Fw: [PATCH] Restrict read access to private module signing key

From: Luis Ressel
Date: Tue Jan 05 2016 - 19:26:19 EST

Next message: Kees Cook: "Re: [kernel-hardening] [RFC][PATCH 6/7] mm: Add Kconfig option for slab sanitization"
Previous message: Steinar H. Gunderson: "[PATCH v2] Add support for usbfs zerocopy."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I forgot to CC this mailing list.

Begin forwarded message:

Date: Sat, 2 Jan 2016 16:13:50 +0100
From: Luis Ressel <aranea@xxxxxxxx>
To: keyrings@xxxxxxxxxxxxxxx
Cc: keyrings@xxxxxxxxxxxxx, David Howells <dhowells@xxxxxxxxxx>, David
Woodhouse <dwmw2@xxxxxxxxxxxxx> Subject: [PATCH] Restrict read access
to private module signing key

The autogenerated module signing key shouldn't be world-readable.

Signed-off-by: Luis Ressel <aranea@xxxxxxxx>
---
certs/Makefile | 2 ++
1 file changed, 2 insertions(+)

diff --git a/certs/Makefile b/certs/Makefile
index 28ac694..7f1f082 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -49,6 +49,8 @@ $(obj)/signing_key.pem: $(obj)/x509.genkey
@echo "### needs to be run as root, and uses a hardware random"
@echo "### number generator if one is available."
@echo "###"
+ touch $(obj)/signing_key.pem
+ chmod 0600 $(obj)/signing_key.pem
openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days
36500 \ -batch -x509 -config $(obj)/x509.genkey \
-outform PEM -out $(obj)/signing_key.pem \
--
2.6.4
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Kees Cook: "Re: [kernel-hardening] [RFC][PATCH 6/7] mm: Add Kconfig option for slab sanitization"
Previous message: Steinar H. Gunderson: "[PATCH v2] Add support for usbfs zerocopy."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]