From: Michal Marek <mmarek@suse.cz>
To: Emily Maier <emilymaier@mykolab.com>
Cc: lkml <linux-kernel@vger.kernel.org>,
linux-kbuild <linux-kbuild@vger.kernel.org>
Subject: Re: [PATCH RFC] kernel build: enable use of password-protected signing keys
Date: Thu, 13 Feb 2014 11:21:49 +0100 [thread overview]
Message-ID: <52FC9CBD.5010702@suse.cz> (raw)
In-Reply-To: <52FBF8A8.1010304@mykolab.com>
On 2014-02-12 23:41, Emily Maier wrote:
> On 02/10/2014 08:51 AM, Michal Marek wrote:
>> On 9.2.2014 23:38, Emily Maier wrote:
>>> Currently, the module signing script assumes that the private key is
>>> not password-protected. This patch makes it slightly more secure by
>>> allowing it to be passed in on the command line as "make
>>> modules_install MOD_PASSWORD=abc". It's vulnerable to snooping during
>>> the build of course, but so is an unprotected signing key.
>>
>> The key's permissions can be set to 0600, while the make commandline is
>> visible in ps.
>
> Ok, I'll change it to that and look into other options as well. I think
> there may be a way to pass it to OpenSSL off disk and the command line
> entirely.
>
> Would it be appropriate to add Kconfig options for this or try to
> autodetect the password file?
What some vendors do is that they have the modules signed by a signing
machine that is separated from the build farm. So they typically unset
MODULE_SIG_ALL and handle the signing outside kbuild. The other option
is to have a wrapper for the openssl command, not sure if anybody is
doing that.
Michal
prev parent reply other threads:[~2014-02-13 10:21 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-02-09 22:38 [PATCH RFC] kernel build: enable use of password-protected signing keys Emily Maier
2014-02-10 13:51 ` Michal Marek
[not found] ` <52FBF8A8.1010304@mykolab.com>
2014-02-13 10:21 ` Michal Marek [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=52FC9CBD.5010702@suse.cz \
--to=mmarek@suse.cz \
--cc=emilymaier@mykolab.com \
--cc=linux-kbuild@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox