[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <YdSOV7LL0vWCMcWl@casper.infradead.org>
Date: Tue, 4 Jan 2022 18:13:43 +0000
From: Matthew Wilcox <willy@...radead.org>
To: Masahiro Yamada <masahiroy@...nel.org>
Cc: Linux Kbuild mailing list <linux-kbuild@...r.kernel.org>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
efi@...ts.einval.com,
debian-kernel <debian-kernel@...ts.debian.org>,
linux-efi <linux-efi@...r.kernel.org>,
Ard Biesheuvel <ardb@...nel.org>,
David Woodhouse <dwmw2@...radead.org>,
David Howells <dhowells@...hat.com>, keyrings@...r.kernel.org
Subject: Re: [PATCH v2] builddeb: Support signing kernels with the module
signing key
On Wed, Jan 05, 2022 at 12:39:57AM +0900, Masahiro Yamada wrote:
> > +vmlinux=$($MAKE -s -f $srctree/Makefile image_name)
> > +key=
> > +if is_enabled CONFIG_EFI_STUB && is_enabled CONFIG_MODULE_SIG; then
> > + cert=$(grep ^CONFIG_MODULE_SIG_KEY= include/config/auto.conf | cut -d\" -f2)
> > + if [ ! -f $cert ]; then
> > + cert=$srctree/$cert
> > + fi
> > +
> > + key=${cert%pem}priv
> > + if [ ! -f $key ]; then
> > + key=$cert
> > + fi
>
>
> I still do not understand this part.
>
> It is true that the Debian document you referred to creates separate files
> for the key and the certificate:
> # openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform
> DER -out MOK.der -days 36500 -subj "/CN=My Name/" -nodes
>
> but, is such a use-case possible in Kbuild?
If someone has followed the Debian instructions for creating a MOK,
then they will have two separate files. We should support both the case
where someone has created a Debian MOK and the case where someone has
used Kbuild to create this foolish blob with both private and public
key in one file.
> In the old days, yes, the key and the certificate were stored in separate files.
> (the key in *.priv and the certificate in *.x509)
>
>
> Please read this commit:
Yes, I did.
> The motivation for this change is still questionable to me;
> the commit description sounds like they merged *.priv and *.x509
> into *.pem just because they could not write a correct Makefile.
> (If requested, I can write a correct Makefile that works in parallel build)
I think that would be preferable. Putting the private and public keys
in the same file cannot be good security practice!
Powered by blists - more mailing lists