Re: [PATCH] Restrict read access to private module signing key

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* Re: [PATCH] Restrict read access to private module signing key
       [not found] <1451747630-15940-1-git-send-email-aranea@aixah.de>
@ 2016-01-16 23:02 ` Luis Ressel
  0 siblings, 0 replies; 2+ messages in thread
From: Luis Ressel @ 2016-01-16 23:02 UTC (permalink / raw)
  To: keyrings; +Cc: linux-kernel, David Howells, David Woodhouse, James Morris

On Sat,  2 Jan 2016 16:13:50 +0100
Luis Ressel <aranea@aixah.de> wrote:

> The autogenerated module signing key shouldn't be world-readable.
> 
> Signed-off-by: Luis Ressel <aranea@aixah.de>
> ---
>  certs/Makefile | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/certs/Makefile b/certs/Makefile
> index 28ac694..7f1f082 100644
> --- a/certs/Makefile
> +++ b/certs/Makefile
> @@ -49,6 +49,8 @@ $(obj)/signing_key.pem: $(obj)/x509.genkey
>  	@echo "### needs to be run as root, and uses a hardware
> random" @echo "### number generator if one is available."
>  	@echo "###"
> +	touch $(obj)/signing_key.pem
> +	chmod 0600 $(obj)/signing_key.pem
>  	openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH)
> -days 36500 \ -batch -x509 -config $(obj)/x509.genkey \
>  		-outform PEM -out $(obj)/signing_key.pem \

I've contributed this patch two weeks ago, but there hasn't been any
feedback and it hasn't been merged, either. It's the first kernel patch
I've submitted, so I don't know much about the procedures here. Could
someone please merge the patch or point out any problems with it?

Regards,
Luis Ressel

^ permalink raw reply	[flat|nested] 2+ messages in thread

* [PATCH] Restrict read access to private module signing key
@ 2016-01-30 13:27 Luis Ressel
  0 siblings, 0 replies; 2+ messages in thread
From: Luis Ressel @ 2016-01-30 13:27 UTC (permalink / raw)
  To: David Howells, David Woodhouse, keyrings, linux-kernel

The autogenerated module signing key shouldn't be world-readable.

Signed-off-by: Luis Ressel <aranea@aixah.de>
---
 certs/Makefile | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/certs/Makefile b/certs/Makefile
index 28ac694..7f1f082 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -49,6 +49,8 @@ $(obj)/signing_key.pem: $(obj)/x509.genkey
 	@echo "### needs to be run as root, and uses a hardware random"
 	@echo "### number generator if one is available."
 	@echo "###"
+	touch $(obj)/signing_key.pem
+	chmod 0600 $(obj)/signing_key.pem
 	openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \
 		-batch -x509 -config $(obj)/x509.genkey \
 		-outform PEM -out $(obj)/signing_key.pem \
-- 
2.7.0

^ permalink raw reply related	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2016-01-30 13:28 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <1451747630-15940-1-git-send-email-aranea@aixah.de>
2016-01-16 23:02 ` [PATCH] Restrict read access to private module signing key Luis Ressel
2016-01-30 13:27 Luis Ressel

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox