Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751870AbbEGMYt (ORCPT ); Thu, 7 May 2015 08:24:49 -0400 Received: from cantor2.suse.de ([195.135.220.15]:41789 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750906AbbEGMYr (ORCPT ); Thu, 7 May 2015 08:24:47 -0400 Date: Thu, 7 May 2015 14:24:45 +0200 From: Michal Marek To: David Howells Cc: Linus Torvalds , Abelardo Ricart III , Linux Kernel Mailing List , Sedat Dilek , keyrings@linux-nfs.org, Rusty Russell , LSM List , James Morris , Greg Kroah-Hartman Subject: Re: [PATCH] MODSIGN: Change default key details [ver #2] Message-ID: <20150507122445.GB4912@sepie.suse.cz> References: <1430516505-4812-1-git-send-email-aricart@memnix.com> <1430559977.5803.12.camel@memnix.com> <5548E02A.5050006@suse.cz> <9365.1430996458@warthog.procyon.org.uk> <20150507121546.GA4912@sepie.suse.cz> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20150507121546.GA4912@sepie.suse.cz> User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 4915 Lines: 120 On Thu, May 07, 2015 at 02:15:46PM +0200, Michal Marek wrote: > That's the problem with allowing a file to be either user-supplied or > generated. We can use separate files for the user-supplied/generated > cases like below and solve this for good. Not signed off yet, because it > is only lightly tested and the clean rules and .gitignore need to be > updated. Forgot to 'git add' one typo fix. >From 132a4494b255d2320bcafc729791b8bf26c9d244 Mon Sep 17 00:00:00 2001 From: Michal Marek Date: Thu, 7 May 2015 13:38:23 +0200 Subject: [PATCH] MODSIGN: Split user-supplied and autogenerated signing key Allow the users to place signing_key.{x509,priv} and x509.genkey in the source tree. If any of these files is missing, generate the file in the build tree with an .auto suffix. This avoids problems with overwriting user-supplied files. --- Makefile | 4 ++-- kernel/Makefile | 46 +++++++++++++++++++++++----------------------- 2 files changed, 25 insertions(+), 25 deletions(-) diff --git a/Makefile b/Makefile index 19e256a..69026fc 100644 --- a/Makefile +++ b/Makefile @@ -873,8 +873,8 @@ INITRD_COMPRESS-$(CONFIG_RD_LZ4) := lz4 # export INITRD_COMPRESS := $(INITRD_COMPRESS-y) ifdef CONFIG_MODULE_SIG_ALL -MODSECKEY = ./signing_key.priv -MODPUBKEY = ./signing_key.x509 +MODSECKEY = $(firstword $(wildcard $(srctree)/signing_key.priv) ./signing_key.priv.auto) +MODPUBKEY = $(firstword $(wildcard $(srctree)/signing_key.x509) ./signing_key.x509.auto) export MODPUBKEY mod_sign_cmd = perl $(srctree)/scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(MODSECKEY) $(MODPUBKEY) else diff --git a/kernel/Makefile b/kernel/Makefile index e072239..4bcf20e 100644 --- a/kernel/Makefile +++ b/kernel/Makefile @@ -124,7 +124,7 @@ $(obj)/config_data.h: $(obj)/config_data.gz FORCE ############################################################################### ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y) X509_CERTIFICATES-y := $(wildcard *.x509) -X509_CERTIFICATES-$(CONFIG_MODULE_SIG) += signing_key.x509 +X509_CERTIFICATES-$(CONFIG_MODULE_SIG) += $(if $(wildcard $(srctree)/signing_key.x509),,signing_key.x509.auto) X509_CERTIFICATES := $(sort $(X509_CERTIFICATES-y)) ifneq ($(objtree),$(srctree)) X509_CERTIFICATES += $(sort $(wildcard $(srctree)/*.x509)) @@ -165,7 +165,7 @@ ifndef CONFIG_MODULE_SIG_HASH $(error Could not determine digest type to use from kernel config) endif -signing_key.priv signing_key.x509: x509.genkey +signing_key.priv.auto signing_key.x509.auto: $(firstword $(wildcard $(srctree)/x509.genkey) x509.genkey.auto) @echo "###" @echo "### Now generating an X.509 key pair to be used for signing modules." @echo "###" @@ -175,30 +175,30 @@ signing_key.priv signing_key.x509: x509.genkey @echo "### number generator if one is available." @echo "###" openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \ - -batch -x509 -config x509.genkey \ - -outform DER -out signing_key.x509 \ - -keyout signing_key.priv 2>&1 + -batch -x509 -config $< \ + -outform DER -out signing_key.x509.auto \ + -keyout signing_key.priv.auto 2>&1 @echo "###" @echo "### Key pair generated." @echo "###" -x509.genkey: +x509.genkey.auto: @echo Generating X.509 key generation config - @echo >x509.genkey "[ req ]" - @echo >>x509.genkey "default_bits = 4096" - @echo >>x509.genkey "distinguished_name = req_distinguished_name" - @echo >>x509.genkey "prompt = no" - @echo >>x509.genkey "string_mask = utf8only" - @echo >>x509.genkey "x509_extensions = myexts" - @echo >>x509.genkey - @echo >>x509.genkey "[ req_distinguished_name ]" - @echo >>x509.genkey "O = Magrathea" - @echo >>x509.genkey "CN = Glacier signing key" - @echo >>x509.genkey "emailAddress = slartibartfast@magrathea.h2g2" - @echo >>x509.genkey - @echo >>x509.genkey "[ myexts ]" - @echo >>x509.genkey "basicConstraints=critical,CA:FALSE" - @echo >>x509.genkey "keyUsage=digitalSignature" - @echo >>x509.genkey "subjectKeyIdentifier=hash" - @echo >>x509.genkey "authorityKeyIdentifier=keyid" + @echo >$@ "[ req ]" + @echo >>$@ "default_bits = 4096" + @echo >>$@ "distinguished_name = req_distinguished_name" + @echo >>$@ "prompt = no" + @echo >>$@ "string_mask = utf8only" + @echo >>$@ "x509_extensions = myexts" + @echo >>$@ + @echo >>$@ "[ req_distinguished_name ]" + @echo >>$@ "O = Magrathea" + @echo >>$@ "CN = Glacier signing key" + @echo >>$@ "emailAddress = slartibartfast@magrathea.h2g2" + @echo >>$@ + @echo >>$@ "[ myexts ]" + @echo >>$@ "basicConstraints=critical,CA:FALSE" + @echo >>$@ "keyUsage=digitalSignature" + @echo >>$@ "subjectKeyIdentifier=hash" + @echo >>$@ "authorityKeyIdentifier=keyid" endif -- 2.1.4 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/