[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1016.1348824193@warthog.procyon.org.uk>
Date: Fri, 28 Sep 2012 10:23:13 +0100
From: David Howells <dhowells@...hat.com>
To: Rusty Russell <rusty@...tcorp.com.au>
Cc: dhowells@...hat.com, herbert@...dor.hengli.com.au,
pjones@...hat.com, jwboyer@...hat.com,
linux-crypto@...r.kernel.org,
linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org, keyrings@...ux-nfs.org
Subject: Re: [GIT PULL] Asymmetric keys and module signing
Rusty Russell <rusty@...tcorp.com.au> wrote:
> [ 3.361036] Request for unknown module key 'Magrathea: Glacier signing key: 6
> e03943da0f3b015ba6ed7f5e0cac4fe48680994' err -11
Okay, it turns out that my attempts to remove SHA1 by editing it out of the
.config file were doomed to failure because a couple of IPv6 options I had
turned on selected it back on.
Having turned those off and then turned off SHA1, I see in the kernel log:
MODSIGN: Problem loading in-kernel X.509 certificate (-65)
MODSIGN: Loaded cert 'Red Hat Test Certificate: 3580cf35d76b3b667a40df66691cbcf87353b23c'
My kernel has an extra certificate (in the extra_certificates file) given to
me by Peter Jones in addition to the one it generates itself.
The first line is it failing to load the transient SHA1-hashed cert that was
generated by the kernel build (the Magrathean glacier signing key).
The second line is it managing to load the certificate that Peter gave me for
which it doesn't have the parent CA certificate available. I've made the
assumption (which isn't necessarily warranted) that the signature in the cert,
if the cert is not self-signed, is generated using the CA private key, not by
the private key corresponding to this cert.
David
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists