| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <50813C15.1000202@ahsoftware.de> Date: Fri, 19 Oct 2012 13:40:05 +0200 From: Alexander Holler <holler@...oftware.de> To: David Howells <dhowells@...hat.com> CC: Stephen Rothwell <sfr@...b.auug.org.au>, Rusty Russell <rusty@...tcorp.com.au>, Linus Torvalds <torvalds@...ux-foundation.org>, David Miller <davem@...emloft.net>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org> Subject: Re: RFC: sign the modules at install time Am 19.10.2012 13:25, schrieb David Howells: > Stephen Rothwell <sfr@...b.auug.org.au> wrote: > >> So, this still generates the keys during the normal build, right? That >> would be a problem for build servers that have limited randomness >> available to them, I think. > > openssl uses /dev/urandom (unlike gpg), so that's less of a problem. Hmm, please don't forget the case where people want to build the kernel in some sandbox (like chroot or similiar) where the build-system doesn't have access to /dev. I haven't checked what openssl does if that is the case, so maybe the script which calls it should either offer a verbose error message for that case, or should be prepared that openssl might fail because of a missing /dev/urandom. If that's already done, just ignore my email, I haven't read the complete thread, sorry. Regards, Alexander -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists