modsign: Use single PEM file for autogenerated key
The current rule for generating signing_key.priv and signing_key.x509 is a classic example of a bad rule which has a tendency to break parallel make. When invoked to create *either* target, it generates the other target as a side-effect that make didn't predict. So let's switch to using a single file signing_key.pem which contains both key and certificate. That matches what we do in the case of an external key specified by CONFIG_MODULE_SIG_KEY anyway, so it's also slightly cleaner. Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Signed-off-by: David Howells <dhowells@redhat.com>
This commit is contained in:
David Woodhouse
David Howells
parent
1329e8cc69
commit
fb11794991
|
|
@ -97,6 +97,7 @@ GTAGS
|
|||
# Leavings from module signing
|
||||
#
|
||||
extra_certificates
|
||||
signing_key.pem
|
||||
signing_key.priv
|
||||
signing_key.x509
|
||||
x509.genkey
|
||||
|
|
|
|||
|
|
@ -91,7 +91,7 @@ This has a number of options available:
|
|||
(4) "File name or PKCS#11 URI of module signing key" (CONFIG_MODULE_SIG_KEY)
|
||||
|
||||
Setting this option to something other than its default of
|
||||
"signing_key.priv" will disable the autogeneration of signing keys and
|
||||
"signing_key.pem" will disable the autogeneration of signing keys and
|
||||
allow the kernel modules to be signed with a key of your choosing.
|
||||
The string provided should identify a file containing both a private
|
||||
key and its corresponding X.509 certificate in PEM form, or — on
|
||||
|
|
@ -116,11 +116,10 @@ kernel so that it can be used to check the signatures as the modules are
|
|||
loaded.
|
||||
|
||||
Under normal conditions, when CONFIG_MODULE_SIG_KEY is unchanged from its
|
||||
default of "signing_key.priv", the kernel build will automatically generate
|
||||
a new keypair using openssl if one does not exist in the files:
|
||||
default, the kernel build will automatically generate a new keypair using
|
||||
openssl if one does not exist in the file:
|
||||
|
||||
signing_key.priv
|
||||
signing_key.x509
|
||||
signing_key.pem
|
||||
|
||||
during the building of vmlinux (the public part of the key needs to be built
|
||||
into vmlinux) using parameters in the:
|
||||
|
|
|
|||
4
Makefile
4
Makefile
|
|
@ -1173,8 +1173,8 @@ MRPROPER_DIRS += include/config usr/include include/generated \
|
|||
arch/*/include/generated .tmp_objdiff
|
||||
MRPROPER_FILES += .config .config.old .version .old_version \
|
||||
Module.symvers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS \
|
||||
signing_key.priv signing_key.x509 x509.genkey \
|
||||
extra_certificates signing_key.x509.keyid \
|
||||
signing_key.pem signing_key.priv signing_key.x509 \
|
||||
x509.genkey extra_certificates signing_key.x509.keyid \
|
||||
signing_key.x509.signer vmlinux-gdb.py
|
||||
|
||||
# clean - Delete most, but leave enough to build external modules
|
||||
|
|
|
|||
|
|
@ -1950,7 +1950,7 @@ config MODULE_SIG_HASH
|
|||
|
||||
config MODULE_SIG_KEY
|
||||
string "File name or PKCS#11 URI of module signing key"
|
||||
default "signing_key.priv"
|
||||
default "signing_key.pem"
|
||||
depends on MODULE_SIG
|
||||
help
|
||||
Provide the file name of a private key/certificate in PEM format,
|
||||
|
|
@ -1958,7 +1958,7 @@ config MODULE_SIG_KEY
|
|||
the URI should identify, both the certificate and its corresponding
|
||||
private key.
|
||||
|
||||
If this option is unchanged from its default "signing_key.priv",
|
||||
If this option is unchanged from its default "signing_key.pem",
|
||||
then the kernel will automatically generate the private key and
|
||||
certificate as described in Documentation/module-signing.txt
|
||||
|
||||
|
|
|
|||
|
|
@ -173,8 +173,8 @@ endif
|
|||
# We do it this way rather than having a boolean option for enabling an
|
||||
# external private key, because 'make randconfig' might enable such a
|
||||
# boolean option and we unfortunately can't make it depend on !RANDCONFIG.
|
||||
ifeq ($(CONFIG_MODULE_SIG_KEY),"signing_key.priv")
|
||||
signing_key.priv signing_key.x509: x509.genkey
|
||||
ifeq ($(CONFIG_MODULE_SIG_KEY),"signing_key.pem")
|
||||
signing_key.pem: x509.genkey
|
||||
@echo "###"
|
||||
@echo "### Now generating an X.509 key pair to be used for signing modules."
|
||||
@echo "###"
|
||||
|
|
@ -185,8 +185,8 @@ signing_key.priv signing_key.x509: x509.genkey
|
|||
@echo "###"
|
||||
openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \
|
||||
-batch -x509 -config x509.genkey \
|
||||
-outform DER -out signing_key.x509 \
|
||||
-keyout signing_key.priv 2>&1
|
||||
-outform PEM -out signing_key.pem \
|
||||
-keyout signing_key.pem 2>&1
|
||||
@echo "###"
|
||||
@echo "### Key pair generated."
|
||||
@echo "###"
|
||||
|
|
@ -210,9 +210,9 @@ x509.genkey:
|
|||
@echo >>x509.genkey "keyUsage=digitalSignature"
|
||||
@echo >>x509.genkey "subjectKeyIdentifier=hash"
|
||||
@echo >>x509.genkey "authorityKeyIdentifier=keyid"
|
||||
else
|
||||
# For external (PKCS#11 or PEM) key, we need to obtain the certificate from
|
||||
# CONFIG_MODULE_SIG_KEY automatically.
|
||||
endif
|
||||
|
||||
# We need to obtain the certificate from CONFIG_MODULE_SIG_KEY.
|
||||
quiet_cmd_extract_der = CERT_DER $(2)
|
||||
cmd_extract_der = scripts/extract-cert "$(2)" signing_key.x509
|
||||
|
||||
|
|
@ -249,4 +249,3 @@ endif
|
|||
signing_key.x509: scripts/extract-cert include/config/module/sig/key.h $(X509_DEP)
|
||||
$(call cmd,extract_der,$(X509_SOURCE))
|
||||
endif
|
||||
endif
|
||||
|
|
|
|||
Loading…
Reference in New Issue