From: Michal Marek <mmarek@suse.cz>
To: Emily Maier <emilymaier@mykolab.com>
Cc: lkml <linux-kernel@vger.kernel.org>,
	linux-kbuild <linux-kbuild@vger.kernel.org>
Subject: Re: [PATCH RFC] kernel build: enable use of password-protected signing keys
Date: Thu, 13 Feb 2014 11:21:49 +0100
Message-ID: <52FC9CBD.5010702@suse.cz>
In-Reply-To: <52FBF8A8.1010304@mykolab.com>

On 2014-02-12 23:41, Emily Maier wrote:
> On 02/10/2014 08:51 AM, Michal Marek wrote:
>> On 9.2.2014 23:38, Emily Maier wrote:
>>> Currently, the module signing script assumes that the private key is 
>>> not password-protected. This patch makes it slightly more secure by 
>>> allowing it to be passed in on the command line as "make 
>>> modules_install MOD_PASSWORD=abc". It's vulnerable to snooping during 
>>> the build of course, but so is an unprotected signing key.
>>
>> The key's permissions can be set to 0600, while the make command line is
>> visible in ps.
> 
> Ok, I'll change it to that and look into other options as well. I think
> there may be a way to pass it to OpenSSL off disk and the command line
> entirely.
> 
> Would it be appropriate to add Kconfig options for this or try to
> autodetect the password file?

What some vendors do is that they have the modules signed by a signing
machine that is separated from the build farm. So they typically unset
MODULE_SIG_ALL and handle the signing outside kbuild. The other option
is to have a wrapper for the openssl command, not sure if anybody is
doing that.

Michal
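
The wrapper option mentioned above, sketched as an added example that is not part of the original message or of kbuild: it hands the passphrase to openssl on file descriptor 3 through openssl's `-passin fd:` source, so nothing secret appears in `ps`, and it insists on a private (0600) passphrase file. `SIGN_PASS_FILE` and `REAL_OPENSSL` are assumed names chosen for this sketch.

```shell
#!/bin/sh
# Added example: wrapper around openssl for the module signing step.
# SIGN_PASS_FILE and REAL_OPENSSL are assumed names, not kbuild variables.

# True only for a regular, non-symlink file owned by the caller, mode 0600/0400.
passfile_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    pf_mode=$(stat -c '%a' "$1") || return 1    # GNU stat (Linux build host)
    pf_owner=$(stat -c '%u' "$1") || return 1
    case "$pf_mode" in
        600|400) ;;
        *) return 1 ;;
    esac
    [ "$pf_owner" = "$(id -u)" ]
}

# True if any argument carries a literal passphrase ("pass:..."),
# which other users could read through ps.
argv_leaks_secret() {
    for arg in "$@"; do
        case "$arg" in
            pass:*) return 0 ;;
        esac
    done
    return 1
}

# Runs the real openssl with the passphrase supplied on file descriptor 3,
# so argv only ever contains the string "fd:3".
run_openssl() {
    if argv_leaks_secret "$@"; then
        echo "openssl wrapper: refusing passphrase on the command line" >&2
        return 2
    fi
    if ! passfile_ok "$SIGN_PASS_FILE"; then
        echo "openssl wrapper: passphrase file missing or not private" >&2
        return 3
    fi
    "${REAL_OPENSSL:-/usr/bin/openssl}" "$@" -passin fd:3 3<"$SIGN_PASS_FILE"
}

# Act as the wrapper only when installed under the name "openssl" in PATH.
case "${0##*/}" in
    openssl) run_openssl "$@" ;;
esac
```

The wrapper appends `-passin` to every call, so it is only suitable for the directory placed ahead of the real openssl in `PATH` for the signing step.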

Thread overview: 3+ messages
2014-02-09 22:38 [PATCH RFC] kernel build: enable use of password-protected signing keys Emily Maier
2014-02-10 13:51 ` Michal Marek
     [not found]   ` <52FBF8A8.1010304@mykolab.com>
2014-02-13 10:21     ` Michal Marek [this message]