Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit fb117949 authored by David Woodhouse's avatar David Woodhouse Committed by David Howells
Browse files

modsign: Use single PEM file for autogenerated key 



The current rule for generating signing_key.priv and signing_key.x509 is
a classic example of a bad rule which has a tendency to break parallel
make. When invoked to create *either* target, it generates the other
target as a side-effect that make didn't predict.

So let's switch to using a single file signing_key.pem which contains
both key and certificate. That matches what we do in the case of an
external key specified by CONFIG_MODULE_SIG_KEY anyway, so it's also
slightly cleaner.

Signed-off-by: default avatarDavid Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
parent 1329e8cc

.gitignore

+1 −0
Original line number Diff line number Diff line
@@ -97,6 +97,7 @@ GTAGS 
# Leavings from module signing

#

extra_certificates

signing_key.pem

signing_key.priv

signing_key.x509

x509.genkey

Documentation/module-signing.txt

+4 −5
Original line number Diff line number Diff line
@@ -91,7 +91,7 @@ This has a number of options available: 
 (4) "File name or PKCS#11 URI of module signing key" (CONFIG_MODULE_SIG_KEY)



     Setting this option to something other than its default of

     "signing_key.priv" will disable the autogeneration of signing keys and

     "signing_key.pem" will disable the autogeneration of signing keys and

     allow the kernel modules to be signed with a key of your choosing.

     The string provided should identify a file containing both a private

     key and its corresponding X.509 certificate in PEM form, or — on
@@ -116,11 +116,10 @@ kernel so that it can be used to check the signatures as the modules are 
loaded.



Under normal conditions, when CONFIG_MODULE_SIG_KEY is unchanged from its

default of "signing_key.priv", the kernel build will automatically generate

a new keypair using openssl if one does not exist in the files:

default, the kernel build will automatically generate a new keypair using

openssl if one does not exist in the file:



	signing_key.priv

	signing_key.x509

	signing_key.pem



during the building of vmlinux (the public part of the key needs to be built

into vmlinux) using parameters in the:

Makefile

+2 −2
Original line number Diff line number Diff line
@@ -1173,8 +1173,8 @@ MRPROPER_DIRS += include/config usr/include include/generated \ 
		  arch/*/include/generated .tmp_objdiff

MRPROPER_FILES += .config .config.old .version .old_version \

		  Module.symvers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS \

		  signing_key.priv signing_key.x509 x509.genkey		\

		  extra_certificates signing_key.x509.keyid		\

		  signing_key.pem signing_key.priv signing_key.x509	\

		  x509.genkey extra_certificates signing_key.x509.keyid	\

		  signing_key.x509.signer vmlinux-gdb.py



# clean - Delete most, but leave enough to build external modules

init/Kconfig

+2 −2
Original line number Diff line number Diff line
@@ -1950,7 +1950,7 @@ config MODULE_SIG_HASH 


config MODULE_SIG_KEY

	string "File name or PKCS#11 URI of module signing key"

	default "signing_key.priv"

	default "signing_key.pem"

	depends on MODULE_SIG

	help

         Provide the file name of a private key/certificate in PEM format,
@@ -1958,7 +1958,7 @@ config MODULE_SIG_KEY 
         the URI should identify, both the certificate and its corresponding

         private key.



         If this option is unchanged from its default "signing_key.priv",

         If this option is unchanged from its default "signing_key.pem",

         then the kernel will automatically generate the private key and

         certificate as described in Documentation/module-signing.txt

kernel/Makefile

+7 −8
Original line number Diff line number Diff line
@@ -173,8 +173,8 @@ endif 
# We do it this way rather than having a boolean option for enabling an

# external private key, because 'make randconfig' might enable such a

# boolean option and we unfortunately can't make it depend on !RANDCONFIG.

ifeq ($(CONFIG_MODULE_SIG_KEY),"signing_key.priv")

signing_key.priv signing_key.x509: x509.genkey

ifeq ($(CONFIG_MODULE_SIG_KEY),"signing_key.pem")

signing_key.pem: x509.genkey

	@echo "###"

	@echo "### Now generating an X.509 key pair to be used for signing modules."

	@echo "###"
@@ -185,8 +185,8 @@ signing_key.priv signing_key.x509: x509.genkey 
	@echo "###"

	openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \

		-batch -x509 -config x509.genkey \

		-outform DER -out signing_key.x509 \

		-keyout signing_key.priv 2>&1

		-outform PEM -out signing_key.pem \

		-keyout signing_key.pem 2>&1

	@echo "###"

	@echo "### Key pair generated."

	@echo "###"
@@ -210,9 +210,9 @@ x509.genkey: 
	@echo >>x509.genkey "keyUsage=digitalSignature"

	@echo >>x509.genkey "subjectKeyIdentifier=hash"

	@echo >>x509.genkey "authorityKeyIdentifier=keyid"

else

# For external (PKCS#11 or PEM) key, we need to obtain the certificate from

# CONFIG_MODULE_SIG_KEY automatically.

endif



# We need to obtain the certificate from CONFIG_MODULE_SIG_KEY.

quiet_cmd_extract_der = CERT_DER $(2)

      cmd_extract_der = scripts/extract-cert "$(2)" signing_key.x509
@@ -249,4 +249,3 @@ endif 
signing_key.x509: scripts/extract-cert include/config/module/sig/key.h $(X509_DEP)

	$(call cmd,extract_der,$(X509_SOURCE))

endif
 
endif