| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 17 Jan 2016 00:02:26 +0100 From: Luis Ressel <aranea@...ah.de> To: keyrings@...r.kernel.org Cc: linux-kernel@...r.kernel.org, David Howells <dhowells@...hat.com>, David Woodhouse <dwmw2@...radead.org>, James Morris <jmorris@...ei.org> Subject: Re: [PATCH] Restrict read access to private module signing key On Sat, 2 Jan 2016 16:13:50 +0100 Luis Ressel <aranea@...ah.de> wrote: > The autogenerated module signing key shouldn't be world-readable. > > Signed-off-by: Luis Ressel <aranea@...ah.de> > --- > certs/Makefile | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/certs/Makefile b/certs/Makefile > index 28ac694..7f1f082 100644 > --- a/certs/Makefile > +++ b/certs/Makefile > @@ -49,6 +49,8 @@ $(obj)/signing_key.pem: $(obj)/x509.genkey > @echo "### needs to be run as root, and uses a hardware > random" @echo "### number generator if one is available." > @echo "###" > + touch $(obj)/signing_key.pem > + chmod 0600 $(obj)/signing_key.pem > openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) > -days 36500 \ -batch -x509 -config $(obj)/x509.genkey \ > -outform PEM -out $(obj)/signing_key.pem \ I've contributed this patch two weeks ago, but there hasn't been any feedback and it hasn't been merged, either. It's the first kernel patch I've submitted, so I don't know much about the procedures here. Could someone please merge the patch or point out any problems with it? Regards, Luis Ressel
Powered by blists - more mailing lists