From: Rusty Russell <rusty@rustcorp.com.au>
To: Josh Boyer <jwboyer@redhat.com>
Cc: Bruno Wolff III <bruno@wolff.to>,
dhowells@redhat.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] MODSIGN: Only sign modules if built in-tree
Date: Thu, 01 Nov 2012 17:38:15 +1030
Message-ID: <87390t6bs0.fsf@rustcorp.com.au>
In-Reply-To: <20121031132749.GH6627@hansolo.jdub.homelinux.org>
Josh Boyer <jwboyer@redhat.com> writes:
> When building out-of-tree modules, the current modules_install target
> will attempt to sign them if module signing is enabled. This will only
> work if the signing keys are present in the build tree. That will
> often not be the case for modules that are built out-of-tree against
> distribution kernel development packages. These distros will not include
> the signing keys, and build errors such as:
>
> INSTALL /home/bruno/rpmbuild/BUILD/dahdi-linux-2.6.1/drivers/dahdi/dahdi_dyamic_eth.ko
> Can't read private key
> make[2]: *** [/home/bruno/rpmbuild/BUILD/dahdi-linux-2.6.1/drivers/dahdi/dahdi_dynamic.ko] Error 2
>
> will prevent such modules from successfully being installed. This changes
> the mod_sign_cmd to only sign the modules if they are built in-tree. Those
> built externally can sign them manually.
I prefer something like this (untested):
diff --git a/Makefile b/Makefile
index 42d0e56..cb66c8d 100644
--- a/Makefile
+++ b/Makefile
@@ -722,8 +722,14 @@ export mod_strip_cmd
ifeq ($(CONFIG_MODULE_SIG),y)
MODSECKEY = ./signing_key.priv
MODPUBKEY = ./signing_key.x509
+ifeq ($(KBUILD_EXTMOD),)
+SIGNFAIL = false
+else
+# External builds might not have a signing key, don't break module_install.
+SIGNFAIL = true
+endif # KBUILD_EXTMOD
export MODPUBKEY
-mod_sign_cmd = perl $(srctree)/scripts/sign-file $(MODSECKEY) $(MODPUBKEY)
+mod_sign_cmd = perl $(srctree)/scripts/sign-file $(MODSECKEY) $(MODPUBKEY) || $(SIGNFAIL)
else
mod_sign_cmd = true
endif
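Review bot: On the new `mod_sign_cmd` line, `|| $(SIGNFAIL)` with `SIGNFAIL = true` swallows every non-zero exit from sign-file in an external build, not only the missing-key case the comment describes, so a module whose signing failed for any other reason is installed unsigned and the build still succeeds. Consider testing whether `$(MODSECKEY)` is readable and skipping the signing step only in that case, so that other sign-file failures stay fatal. The comment also says `module_install` where the target named in the quoted description is `modules_install`.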