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5112FE21.4020404@ahsoftware.de \
    --to=holler@ahsoftware.de \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.