[PATCHv2 RFC 1/1] Explicit check for existing X.509 module signing keypair

linux-kbuild.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCHv2 RFC 1/1] Explicit check for existing X.509 module signing keypair
@ 2015-04-10  0:37 Abelardo Ricart III
  2015-04-13 13:16 ` Michal Marek
  0 siblings, 1 reply; 3+ messages in thread
From: Abelardo Ricart III @ 2015-04-10  0:37 UTC (permalink / raw)
  To: linux-kbuild; +Cc: mmarek


The module-signing.txt documentation states that the kernel will use an existing
x.509 key pair for module signing should they exist in the root of the source tree.
However, user provided signing keys are unexpectedly overwritten during build if the 
last-modified times on the key pair are older than the "x509.genkey" target dependency.
This fix stops this unexpected behavior, and warns if the key pair was not found.

Signed-off-by: Abelardo Ricart III <aricart@memnix.com>
---

diff --git a/kernel/Makefile b/kernel/Makefile
index 1408b33..10c8df0 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -168,7 +168,8 @@ ifndef CONFIG_MODULE_SIG_HASH
 $(error Could not determine digest type to use from kernel config)
 endif
 
-signing_key.priv signing_key.x509: x509.genkey
+signing_key.priv signing_key.x509: | x509.genkey
+       $(warning *** X.509 module signing key pair not found in root of source tree ***)
        @echo "###"
        @echo "### Now generating an X.509 key pair to be used for signing modules."
        @echo "###"


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCHv2 RFC 1/1] Explicit check for existing X.509 module signing keypair
  2015-04-10  0:37 [PATCHv2 RFC 1/1] Explicit check for existing X.509 module signing keypair Abelardo Ricart III
@ 2015-04-13 13:16 ` Michal Marek
  2015-04-24 23:04   ` Abelardo Ricart III
  0 siblings, 1 reply; 3+ messages in thread
From: Michal Marek @ 2015-04-13 13:16 UTC (permalink / raw)
  To: Abelardo Ricart III; +Cc: linux-kbuild, David Howells, keyrings

Added David Howels and keyrings@linux-nfs.org to Cc

Michal

On 2015-04-10 02:37, Abelardo Ricart III wrote:
> 
> The module-signing.txt documentation states that the kernel will use an existing
> x.509 key pair for module signing should they exist in the root of the source tree.
> However, user provided signing keys are unexpectedly overwritten during build if the 
> last-modified times on the key pair are older than the "x509.genkey" target dependency.
> This fix stops this unexpected behavior, and warns if the key pair was not found.
> 
> Signed-off-by: Abelardo Ricart III <aricart@memnix.com>
> ---
> 
> diff --git a/kernel/Makefile b/kernel/Makefile
> index 1408b33..10c8df0 100644
> --- a/kernel/Makefile
> +++ b/kernel/Makefile
> @@ -168,7 +168,8 @@ ifndef CONFIG_MODULE_SIG_HASH
>  $(error Could not determine digest type to use from kernel config)
>  endif
>  
> -signing_key.priv signing_key.x509: x509.genkey
> +signing_key.priv signing_key.x509: | x509.genkey
> +       $(warning *** X.509 module signing key pair not found in root of source tree ***)
>         @echo "###"
>         @echo "### Now generating an X.509 key pair to be used for signing modules."
>         @echo "###"
> 


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCHv2 RFC 1/1] Explicit check for existing X.509 module signing keypair
  2015-04-13 13:16 ` Michal Marek
@ 2015-04-24 23:04   ` Abelardo Ricart III
  0 siblings, 0 replies; 3+ messages in thread
From: Abelardo Ricart III @ 2015-04-24 23:04 UTC (permalink / raw)
  To: Michal Marek; +Cc: linux-kbuild, David Howells, keyrings

What's the word on this?

On Mon, 2015-04-13 at 15:16 +0200, Michal Marek wrote:
> Added David Howels and keyrings@linux-nfs.org to Cc
> 
> Michal
> 
> On 2015-04-10 02:37, Abelardo Ricart III wrote:
> > 
> > The module-signing.txt documentation states that the kernel will use an 
> > existing
> > x.509 key pair for module signing should they exist in the root of the 
> > source tree.
> > However, user provided signing keys are unexpectedly overwritten during 
> > build if the 
> > last-modified times on the key pair are older than the "x509.genkey" target 
> > dependency.
> > This fix stops this unexpected behavior, and warns if the key pair was not 
> > found.
> > 
> > Signed-off-by: Abelardo Ricart III <aricart@memnix.com>
> > ---
> > 
> > diff --git a/kernel/Makefile b/kernel/Makefile
> > index 1408b33..10c8df0 100644
> > --- a/kernel/Makefile
> > +++ b/kernel/Makefile
> > @@ -168,7 +168,8 @@ ifndef CONFIG_MODULE_SIG_HASH
> >  $(error Could not determine digest type to use from kernel config)
> >  endif
> >  
> > -signing_key.priv signing_key.x509: x509.genkey
> > +signing_key.priv signing_key.x509: | x509.genkey
> > +       $(warning *** X.509 module signing key pair not found in root of 
> > source tree ***)
> >         @echo "###"
> >         @echo "### Now generating an X.509 key pair to be used for signing 
> > modules."
> >         @echo "###"
> > 
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kbuild" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2015-04-24 23:04 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-04-10  0:37 [PATCHv2 RFC 1/1] Explicit check for existing X.509 module signing keypair Abelardo Ricart III
2015-04-13 13:16 ` Michal Marek
2015-04-24 23:04   ` Abelardo Ricart III

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).