From: Andy Whitcroft Subject: Re: [PATCH 1/1] x509: only prefix strip raw serial numbers Date: Wed, 16 Sep 2015 11:57:51 +0100 Message-ID: <20150916105751.GW19632@bark> References: <1442218417-24897-1-git-send-email-apw@canonical.com> <10881.1442311183@warthog.procyon.org.uk> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: Herbert Xu , "David S. Miller" , linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org To: David Howells Return-path: Content-Disposition: inline In-Reply-To: <10881.1442311183@warthog.procyon.org.uk> Sender: linux-kernel-owner@vger.kernel.org List-Id: linux-crypto.vger.kernel.org On Tue, Sep 15, 2015 at 10:59:43AM +0100, David Howells wrote: > Andy Whitcroft wrote: > > > This leads us to truncate the id for kernel module signing keys and to > > fail to recognise our own modules: > > > > [ 1.572423] Loaded X.509 cert 'Build time autogenerated kernel > > key: 62a7c3d2da278be024da4af8652c071f3fea33' > > [ 1.646153] Request for unknown module key 'Build time autogenerated > > kernel key: 0062a7c3d2da278be024da4af8652c071f3fea33' err -11 > > I don't suppose you've saved the key and a random small module that I can have > a play with? Sorry no, the key was an ephemeral key in those builds. I did run a few key builds to generate a new key with 0's to confirm this was possible. > What version of the kernel are you using, btw? Ahh yes, this was against a v4.2 final, I see that sign-file is all changing to use openssl, so I will go confirm that this is not different as a result. -apw