lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <aO_xM1PraLOLjD4h@levanger>
Date: Wed, 15 Oct 2025 21:08:35 +0200
From: Nicolas Schier <nsc@...nel.org>
To: mike.malyshev@...il.com
Cc: Nathan Chancellor <nathan@...nel.org>,
	Masahiro Yamada <masahiroy@...nel.org>,
	linux-kbuild@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] kbuild: Use objtree for module signing key path

On Wed, Oct 15, 2025 at 04:34:52PM +0000, mike.malyshev@...il.com wrote:
> From: Mikhail Malyshev <mike.malyshev@...il.com>
> 
> When building out-of-tree modules with CONFIG_MODULE_SIG_FORCE=y,
> module signing fails because the private key path uses $(srctree)
> while the public key path uses $(objtree). Since signing keys are
> generated in the build directory during kernel compilation, both
> paths should use $(objtree) for consistency.
> 
> This causes SSL errors like:
>   SSL error:02001002:system library:fopen:No such file or directory
>   sign-file: /kernel-src/certs/signing_key.pem
> 
> The issue occurs because:
> - sig-key uses: $(srctree)/certs/signing_key.pem (source tree)
> - cmd_sign uses: $(objtree)/certs/signing_key.x509 (build tree)
> 
> But both keys are generated in $(objtree) during the build.
> 
> This complements commit 25ff08aa43e37 ("kbuild: Fix signing issue for
> external modules") which fixed the scripts path and public key path,
> but missed the private key path inconsistency.
> 
> Fixes out-of-tree module signing for configurations with separate
> source and build directories (e.g., O=/kernel-out).
> 
> Signed-off-by: Mikhail Malyshev <mike.malyshev@...il.com>
> ---
>  scripts/Makefile.modinst | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Thanks!

Tested-by: Nicolas Schier <nsc@...nel.org>

I am going to wait a few days for possible tags and other feedback.

-- 
Nicolas

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ