Re: [GIT PULL] MODSIGN: Use PKCS#7 for module signatures [ver #7a]

From: David Woodhouse
Date: Wed Aug 12 2015 - 05:50:53 EST

Next message: David Woodhouse: "Re: [PATCH 30/31] intel-iommu: handle page-less SG entries"
Previous message: Chao Yu: "[PATCH] f2fs: avoid clear valid page"
In reply to: James Morris: "Re: [GIT PULL] MODSIGN: Use PKCS#7 for module signatures [ver #7a]"
Next in thread: James Morris: "Re: [GIT PULL] MODSIGN: Use PKCS#7 for module signatures [ver #7a]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 2015-08-12 at 19:27 +1000, James Morris wrote:
>
> Yep:
>
> # CONFIG_MODULE_SIG_SHA512 is not set
> CONFIG_MODULE_SIG_HASH="sha1"
> CONFIG_MODULE_SIG_KEY="signing_key.pem"
> # CONFIG_MODULE_COMPRESS is not set

Can I have the full config please? Not that I understand how anything
else would really make much difference.

> >
> > At the very end of kernel/Makefile, in the rule for
> signing_key.x509,
> > please could you add an 'echo $(X509_DEP)' before the call to
> > extract_certs? That ought to be correctly depending on the
> > signing_key.pem file.
>
> $ make
> CHK include/config/kernel.release
> CHK include/generated/uapi/linux/version.h
> CHK include/generated/utsrelease.h
> CHK include/generated/bounds.h
> CHK include/generated/timeconst.h
> CHK include/generated/asm-offsets.h
> CALL scripts/checksyscalls.sh
> CHK include/generated/compile.h
> echo
>
> EXTRACT_CERTS signing_key.pem
>
> i.e. nothing.

Odd.

What are $(MODULE_SIG_KEY_FILENAME) and $(MODULE_SIG_KEY_SRCPREFIX) ?

I'm going to have to make another pot of coffee if I'm going to debug
the config_filename thing today... :)

I'm scared to start thinking this way but... what version of 'make' are
you using? If your precise .config doesn't help, is there any chance I
can log into an affected box to poke at it?

I've also been testing David's tree (commit f81977b46 precisely), so
perhaps I should also try *precisely* the merged tree you're looking
at. Again, not that I can imagine anything that would make this
difference.

> >
> > There's magic here to work out the precise dependency, since it
> might
> > be a filename relative to either the build tree or the source tree.
> > I'll take another look and work out how it copes in the case where
> the
> > file doesn't exist yet... is this an out-of-tree build?
> >
>
> Nope, but try a make mrproper first (as I have) and see if you get
> the same result.

I've been testing that, both in-tree and out-of-tree. I can't make it
*fail* to set X509_DEP and thus depend correctly on the signing_key.pem
file.

--
David Woodhouse Open Source Technology Centre
David.Woodhouse@xxxxxxxxx Intel Corporation

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Next message: David Woodhouse: "Re: [PATCH 30/31] intel-iommu: handle page-less SG entries"
Previous message: Chao Yu: "[PATCH] f2fs: avoid clear valid page"
In reply to: James Morris: "Re: [GIT PULL] MODSIGN: Use PKCS#7 for module signatures [ver #7a]"
Next in thread: James Morris: "Re: [GIT PULL] MODSIGN: Use PKCS#7 for module signatures [ver #7a]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]