
[PATCH 2/2] MODSIG: use pre-generated X.509 key by MODPUBKEY


Eric Miao

Nov 4, 2013, 7:10:02 PM
If MODPUBKEY is specified and other than default ./signing_key.x509, use
that key instead of generating one on-the-fly.

Signed-off-by: Eric Miao <eric...@nvidia.com>
Cc: David Howells <dhow...@redhat.com>
Cc: Dan Willemsen <dwill...@nvidia.com>
---
kernel/Makefile | 8 ++++++++
1 file changed, 8 insertions(+)

diff --git a/kernel/Makefile b/kernel/Makefile
index 1ce4755..66c7c32 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -165,6 +165,13 @@ ifndef CONFIG_MODULE_SIG_HASH
$(error Could not determine digest type to use from kernel config)
endif

+ifneq ($(MODPUBKEY),./signing_key.x509)
+signing_key.x509: $(MODPUBKEY)
+ @echo "###"
+ @echo "### Use pre-generated X.509 key pair for signing modules."
+ @echo "###"
+ cp -f $< $@
+else
signing_key.priv signing_key.x509: x509.genkey
@echo "###"
@echo "### Now generating an X.509 key pair to be used for signing modules."
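Review bot: the `ifneq ($(MODPUBKEY),./signing_key.x509)` test at the top of this hunk is a literal string comparison, so an empty `MODPUBKEY`, or the default file spelled differently (`signing_key.x509`, an absolute path), also selects the pre-generated branch, where `cp -f $< $@` then runs with no source or copies the file onto itself. Consider guarding the empty case and normalising the path before comparing. Separately, the banner says "key pair" but this branch only produces `signing_key.x509`; nothing here provides or checks the matching private key, so a certificate that does not correspond to the key actually used for signing would be accepted without any build-time complaint. Please either verify the pairing in the rule or document the expectation next to it.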
@@ -202,3 +209,4 @@ x509.genkey:
@echo >>x509.genkey "subjectKeyIdentifier=hash"
@echo >>x509.genkey "authorityKeyIdentifier=keyid"
endif
+endif
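Review bot: the added `endif` sits after the unchanged `endif`, so the existing line now closes the new `ifneq`/`else` and the added one takes over closing whatever conditional the old one used to end. That is valid for make but easy to misread in a later edit; please annotate both, for example `endif # MODPUBKEY` on the first and the enclosing condition's name on the second. The changelog should also mention that the `x509.genkey` rule now lives in the `else` branch and is skipped when a pre-generated key is supplied.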
--
1.8.4.1


Eric Miao

Nov 4, 2013, 7:10:02 PM
Even if MODULE_SIG_FORCE is turned on, it is still useful if module
can export sig_enforce, so user space will know if module signature
is turned on and forced.

Signed-off-by: Eric Miao <eric...@nvidia.com>
Cc: David Howells <dhow...@redhat.com>
Cc: Dan Willemsen <dwill...@nvidia.com>
---
kernel/module.c | 8 ++++++++
1 file changed, 8 insertions(+)

diff --git a/kernel/module.c b/kernel/module.c
index dc58274..d55646b 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -110,6 +110,14 @@ struct list_head *kdb_modules = &modules; /* kdb needs the list of modules */
#ifdef CONFIG_MODULE_SIG
#ifdef CONFIG_MODULE_SIG_FORCE
static bool sig_enforce = true;
+
+static const struct kernel_param_ops param_ops_bool_read_only = {
+ .flags = KERNEL_PARAM_FL_NOARG,
+ .get = param_get_bool,
+};
+#define param_check_bool_read_only param_check_bool
+
+module_param(sig_enforce, bool_read_only, 0444);
#else
static bool sig_enforce = false;
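Review bot: `param_ops_bool_read_only` defines `.get` but no `.set`, yet it sets `.flags = KERNEL_PARAM_FL_NOARG`, a flag that only matters when a parameter is being set without a value. Mode `0444` keeps sysfs writes out, but `module_param()` also exposes the name to boot-time parameter parsing, so please check what the parser does with a NULL `.set` when `sig_enforce` is given on the command line, and either supply a `.set` that rejects the write with an error or explain why the path cannot be reached. If nothing can set it, the `NOARG` flag looks unnecessary and could be dropped. A one-line comment above the struct saying the parameter is exported read-only so user space can query enforcement would also help, since the `#define param_check_bool_read_only param_check_bool` line is not self-explanatory.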