Re: RFC: sign the modules at install time

From: Alexander Holler
Date: Fri Oct 19 2012 - 07:40:22 EST


Am 19.10.2012 13:25, schrieb David Howells:
Stephen Rothwell <sfr@xxxxxxxxxxxxxxxx> wrote:

So, this still generates the keys during the normal build, right? That
would be a problem for build servers that have limited randomness
available to them, I think.

openssl uses /dev/urandom (unlike gpg), so that's less of a problem.

Hmm, please don't forget the case where people want to build the kernel in some sandbox (like chroot or similiar) where the build-system doesn't have access to /dev.

I haven't checked what openssl does if that is the case, so maybe the script which calls it should either offer a verbose error message for that case, or should be prepared that openssl might fail because of a missing /dev/urandom.

If that's already done, just ignore my email, I haven't read the complete thread, sorry.

Regards,

Alexander
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/