Message-Id: <1353939786-4829-2-git-send-email-zohar@linux.vnet.ibm.com>
Date: Mon, 26 Nov 2012 09:23:06 -0500
From: Mimi Zohar <zohar@...ux.vnet.ibm.com>
To: linux-security-module@...r.kernel.org
Cc: Mimi Zohar <zohar@...ux.vnet.ibm.com>,
Rusty Russell <rusty@...tcorp.com.au>,
linux-kernel@...r.kernel.org, Mimi Zohar <zohar@...ibm.com>
Subject: [RFC][PATCH 2/2] modsig: differentiate between ephemeral and persistent key names
Using the same name for ephemeral and "persistent" keys results
in deleting the "persistent" key. This patch renames the normal
kbuild asymmetric key pair name to "default_signing_key" and the
ephemeral key pair name to "ephemeral_signing_key".
Signed-off-by: Mimi Zohar <zohar@...ibm.com>
---
Makefile | 14 +++++++++-----
kernel/Makefile | 12 ++++++++----
2 files changed, 17 insertions(+), 9 deletions(-)
diff --git a/Makefile b/Makefile
index d0dd777..525f512 100644
--- a/Makefile
+++ b/Makefile
@@ -721,15 +721,17 @@ export mod_strip_cmd
export KBUILD_MODSIG := 0
ifeq ($(CONFIG_MODULE_SIG),y)
-MODSECKEY = ./signing_key.priv
-MODPUBKEY = ./signing_key.x509
-
# Use 'make MODSIG=1 modules_install' to use ephemeral keys for module signing
ifeq ("$(origin MODSIG)", "command line")
KBUILD_MODSIG := $(MODSIG)
+MODSECKEY = ./ephemeral_signing_key.priv
+MODPUBKEY = ./ephemeral_signing_key.x509
+else
+MODSECKEY = ./default_signing_key.priv
+MODPUBKEY = ./default_signing_key.x509
endif
-export MODPUBKEY
+export MODPUBKEY MODSECKEY
mod_sign_cmd = perl $(srctree)/scripts/sign-file $(MODSECKEY) $(MODPUBKEY)
else
mod_sign_cmd = true
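Review bot: The key names on the `ifeq ("$(origin MODSIG)", "command line")` branch are chosen by where MODSIG was set, not by its value, so `make MODSIG=0` still selects the ephemeral_signing_key files while KBUILD_MODSIG is 0. Selecting the names on the value instead, for example a separate `ifeq ($(KBUILD_MODSIG),1)` / `else` / `endif` after the assignment, would keep the two settings in step. Because the choice is made per invocation, a plain `make` followed by `make MODSIG=1 modules_install` resolves MODPUBKEY to different files in each run; if that is intended, a comment such as `# the kernel image trusts whichever MODPUBKEY was in effect when kernel/modsign_pubkey.o was built` would make it explicit. The enclosing `ifeq ($(CONFIG_MODULE_SIG),y)` block ends outside this hunk.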
@@ -1037,7 +1039,9 @@ MRPROPER_DIRS += include/config usr/include include/generated \
arch/*/include/generated
MRPROPER_FILES += .config .config.old .version .old_version $(version_h) \
Module.symvers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS \
- signing_key.priv signing_key.x509 x509.genkey \
+ default_signing_key.priv default_signing_key.x509 \
+ ephemeral_signing_key.priv ephemeral_signing_key.x509 \
+ signing_key.x509 x509.genkey \
extra_certificates signing_key.x509.keyid \
signing_key.x509.signer
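Review bot: The new MRPROPER_FILES list drops `signing_key.priv`, so a tree that generated keys before this rename keeps its old private key on disk after `make mrproper`. Keeping the legacy name in the list alongside the new ones, e.g. `signing_key.priv signing_key.x509 x509.genkey \`, removes that leftover signing key during the transition. The MRPROPER_DIRS assignment above starts outside the hunk.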
diff --git a/kernel/Makefile b/kernel/Makefile
index 86e3285..34107d9 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -139,7 +139,11 @@ ifeq ($(CONFIG_MODULE_SIG),y)
extra_certificates:
touch $@
-kernel/modsign_pubkey.o: signing_key.x509 extra_certificates
+signing_key.x509: FORCE
+ ln -fs $(MODPUBKEY) $@
+ touch $@
+
+kernel/modsign_pubkey.o: $(MODPUBKEY) signing_key.x509 extra_certificates
###############################################################################
#
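Review bot: The new `signing_key.x509: FORCE` rule has no prerequisite on `$(MODPUBKEY)`, and `touch $@` follows the symlink that `ln -fs` has just created. If this rule runs before the key pair exists (possible under `make -j`, since the ordering comes only from the prerequisite list of kernel/modsign_pubkey.o), the link dangles and touch creates an empty `$(MODPUBKEY)`, which could then be embedded as the trusted certificate. Declaring the dependency and dropping the touch avoids that: `signing_key.x509: $(MODPUBKEY) FORCE` with only `ln -fs $(MODPUBKEY) $@` in the recipe. The surrounding `ifeq ($(CONFIG_MODULE_SIG),y)` block starts and ends outside the hunk.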
@@ -168,7 +172,7 @@ ifeq ($(sign_key_with_hash),)
$(error Could not determine digest type to use from kernel config)
endif
-signing_key.priv signing_key.x509: x509.genkey
+$(MODSECKEY) $(MODPUBKEY): x509.genkey
@echo "###"
@echo "### Now generating an X.509 key pair to be used for signing modules."
@echo "###"
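Review bot: The header `$(MODSECKEY) $(MODPUBKEY): x509.genkey` declares two independent rules that share one recipe, and both names now come from variables exported by the top-level Makefile. If both targets are requested in a parallel build, openssl may run twice and leave a private key and certificate from different runs, so signed modules would not verify against the embedded key. If kernel/Makefile is ever parsed without the exports, the header collapses to an empty target list. A stamp file for the pair, plus a guard such as `$(if $(MODSECKEY),,$(error MODSECKEY is not set))` before the rule, would make both cases fail loudly. The recipe continues outside this hunk.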
@@ -179,8 +183,8 @@ signing_key.priv signing_key.x509: x509.genkey
@echo "###"
openssl req -new -nodes -utf8 $(sign_key_with_hash) -days 36500 -batch \
-x509 -config x509.genkey \
- -outform DER -out signing_key.x509 \
- -keyout signing_key.priv
+ -outform DER -out $(MODPUBKEY) \
+ -keyout $(MODSECKEY)
@echo "###"
@echo "### Key pair generated."
@echo "###"
--
1.7.7.6