Re: [PATCH] MODSIGN: Only sign modules if built in-tree
From: Rusty Russell
Date: Fri Nov 02 2012 - 00:25:26 EST
Josh Boyer <jwboyer@xxxxxxxxxx> writes:
> On Thu, Nov 01, 2012 at 07:26:55AM -0400, Josh Boyer wrote:
>> > I prefer something like this (untested):
>> >
>> > diff --git a/Makefile b/Makefile
>> > index 42d0e56..cb66c8d 100644
>> > --- a/Makefile
>> > +++ b/Makefile
>> > @@ -722,8 +722,14 @@ export mod_strip_cmd
>> > ifeq ($(CONFIG_MODULE_SIG),y)
>> > MODSECKEY = ./signing_key.priv
>> > MODPUBKEY = ./signing_key.x509
>> > +ifeq ($(KBUILD_EXTMOD),)
>> > +SIGNFAIL = false
>> > +else
>> > +# External builds might not have a signing key, don't break module_install.
>> > +SIGNFAIL = true
>> > +endif # KBUILD_EXTMOD
>> > export MODPUBKEY
>> > -mod_sign_cmd = perl $(srctree)/scripts/sign-file $(MODSECKEY) $(MODPUBKEY)
>> > +mod_sign_cmd = perl $(srctree)/scripts/sign-file $(MODSECKEY) $(MODPUBKEY) || $(SIGNFAIL)
>> > else
>> > mod_sign_cmd = true
>> > endif
>>
>> OK. I'll give this a spin locally today, but at first glance it seems
>> like it would do the same.
>
> We need to put $(SIGNFAIL) before the perl script invocation or we get
> errors because mod_sign_cmd is passed an argument and sign-file is
> treating the "|| $(SIGNFAIL)" as something it's passed. That was the
> only change I needed to make and it works as expected.
>
> Do you want me to send a v2 of the patch, or will you add it yourself
> given you've basically written the code? Either way works for me.
Please re-submit.
Thanks,
Rusty.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/