lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 11 Mar 2021 06:44:48 -0500
From:   "Valdis Klētnieks" <valdis.kletnieks@...edu>
To:     David Howells <dhowells@...hat.com>
Cc:     David Woodhouse <dwmw2@...radead.org>, keyrings@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: 'make O=' indigestion with module signing

On Thu, 11 Mar 2021 10:49:14 +0000, David Howells said:
> I wonder...  Can you grab branch keys-cve-2020-26541-branch from:
>
> 	https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/
>
> and try that?  If that breaks, can you try dropping the top four commits?

[/usr/src/linux-next] git checkout keys-cve-2020-26541-branch
Checking out files: 100% (13062/13062), done.
Previous HEAD position was b01d57bfdc41 Add linux-next specific files for 20210310
Branch 'keys-cve-2020-26541-branch' set up to track remote branch 'keys-cve-2020-26541-branch' from 'linux-fs'.
Switched to a new branch 'keys-cve-2020-26541-branch'

That still didn't work, and dropping off the 4 commits from Eric Snowberg
didn't change things.

I checked out next-20210310, did a 'make mrproper', and tested as the
owner of the source tree rather than as a different user...

LANG=C make O=/tmp/test-as-owner  V=1 ARCH=arm64 ASFLAGS='-mcpu=all' CROSS_COMPILE=/opt/aarch64/bin/aarch64-linux-gnu- certs/

make -f /usr/src/linux-next/scripts/Makefile.build obj=certs \
single-build= \
need-builtin=1 need-modorder=1
  scripts/extract-cert /usr/src/linux-next/"certs/signing_key.pem" certs/signing_key.x509
Extracted cert: /CN=Build time autogenerated kernel key
  /opt/aarch64/bin/aarch64-linux-gnu-gcc (...)  -o certs/system_keyring.o /usr/src/linux-next/certs/system_keyring.c

And the files ended up where they belonged:

 ls -l /tmp/test-as-owner/certs/
total 72
-rw-r--r-- 1 source source  1288 Mar 11 06:33 blacklist_nohashes.o
-rw-r--r-- 1 source source 18496 Mar 11 06:33 blacklist.o
-rw-r--r-- 1 source source   542 Mar 11 06:33 built-in.a
-rw-r--r-- 1 source source  5856 Mar 11 06:33 common.o
-rw-r--r-- 1 source source     0 Mar 11 06:33 modules.order
-rw-r--r-- 1 source source  1184 Mar 11 06:33 revocation_certificates.o
-rw-r--r-- 1 source source  1357 Mar 11 06:33 signing_key.x509
-rw-r--r-- 1 source source  6888 Mar 11 06:33 system_certificates.o
-rw-r--r-- 1 source source 17504 Mar 11 06:33 system_keyring.o
-rw-r--r-- 1 source source     0 Mar 11 06:33 x509_certificate_list
-rw-r--r-- 1 source source     0 Mar 11 06:33 x509_revocation_list

So there's something weird going on with scripts/extract-cert when running
as a userid other than the owner of the source tree..  I wonder if it's actually
an OpenSSL issue...

I'll look at it some more later today...

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ