| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1459619722-13695-2-git-send-email-bpoirier@suse.com>
Date: Sat, 2 Apr 2016 10:55:22 -0700
From: Benjamin Poirier <bpoirier@...e.com>
To: Steven Rostedt <rostedt@...dmis.org>
Cc: Michal Marek <mmarek@...e.cz>, joeyli <jlee@...e.com>,
"Yann E . MORIN " <yann.morin.1998@...e.fr>,
linux-kbuild@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [PATCH 2/2] localmodconfig: Reset certificate paths
When using `make localmodconfig` and friends, if the input config comes
from a kernel that was built in a different environment (for example, the
canonical case of using localmodconfig to trim a distribution kernel
config) the key files for module signature checking will not be available
and should be regenerated or omitted. Otherwise, the user will be faced
with annoying errors when trying to build with the generated .config:
make[1]: *** No rule to make target 'keyring.crt', needed by 'certs/x509_certificate_list'. Stop.
Makefile:1576: recipe for target 'certs/' failed
Signed-off-by: Benjamin Poirier <bpoirier@...e.com>
---
scripts/kconfig/streamline_config.pl | 34 ++++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
diff --git a/scripts/kconfig/streamline_config.pl b/scripts/kconfig/streamline_config.pl
index 7036ae3..514735d 100755
--- a/scripts/kconfig/streamline_config.pl
+++ b/scripts/kconfig/streamline_config.pl
@@ -610,6 +610,40 @@ foreach my $line (@config_file) {
next;
}
+ if (/CONFIG_MODULE_SIG_KEY="(.+)"/) {
+ my $orig_cert = $1;
+ my $default_cert = "certs/signing_key.pem";
+
+ # Check that the logic in this script still matches the one in Kconfig
+ if (!defined($depends{"MODULE_SIG_KEY"}) ||
+ $depends{"MODULE_SIG_KEY"} !~ /"\Q$default_cert\E"/) {
+ die "Assertion failure, update needed";
+ }
+
+ if ($orig_cert ne $default_cert && ! -f $orig_cert) {
+ print STDERR "Module signature verification enabled but ",
+ "module signing key \"$orig_cert\" not found. Resetting ",
+ "signing key to default value.\n";
+ print "CONFIG_MODULE_SIG_KEY=\"$default_cert\"\n";
+ } else {
+ print;
+ }
+ next;
+ }
+
+ if (/CONFIG_SYSTEM_TRUSTED_KEYS="(.+)"/) {
+ my $orig_keys = $1;
+
+ if (! -f $orig_keys) {
+ print STDERR "System keyring enabled but keys \"$orig_keys\" ",
+ "not found. Resetting keys to default value.\n";
+ print "CONFIG_SYSTEM_TRUSTED_KEYS=\"\"\n";
+ } else {
+ print;
+ }
+ next;
+ }
+
if (/^(CONFIG.*)=(m|y)/) {
if (defined($configs{$1})) {
if ($localyesconfig) {
--
2.7.2
Powered by blists - more mailing lists