From: Andy Whitcroft <apw@canonical.com>
Subject: Re: [PATCH 1/1] x509: only prefix strip raw serial numbers
Date: Wed, 16 Sep 2015 11:57:51 +0100
Message-ID: <20150916105751.GW19632@bark>
References: <1442218417-24897-1-git-send-email-apw@canonical.com>
 <10881.1442311183@warthog.procyon.org.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
	"David S. Miller" <davem@davemloft.net>,
	linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org
To: David Howells <dhowells@redhat.com>
Return-path: <linux-kernel-owner@vger.kernel.org>
Content-Disposition: inline
In-Reply-To: <10881.1442311183@warthog.procyon.org.uk>
Sender: linux-kernel-owner@vger.kernel.org
List-Id: linux-crypto.vger.kernel.org

On Tue, Sep 15, 2015 at 10:59:43AM +0100, David Howells wrote:
> Andy Whitcroft <apw@canonical.com> wrote:
> 
> > This leads us to truncate the id for kernel module signing keys and to
> > fail to recognise our own modules:
> > 
> >   [    1.572423] Loaded X.509 cert 'Build time autogenerated kernel
> >     key: 62a7c3d2da278be024da4af8652c071f3fea33'
> >   [    1.646153] Request for unknown module key 'Build time autogenerated
> >     kernel key: 0062a7c3d2da278be024da4af8652c071f3fea33' err -11
> 
> I don't suppose you've saved the key and a random small module that I can have
> a play with?

Sorry no, the key was an ephemeral key in those builds.  I did run a few
key builds to generate a new key with 0's to confirm this was possible.

> What version of the kernel are you using, btw?

Ahh yes, this was against a v4.2 final, I see that sign-file is all
changing to use openssl, so I will go confirm that this is not different
as a result.

-apw