Re: [PATCH] MODSIGN: Change default key details [ver #2]

Fri, 01 May 2015 14:42:12 -0700 

Forgive me if this git send-email blows up in my face somehow, as I hadn't been 
subscribed to this list before this reply.

I had some similar and probably related behavior I submitted a patch to the 
kbuild guys for that fell on deaf ears. Basically, I think an order-only 
prerequisite would make the most sense in this case because right now the key 
generation target is going to trigger any time the x509.genkey file has its 
timestamp touched to where it becomes "newer" than our keys, even if its 
content remains the same.

What if I provided my own keys already, as module-signing.txt said was okay? 
What if the autogenerated keys from my last build still exist?

>From module-signing.txt:

> Under normal conditions, the kernel build will automatically generate a new
> keypair using openssl if one does not exist in the files:
>
>        signing_key.priv
>        signing_key.x509

Nope, sorry, not true. Even if your keys exist, due to unfortunate parallel 
make/disk write order/racy kbuild/goblins your x509.genkey file has a newer 
timestamp than your keys, and now your keys are going to get tossed 
(regenerated and overwritten, yay!). Worse still, I think they could even get 
tossed AFTER the build decides "hey nice keys, I'll just use those". Either 
way, this patch is ultimately correct because this is exactly the kind of racy 
scenario order-only prerequisites was made for. We should not care anything 
about x509.genkey if our signing keys already exist. Period.

Here's my two-line patch strictly defining the build order, for your perusal.

Signed-off-by: Abelardo Ricart III <aric...@memnix.com>
---

diff --git a/kernel/Makefile b/kernel/Makefile
index 1408b33..10c8df0 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -168,7 +168,8 @@ ifndef CONFIG_MODULE_SIG_HASH
 $(error Could not determine digest type to use from kernel config)
 endif
 
-signing_key.priv signing_key.x509: x509.genkey
+signing_key.priv signing_key.x509: | x509.genkey
+       $(warning *** X.509 module signing key pair not found in root of source 
tree ***)
        @echo "###"
        @echo "### Now generating an X.509 key pair to be used for signing 
modules."
        @echo "###"
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Reply via email to