Commit fb117949 authored by David Woodhouse's avatar David Woodhouse Committed by David Howells

modsign: Use single PEM file for autogenerated key

The current rule for generating signing_key.priv and signing_key.x509 is
a classic example of a bad rule which has a tendency to break parallel
make. When invoked to create *either* target, it generates the other
target as a side-effect that make didn't predict.

So let's switch to using a single file signing_key.pem which contains
both key and certificate. That matches what we do in the case of an
external key specified by CONFIG_MODULE_SIG_KEY anyway, so it's also
slightly cleaner.
Signed-off-by: default avatarDavid Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
parent 1329e8cc
...@@ -97,6 +97,7 @@ GTAGS ...@@ -97,6 +97,7 @@ GTAGS
# Leavings from module signing # Leavings from module signing
# #
extra_certificates extra_certificates
signing_key.pem
signing_key.priv signing_key.priv
signing_key.x509 signing_key.x509
x509.genkey x509.genkey
......
...@@ -91,7 +91,7 @@ This has a number of options available: ...@@ -91,7 +91,7 @@ This has a number of options available:
(4) "File name or PKCS#11 URI of module signing key" (CONFIG_MODULE_SIG_KEY) (4) "File name or PKCS#11 URI of module signing key" (CONFIG_MODULE_SIG_KEY)
Setting this option to something other than its default of Setting this option to something other than its default of
"signing_key.priv" will disable the autogeneration of signing keys and "signing_key.pem" will disable the autogeneration of signing keys and
allow the kernel modules to be signed with a key of your choosing. allow the kernel modules to be signed with a key of your choosing.
The string provided should identify a file containing both a private The string provided should identify a file containing both a private
key and its corresponding X.509 certificate in PEM form, or — on key and its corresponding X.509 certificate in PEM form, or — on
...@@ -116,11 +116,10 @@ kernel so that it can be used to check the signatures as the modules are ...@@ -116,11 +116,10 @@ kernel so that it can be used to check the signatures as the modules are
loaded. loaded.
Under normal conditions, when CONFIG_MODULE_SIG_KEY is unchanged from its Under normal conditions, when CONFIG_MODULE_SIG_KEY is unchanged from its
default of "signing_key.priv", the kernel build will automatically generate default, the kernel build will automatically generate a new keypair using
a new keypair using openssl if one does not exist in the files: openssl if one does not exist in the file:
signing_key.priv signing_key.pem
signing_key.x509
during the building of vmlinux (the public part of the key needs to be built during the building of vmlinux (the public part of the key needs to be built
into vmlinux) using parameters in the: into vmlinux) using parameters in the:
......
...@@ -1173,8 +1173,8 @@ MRPROPER_DIRS += include/config usr/include include/generated \ ...@@ -1173,8 +1173,8 @@ MRPROPER_DIRS += include/config usr/include include/generated \
arch/*/include/generated .tmp_objdiff arch/*/include/generated .tmp_objdiff
MRPROPER_FILES += .config .config.old .version .old_version \ MRPROPER_FILES += .config .config.old .version .old_version \
Module.symvers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS \ Module.symvers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS \
signing_key.priv signing_key.x509 x509.genkey \ signing_key.pem signing_key.priv signing_key.x509 \
extra_certificates signing_key.x509.keyid \ x509.genkey extra_certificates signing_key.x509.keyid \
signing_key.x509.signer vmlinux-gdb.py signing_key.x509.signer vmlinux-gdb.py
# clean - Delete most, but leave enough to build external modules # clean - Delete most, but leave enough to build external modules
......
...@@ -1950,7 +1950,7 @@ config MODULE_SIG_HASH ...@@ -1950,7 +1950,7 @@ config MODULE_SIG_HASH
config MODULE_SIG_KEY config MODULE_SIG_KEY
string "File name or PKCS#11 URI of module signing key" string "File name or PKCS#11 URI of module signing key"
default "signing_key.priv" default "signing_key.pem"
depends on MODULE_SIG depends on MODULE_SIG
help help
Provide the file name of a private key/certificate in PEM format, Provide the file name of a private key/certificate in PEM format,
...@@ -1958,7 +1958,7 @@ config MODULE_SIG_KEY ...@@ -1958,7 +1958,7 @@ config MODULE_SIG_KEY
the URI should identify, both the certificate and its corresponding the URI should identify, both the certificate and its corresponding
private key. private key.
If this option is unchanged from its default "signing_key.priv", If this option is unchanged from its default "signing_key.pem",
then the kernel will automatically generate the private key and then the kernel will automatically generate the private key and
certificate as described in Documentation/module-signing.txt certificate as described in Documentation/module-signing.txt
......
...@@ -173,8 +173,8 @@ endif ...@@ -173,8 +173,8 @@ endif
# We do it this way rather than having a boolean option for enabling an # We do it this way rather than having a boolean option for enabling an
# external private key, because 'make randconfig' might enable such a # external private key, because 'make randconfig' might enable such a
# boolean option and we unfortunately can't make it depend on !RANDCONFIG. # boolean option and we unfortunately can't make it depend on !RANDCONFIG.
ifeq ($(CONFIG_MODULE_SIG_KEY),"signing_key.priv") ifeq ($(CONFIG_MODULE_SIG_KEY),"signing_key.pem")
signing_key.priv signing_key.x509: x509.genkey signing_key.pem: x509.genkey
@echo "###" @echo "###"
@echo "### Now generating an X.509 key pair to be used for signing modules." @echo "### Now generating an X.509 key pair to be used for signing modules."
@echo "###" @echo "###"
...@@ -185,8 +185,8 @@ signing_key.priv signing_key.x509: x509.genkey ...@@ -185,8 +185,8 @@ signing_key.priv signing_key.x509: x509.genkey
@echo "###" @echo "###"
openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \ openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \
-batch -x509 -config x509.genkey \ -batch -x509 -config x509.genkey \
-outform DER -out signing_key.x509 \ -outform PEM -out signing_key.pem \
-keyout signing_key.priv 2>&1 -keyout signing_key.pem 2>&1
@echo "###" @echo "###"
@echo "### Key pair generated." @echo "### Key pair generated."
@echo "###" @echo "###"
...@@ -210,9 +210,9 @@ x509.genkey: ...@@ -210,9 +210,9 @@ x509.genkey:
@echo >>x509.genkey "keyUsage=digitalSignature" @echo >>x509.genkey "keyUsage=digitalSignature"
@echo >>x509.genkey "subjectKeyIdentifier=hash" @echo >>x509.genkey "subjectKeyIdentifier=hash"
@echo >>x509.genkey "authorityKeyIdentifier=keyid" @echo >>x509.genkey "authorityKeyIdentifier=keyid"
else endif
# For external (PKCS#11 or PEM) key, we need to obtain the certificate from
# CONFIG_MODULE_SIG_KEY automatically. # We need to obtain the certificate from CONFIG_MODULE_SIG_KEY.
quiet_cmd_extract_der = CERT_DER $(2) quiet_cmd_extract_der = CERT_DER $(2)
cmd_extract_der = scripts/extract-cert "$(2)" signing_key.x509 cmd_extract_der = scripts/extract-cert "$(2)" signing_key.x509
...@@ -249,4 +249,3 @@ endif ...@@ -249,4 +249,3 @@ endif
signing_key.x509: scripts/extract-cert include/config/module/sig/key.h $(X509_DEP) signing_key.x509: scripts/extract-cert include/config/module/sig/key.h $(X509_DEP)
$(call cmd,extract_der,$(X509_SOURCE)) $(call cmd,extract_der,$(X509_SOURCE))
endif endif
endif
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment