From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mx1.redhat.com ([209.132.183.28]:39527 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752303AbbBMMPz (ORCPT ); Fri, 13 Feb 2015 07:15:55 -0500 From: David Howells In-Reply-To: References: Subject: Re: Still some race in X509 certificates handling MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <416.1423829747.1@warthog.procyon.org.uk> Date: Fri, 13 Feb 2015 12:15:47 +0000 Message-ID: <417.1423829747@warthog.procyon.org.uk> Sender: linux-kbuild-owner@vger.kernel.org List-ID: To: Linus Torvalds Cc: dhowells@redhat.com, Michal Marek , Linux Kbuild mailing list Linus Torvalds wrote: > When it happens, I can do a rebuild, and the build will say > > X.509 certificate list changed > > which is kind of odd, since the list should *always* be just that > single key for me (ie "./signing_key.509"). Did you by any chance set aside a build tree that went wrong? If so, could you have a look to see what's in: /kernel/.x509.list /kernel/x509_certificate_list (note this is binary) /x509.genkey and make sure that: /signing_key.priv /signing_key.x509 both exist. I wonder if the problem might perhaps be due to one of signing_key.priv or signing_key.x509 getting removed somehow - but not both. Make seems a bit weird on targets that produce two files, one of which isn't depended on (it might remove it under some circumstances, I think). Btw, do you use O= when you're building? That causes a certain amount of pain to get right because: (1) the auto-generated keys have to be placed into the build dir, not the source dir; (2) we still need to scrape extra X.509 certs from the source dir; and (3) we don't want to see the autogenerated X.509 certificate twice if the build dir is the same as the source dir. Actually, we could simplify the makefile a bit and waive (3) if we weeded out duplicate X.509 certs by X.509 parameter value rather than by filename before adding them into the kernel. > (Side note: the HHGTTG references are cute, but I suspect we should > rename the key so that it just says something boring like "build-time > autogenerated kernel key" instead. Just so that the error messages are > a bit more readable to people who aren't kernel engineers) Awww... My main point was to try and encourage distributions to supply an x509.genkey with fields filled in with appropriate info. I guess that's probably achieved by now, so I could make it something else. It has to be specified by an X.400/X.500 DN, though, so maybe: @echo >>x509.genkey "O = Your company name" @echo >>x509.genkey "CN = Build time autogenerated kernel key" @echo >>x509.genkey "emailAddress = you@your.company" I would really like to leave O, CN and emailAddress in here because these are the fields that x509_fabricate_name() uses in the kernel. David