Re: [PATCH 1/3] X.509: Fix certificate gathering again
From: Petko Manolov
Date: Tue May 26 2015 - 15:50:22 EST
On May 26, 2015 7:15:38 PM GMT+03:00, David Howells <dhowells@xxxxxxxxxx> wrote:
>Hi Michal,
>
>Could you have a look at the patch at the end of my branch:
>
> http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=modsign-pkcs7
>
>It changes things from picking up arbitrary *.x509 files dropped in the
>kernel
>source and/or build directory to taking a single named PEM file with
>all the
>additional certs as a string config option. The PEM file can contain
>multiple
>certs simply cat'd together.
>
>If you're okay with that, it obsoletes these patches of yours.
>
>I've attached it here for convenience also.
>
>David
>---
>commit 9c71c950793b1b8c23c6d945b31f6545f82adced
>Author: David Woodhouse <David.Woodhouse@xxxxxxxxx>
>Date: Thu May 21 12:23:55 2015 +0100
>
> modsign: Add explicit CONFIG_SYSTEM_TRUSTED_KEYS option
>
>Let the user explicitly provide a file containing trusted keys, instead
>of
> just automatically finding files matching *.x509 in the build tree and
> trusting whatever we find. This really ought to be an *explicit*
> configuration, and the build rules for dealing with the files were
> fairly painful too.
>
> Signed-off-by: David Woodhouse <David.Woodhouse@xxxxxxxxx>
> Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
>
>diff --git a/Documentation/module-signing.txt
>b/Documentation/module-signing.txt
>index 5d5e4e32dc26..4e62bc29666e 100644
>--- a/Documentation/module-signing.txt
>+++ b/Documentation/module-signing.txt
>@@ -88,6 +88,7 @@ This has a number of options available:
>than being a module) so that modules signed with that algorithm can
>have
> their signatures checked without causing a dependency loop.
>
>+
>(4) "File name or PKCS#11 URI of module signing key"
>(CONFIG_MODULE_SIG_KEY)
>
> Setting this option to something other than its default of
>@@ -104,6 +105,13 @@ This has a number of options available:
> means of the KBUILD_SIGN_PIN variable.
>
>
>+ (5) "Additional X.509 keys for default system keyring"
>(CONFIG_SYSTEM_TRUSTED_KEYS)
>+
>+ This option can be set to the filename of a PEM-encoded file
>containing
>+ additional certificates which will be included in the system
>keyring by
>+ default.
>+
>+
> =======================
> GENERATING SIGNING KEYS
> =======================
>@@ -171,10 +179,9 @@ in a keyring called ".system_keyring" that can be
>seen by:
> 302d2d52 I------ 1 perm 1f010000 0 0 asymmetri Fedora
>kernel signing key: d69a84e6bce3d216b979e9505b3e3ef9a7118079: X509.RSA
>a7118079 []
> ...
>
>-Beyond the public key generated specifically for module signing, any
>file
>-placed in the kernel source root directory or the kernel build root
>directory
>-whose name is suffixed with ".x509" will be assumed to be an X.509
>public key
>-and will be added to the keyring.
>+Beyond the public key generated specifically for module signing,
I think this should be "private", not "public" key. The modules are signed with the private key...
Petko
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/