Date: Wed, 12 Aug 2015 19:27:24 +1000 (AEST)
From: James Morris
To: David Woodhouse
cc: David Howells, mcgrof@gmail.com, zohar@linux.vnet.ibm.com, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: Re: [GIT PULL] MODSIGN: Use PKCS#7 for module signatures [ver #7a]

On Wed, 12 Aug 2015, David Woodhouse wrote:

> On Wed, 2015-08-12 at 19:08 +1000, James Morris wrote:
> >
> >   CHK     include/generated/compile.h
> >   EXTRACT_CERTS   signing_key.pem
> > At main.c:146:
> > - SSL error:02001002:system library:fopen:No such file or directory:
> > bss_file.c:169
> > - SSL error:2006D080:BIO routines:BIO_new_file:no such file:
> > bss_file.c:172
> > extract-cert: signing_key.pem: No such file or directory
> > rm: cannot remove `signing_key.x509': No such file or directory
> > make[1]: *** [signing_key.x509] Error 1
> > make: *** [kernel] Error 2
>
> Hm, but that ought to have a dependency on signing_key.pem.
>
> What is CONFIG_MODULE_SIG_KEY? Its default value of 'signing_key.pem'?
> That should mean that the rule in kernel/Makefile to create the signing
> key does exist.

Yep:

# CONFIG_MODULE_SIG_SHA512 is not set
CONFIG_MODULE_SIG_HASH="sha1"
CONFIG_MODULE_SIG_KEY="signing_key.pem"
# CONFIG_MODULE_COMPRESS is not set

>
> At the very end of kernel/Makefile, in the rule for signing_key.x509,
> please could you add an 'echo $(X509_DEP)' before the call to
> extract_certs? That ought to be correctly depending on the
> signing_key.pem file.

$ make
  CHK     include/config/kernel.release
  CHK     include/generated/uapi/linux/version.h
  CHK     include/generated/utsrelease.h
  CHK     include/generated/bounds.h
  CHK     include/generated/timeconst.h
  CHK     include/generated/asm-offsets.h
  CALL    scripts/checksyscalls.sh
  CHK     include/generated/compile.h
echo
  EXTRACT_CERTS   signing_key.pem

i.e. nothing.

>
> There's magic here to work out the precise dependency, since it might
> be a filename relative to either the build tree or the source tree.
> I'll take another look and work out how it copes in the case where the
> file doesn't exist yet... is this an out-of-tree build?
>

Nope, but try a make mrproper first (as I have) and see if you get the
same result.

--
James Morris