Message-ID: <20120816013813.872.52922.stgit@warthog.procyon.org.uk>
Date: Thu, 16 Aug 2012 02:38:13 +0100
From: David Howells <dhowells@...hat.com>
To: rusty@...tcorp.com.au
Cc: dhowells@...hat.com, dmitry.kasatkin@...el.com,
zohar@...ux.vnet.ibm.com, jmorris@...ei.org,
keyrings@...ux-nfs.org, linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: [PATCH 22/25] MODSIGN: Automatically generate module signing keys if missing
Automatically generate keys for module signing if they're absent so that
allyesconfig doesn't break. The builder should consider generating their own
keyrings, however, so that the keys are appropriately named and any extra keys
required get imported.
Also change the names of the keyring files to modsign.pub and modsign.sec so
that it is then more obvious what they're about and add a dependency for
the signing rules on the keyring files so that the signatures get regenerated
if the keyrings change.
Signed-off-by: David Howells <dhowells@...hat.com>
---
kernel/Makefile | 39 +++++++++++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)
diff --git a/kernel/Makefile b/kernel/Makefile
index 895bef0..f612ed0 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -133,4 +133,43 @@ targets += timeconst.h
$(obj)/timeconst.h: $(src)/timeconst.pl FORCE
$(call if_changed,timeconst)
+###############################################################################
+#
+# If module signing is requested, say by allyesconfig, but a key has not been
+# supplied, then one will need to be generated to make sure the build does not
+# fail and that the kernel may be used afterwards.
+#
+###############################################################################
+ifeq ($(CONFIG_MODULE_SIG),y)
kernel/modsign-pubkey.o: modsign.pub
+
+modsign.pub modsign.sec: genkey
+ @echo "###"
+ @echo "### Now generating a PGP key pair to be used for signing modules."
+ @echo "###"
+ @echo "### If this takes a long time, you might wish to run rngd in the"
+ @echo "### background to keep the supply of entropy topped up. It"
+ @echo "### needs to be run as root, and should use a hardware random"
+ @echo "### number generator if one is available, eg:"
+ @echo "###"
+ @echo "### rngd -r /dev/hwrandom"
+ @echo "###"
+ gpg --homedir . --batch --gen-key genkey
+ @echo "###"
+ @echo "### Key pair generated."
+ @echo "###"
+ rm -f pubring.gpg secring.gpg trustdb.gpg
+
+genkey:
+ echo "%pubring modsign.pub" >genkey
+ echo "%secring modsign.sec" >>genkey
+ echo "%no-protection: yes" >> genkey
+ echo "%transient-key: yes" >>genkey
+ echo "Key-Type: RSA" >>genkey
+ echo "Key-Length: 4096" >>genkey
+ echo "Name-Real: Sample kernel key" >>genkey
+ echo "Name-Comment: Sample kernel module signing key" >>genkey
+ echo "%commit" >>genkey
+
+endif
+CLEAN_FILES += modsign.pub modsign.sec genkey random_seed
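Review bot: the two control lines in the genkey recipe, `%no-protection: yes` and `%transient-key: yes`, carry an argument that GnuPG's unattended key-generation controls do not take; gpg reads the control keyword up to the first whitespace, so a keyword of `no-protection:` (with the colon) would not be recognised and would be skipped, leaving the key generation to behave as if neither line were present. Suggest writing them bare, as `echo "%no-protection" >>genkey` and `echo "%transient-key" >>genkey`, and making the redirect spacing consistent with the other lines (`>> genkey` vs `>>genkey`). Two further points on the same hunk: the `rm -f pubring.gpg secring.gpg trustdb.gpg` cleanup only runs when gpg succeeds, and none of those files are listed in the `CLEAN_FILES` line, so a failed or interrupted run leaves gpg keyring state in the build tree; and the rngd advice printed just above the gpg call sits oddly beside `%transient-key`, which asks gpg for a faster but weaker random source, so the message should say which of the two the builder should expect. Since `modsign.pub modsign.sec: genkey` is a multi-target rule whose recipe produces both files in one gpg invocation, a parallel build can start the recipe twice; consider depending the signing side on a single stamp target instead.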