[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <109018.1615463088@turing-police>
Date: Thu, 11 Mar 2021 06:44:48 -0500
From: "Valdis Klētnieks" <valdis.kletnieks@...edu>
To: David Howells <dhowells@...hat.com>
Cc: David Woodhouse <dwmw2@...radead.org>, keyrings@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: 'make O=' indigestion with module signing
On Thu, 11 Mar 2021 10:49:14 +0000, David Howells said:
> I wonder... Can you grab branch keys-cve-2020-26541-branch from:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/
>
> and try that? If that breaks, can you try dropping the top four commits?
[/usr/src/linux-next] git checkout keys-cve-2020-26541-branch
Checking out files: 100% (13062/13062), done.
Previous HEAD position was b01d57bfdc41 Add linux-next specific files for 20210310
Branch 'keys-cve-2020-26541-branch' set up to track remote branch 'keys-cve-2020-26541-branch' from 'linux-fs'.
Switched to a new branch 'keys-cve-2020-26541-branch'
That still didn't work, and dropping off the 4 commits from Eric Snowberg
didn't change things.
I checked out next-20210310, did a 'make mrproper', and tested as the
owner of the source tree rather than as a different user...
LANG=C make O=/tmp/test-as-owner V=1 ARCH=arm64 ASFLAGS='-mcpu=all' CROSS_COMPILE=/opt/aarch64/bin/aarch64-linux-gnu- certs/
make -f /usr/src/linux-next/scripts/Makefile.build obj=certs \
single-build= \
need-builtin=1 need-modorder=1
scripts/extract-cert /usr/src/linux-next/"certs/signing_key.pem" certs/signing_key.x509
Extracted cert: /CN=Build time autogenerated kernel key
/opt/aarch64/bin/aarch64-linux-gnu-gcc (...) -o certs/system_keyring.o /usr/src/linux-next/certs/system_keyring.c
And the files ended up where they belonged:
ls -l /tmp/test-as-owner/certs/
total 72
-rw-r--r-- 1 source source 1288 Mar 11 06:33 blacklist_nohashes.o
-rw-r--r-- 1 source source 18496 Mar 11 06:33 blacklist.o
-rw-r--r-- 1 source source 542 Mar 11 06:33 built-in.a
-rw-r--r-- 1 source source 5856 Mar 11 06:33 common.o
-rw-r--r-- 1 source source 0 Mar 11 06:33 modules.order
-rw-r--r-- 1 source source 1184 Mar 11 06:33 revocation_certificates.o
-rw-r--r-- 1 source source 1357 Mar 11 06:33 signing_key.x509
-rw-r--r-- 1 source source 6888 Mar 11 06:33 system_certificates.o
-rw-r--r-- 1 source source 17504 Mar 11 06:33 system_keyring.o
-rw-r--r-- 1 source source 0 Mar 11 06:33 x509_certificate_list
-rw-r--r-- 1 source source 0 Mar 11 06:33 x509_revocation_list
So there's something weird going on with scripts/extract-cert when running
as a userid other than the owner of the source tree.. I wonder if it's actually
an OpenSSL issue...
I'll look at it some more later today...
Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists