lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date:   Tue, 22 Jun 2021 00:23:46 +1000
From:   Ian Fleming <wholehepple@...il.com>
To:     linux-doc@...r.kernel.org
Cc:     linux-kernel@...r.kernel.org
Subject: [PATCH] certs: Documentation/admin-guide/module-signing.rst and
 root .gitignore

From: Ian Fleming <wholehepple@...il.com>

Commit b31f2a495debc71bdfefefea8056ade429f79c4b changes mrproper targets for files generated from module signing.
Root .gitignore also has 5 lines to be removed. One thing to note is how the openssl command example has been changed in module-signing.rst: kernel_key.pem to signing_key.pem so mrproper cleans up automatically generated and in case of manually generated from the example.

Signed-off-by: Ian Fleming <wholehepple@...il.com>
---
.gitignore                                   |  9 ---------
Documentation/admin-guide/module-signing.rst | 32 +++++++++++++++-----------------
2 files changed, 15 insertions(+), 26 deletions(-)

diff --git a/.gitignore b/.gitignore
index 7afd412dadd2..624604e3ec6a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -133,15 +133,6 @@ ID
 *~
 \#*#
 
-#
-# Leavings from module signing
-#
-extra_certificates
-signing_key.pem
-signing_key.priv
-signing_key.x509
-x509.genkey
-
 # Kconfig presets
 /all.config
 /alldef.config

diff --git a/Documentation/admin-guide/module-signing.rst b/Documentation/admin-guide/module-signing.rst
index 7d7c7c8a545c..2ac462b6c832 100644
--- a/Documentation/admin-guide/module-signing.rst
+++ b/Documentation/admin-guide/module-signing.rst
@@ -132,23 +132,19 @@ it can be deleted or stored securely.  The public key gets built into the
 kernel so that it can be used to check the signatures as the modules are
 loaded.
 
-Under normal conditions, when ``CONFIG_MODULE_SIG_KEY`` is unchanged from its
-default, the kernel build will automatically generate a new keypair using
-openssl if one does not exist in the file::
+If ``CONFIG_MODULE_SIG_KEY`` is unchanged from its default, the kernel build will
+automatically generate a new keypair using openssl if one does not exist in the file::
 
 	certs/signing_key.pem
 
-during the building of vmlinux (the public part of the key needs to be built
-into vmlinux) using parameters in the::
+the public part of the key needs to be built into the kernel using parameters in the::
 
 	certs/x509.genkey
 
 file (which is also generated if it does not already exist).
 
-It is strongly recommended that you provide your own x509.genkey file.
-
-Most notably, in the x509.genkey file, the req_distinguished_name section
-should be altered from the default::
+It is strongly recommended that you provide your own x509.genkey file.  Most notably the
+the *req_distinguished_name* section should be altered from the default::
 
 	[ req_distinguished_name ]
 	#O = Unspecified company
@@ -160,15 +156,17 @@ The generated RSA key size can also be set with::
 	[ req ]
 	default_bits = 4096
 
+It is also possible to manually generate the private/public key files using openssl
+and the key generation configuration file::
+
+        certs/x509.genkey
 
-It is also possible to manually generate the key private/public files using the
-x509.genkey key generation configuration file in the root node of the Linux
-kernel sources tree and the openssl command.  The following is an example to
-generate the public/private key files::
+The following is an example of how to generate the X.509 keypair to be used for
+signing modules::
 
-	openssl req -new -nodes -utf8 -sha256 -days 36500 -batch -x509 \
-	   -config x509.genkey -outform PEM -out kernel_key.pem \
-	   -keyout kernel_key.pem
+	$ openssl req -new -nodes -utf8 -sha256 -days 36500 -batch -x509 \
+	     -config x509.genkey -outform PEM -out signing_key.pem \
+	     -keyout signing_key.pem
 
 The full pathname for the resulting kernel_key.pem file can then be specified
 in the ``CONFIG_MODULE_SIG_KEY`` option, and the certificate and key therein will
@@ -276,7 +274,7 @@ Administering/protecting the private key
 Since the private key is used to sign modules, viruses and malware could use
 the private key to sign modules and compromise the operating system.  The
 private key must be either destroyed or moved to a secure location and not kept
-in the root node of the kernel source tree.
+in the certs/ directory of the kernel source tree.
 
 If you use the same private key to sign modules for multiple kernel
 configurations, you must ensure that the module version information is

Powered by blists - more mailing lists