lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20251015230712.GA3943617@ax162>
Date: Wed, 15 Oct 2025 16:07:12 -0700
From: Nathan Chancellor <nathan@...nel.org>
To: mike.malyshev@...il.com
Cc: Nicolas Schier <nicolas.schier@...ux.dev>,
	Masahiro Yamada <masahiroy@...nel.org>,
	linux-kbuild@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] kbuild: Use objtree for module signing key path

On Wed, Oct 15, 2025 at 04:34:52PM +0000, mike.malyshev@...il.com wrote:
> From: Mikhail Malyshev <mike.malyshev@...il.com>
> 
> When building out-of-tree modules with CONFIG_MODULE_SIG_FORCE=y,
> module signing fails because the private key path uses $(srctree)
> while the public key path uses $(objtree). Since signing keys are
> generated in the build directory during kernel compilation, both
> paths should use $(objtree) for consistency.
> 
> This causes SSL errors like:
>   SSL error:02001002:system library:fopen:No such file or directory
>   sign-file: /kernel-src/certs/signing_key.pem
> 
> The issue occurs because:
> - sig-key uses: $(srctree)/certs/signing_key.pem (source tree)
> - cmd_sign uses: $(objtree)/certs/signing_key.x509 (build tree)
> 
> But both keys are generated in $(objtree) during the build.
> 
> This complements commit 25ff08aa43e37 ("kbuild: Fix signing issue for
> external modules") which fixed the scripts path and public key path,
> but missed the private key path inconsistency.
> 
> Fixes out-of-tree module signing for configurations with separate
> source and build directories (e.g., O=/kernel-out).
> 
> Signed-off-by: Mikhail Malyshev <mike.malyshev@...il.com>

Seems reasonable to me but I have not tested to verify.

Reviewed-by: Nathan Chancellor <nathan@...nel.org>

> ---
>  scripts/Makefile.modinst | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/scripts/Makefile.modinst b/scripts/Makefile.modinst
> index 1628198f3e830..9ba45e5b32b18 100644
> --- a/scripts/Makefile.modinst
> +++ b/scripts/Makefile.modinst
> @@ -100,7 +100,7 @@ endif
>  # Don't stop modules_install even if we can't sign external modules.
>  #
>  ifeq ($(filter pkcs11:%, $(CONFIG_MODULE_SIG_KEY)),)
> -sig-key := $(if $(wildcard $(CONFIG_MODULE_SIG_KEY)),,$(srctree)/)$(CONFIG_MODULE_SIG_KEY)
> +sig-key := $(if $(wildcard $(CONFIG_MODULE_SIG_KEY)),,$(objtree)/)$(CONFIG_MODULE_SIG_KEY)
>  else
>  sig-key := $(CONFIG_MODULE_SIG_KEY)
>  endif
> -- 
> 2.43.0
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ