Re: [GIT PULL] Asymmetric keys and module signing

From: Rusty Russell
Date: Tue Oct 02 2012 - 03:11:22 EST


Josh Boyer <jwboyer@xxxxxxxxxx> writes:

> On Sat, Sep 29, 2012 at 08:13:25AM +0100, David Howells wrote:
>> Rusty Russell <rusty@xxxxxxxxxxxxxxx> wrote:
>>
>> > [ 2.808075] Loading module verification certificates
>> > [ 2.809331] X.509: Cert 6e03943da0f3b015ba6ed7f5e0cac4fe48680994 has expired
>> > [ 2.810500] MODSIGN: Problem loading in-kernel X.509 certificate (-127)
>>
>> Hmmm... Other people have seen that.
>>
>> Ahhhhh!
>>
>> I wonder if the problem is that the certificate is valid for 100 years....
>> That might well cause an overflow on a 32-bit system.
>
> That does seem quite plausible. The comparisons are done with time_t,
> which boils down to 'long' and 100 years in seconds would overflow
> LONG_MAX.
>
>> Could you try changing the '36500' in kernel/Makefile to something shorter,
>> like 365?
>
> I tried two values today. One close to LONG_MAX (24800 or ~68 years),
> and 10 years (3650). The former still seemed to overflow, but
> specifying a 10yr lifetime appears to have worked.

That's because the timestamp is absolute, right? Indeed, that seems to
be the limit here.

Here's my solution (tested, and it breaks if you change 2147300000 to
2147600000 as expected):
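
Added example, not part of the original message and not the patch it refers to: a small C model of the arithmetic discussed in this thread, showing why a 24800-day lifetime fits in 32 bits as a duration but not as an absolute expiry timestamp. The issue time `ISSUED` is a constructed value (early October 2012), and the expiry comparison in `looks_expired_32` is an assumed simplification of the kernel's check.

```c
#include <stdint.h>
#include <stdio.h>

#define SECS_PER_DAY 86400LL
/* Constructed sample: a build time in early October 2012 (Unix seconds). */
#define ISSUED 1349000000LL

/* Can this absolute Unix timestamp be stored in a signed 32-bit time_t? */
static int fits_time32(int64_t ts)
{
    return ts >= INT32_MIN && ts <= INT32_MAX;
}

/* Absolute end of validity for a certificate issued at `issued`. */
static int64_t not_after(int64_t issued, int64_t days)
{
    return issued + days * SECS_PER_DAY;
}

/* Value left after keeping only the low 32 bits (two's complement wrap). */
static int32_t wrap_time32(int64_t ts)
{
    uint32_t low = (uint32_t)ts;
    if (low > (uint32_t)INT32_MAX)
        return (int32_t)((int64_t)low - 4294967296LL);
    return (int32_t)low;
}

/* Assumed model of the check: expired when now is past the stored end. */
static int looks_expired_32(int64_t issued, int64_t days)
{
    return wrap_time32(issued) > wrap_time32(not_after(issued, days));
}

/* Longest lifetime in days whose end still fits in 32 bits. */
static int64_t max_days_32(int64_t issued)
{
    return (INT32_MAX - issued) / SECS_PER_DAY;
}

int main(void)
{
    const int64_t days[] = { 36500, 24800, 3650 };
    for (int i = 0; i < 3; i++)
        printf("%5lld days: notAfter=%lld fits=%d expired_on_32bit=%d\n",
               (long long)days[i], (long long)not_after(ISSUED, days[i]),
               fits_time32(not_after(ISSUED, days[i])),
               looks_expired_32(ISSUED, days[i]));
    printf("max lifetime: %lld days\n", (long long)max_days_32(ISSUED));
    return 0;
}
```

With this issue time the longest lifetime that stays representable is 9241 days, which is why 3650 works and 24800 does not.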