From: David Howells <dhowells@redhat.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: dhowells@redhat.com, Michal Marek <mmarek@suse.cz>,
Linux Kbuild mailing list <linux-kbuild@vger.kernel.org>
Subject: Re: Still some race in X509 certificates handling
Date: Fri, 13 Feb 2015 12:15:47 +0000 [thread overview]
Message-ID: <417.1423829747@warthog.procyon.org.uk> (raw)
In-Reply-To: <CA+55aFzgR3BaK4ihHmToZrft4=7NktH1nmi3tV0QMR4Y3QU4Kg@mail.gmail.com>
Linus Torvalds <torvalds@linux-foundation.org> wrote:
> When it happens, I can do a rebuild, and the build will say
>
> X.509 certificate list changed
>
> which is kind of odd, since the list should *always* be just that
> single key for me (ie "./signing_key.509").
Did you by any chance set aside a build tree that went wrong? If so, could
you have a look to see what's in:
<builddir>/kernel/.x509.list
<builddir>/kernel/x509_certificate_list (note this is binary)
<builddir>/x509.genkey
and make sure that:
<builddir>/signing_key.priv
<builddir>/signing_key.x509
both exist. I wonder if the problem might perhaps be due to one of
signing_key.priv or signing_key.x509 getting removed somehow - but not both.
Make seems a bit weird on targets that produce two files, one of which isn't
depended on (it might remove it under some circumstances, I think).
Btw, do you use O=<builddir> when you're building? That causes a certain
amount of pain to get right because:
(1) the auto-generated keys have to be placed into the build dir, not the
source dir;
(2) we still need to scrape extra X.509 certs from the source dir; and
(3) we don't want to see the autogenerated X.509 certificate twice if the
build dir is the same as the source dir.
Actually, we could simplify the makefile a bit and waive (3) if we weeded out
duplicate X.509 certs by X.509 parameter value rather than by filename before
adding them into the kernel.
> (Side note: the HHGTTG references are cute, but I suspect we should
> rename the key so that it just says something boring like "build-time
> autogenerated kernel key" instead. Just so that the error messages are
> a bit more readable to people who aren't kernel engineers)
Awww...
My main point was to try and encourage distributions to supply an x509.genkey
with fields filled in with appropriate info. I guess that's probably achieved
by now, so I could make it something else. It has to be specified by an
X.400/X.500 DN, though, so maybe:
@echo >>x509.genkey "O = Your company name"
@echo >>x509.genkey "CN = Build time autogenerated kernel key"
@echo >>x509.genkey "emailAddress = you@your.company"
I would really like to leave O, CN and emailAddress in here because these are
the fields that x509_fabricate_name() uses in the kernel.
David
next prev parent reply other threads:[~2015-02-13 12:15 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-02-12 18:18 Still some race in X509 certificates handling Linus Torvalds
2015-02-13 12:15 ` David Howells [this message]
2015-02-13 16:56 ` Linus Torvalds
2015-02-18 14:04 ` Michal Marek
2015-02-18 14:36 ` Michal Marek
2015-02-18 18:49 ` Linus Torvalds
2015-02-18 19:44 ` Michal Marek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=417.1423829747@warthog.procyon.org.uk \
--to=dhowells@redhat.com \
--cc=linux-kbuild@vger.kernel.org \
--cc=mmarek@suse.cz \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox