[PATCH 22/23] MODSIGN: Automatically generate module signing keys ifmissing

From: David Howells
Date: Tue May 22 2012 - 19:05:18 EST

Next message: David Howells: "[PATCH 23/23] MODSIGN: Panic the kernel if FIPS is enabled uponmodule signing failure"
Previous message: David Howells: "[PATCH 20/23] MODSIGN: Provide module signing public keys to thekernel"
In reply to: David Howells: "[PATCH 20/23] MODSIGN: Provide module signing public keys to thekernel"
Next in thread: David Howells: "[PATCH 23/23] MODSIGN: Panic the kernel if FIPS is enabled uponmodule signing failure"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Automatically generate keys for module signing if they're absent so that
allyesconfig doesn't break. The builder should consider generating their own
keyrings, however, so that the keys are appropriately named and any extra keys
required get imported.

Also change the names of the keyring files to modsign.pub and modsign.sec so
that they are then a more obvious what they're about and add a dependency for
the signing rules on the keyring files so that the signatures get regenerated
if the keyrings change.

Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
---

kernel/Makefile | 39 +++++++++++++++++++++++++++++++++++++++
1 files changed, 39 insertions(+), 0 deletions(-)

diff --git a/kernel/Makefile b/kernel/Makefile
index 28f0ec4..d8139bb 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -129,4 +129,43 @@ targets += timeconst.h
$(obj)/timeconst.h: $(src)/timeconst.pl FORCE
$(call if_changed,timeconst)

+###############################################################################
+#
+# If module signing is requested, say by allyesconfig, but a key has not been
+# supplied, then one will need to be generated to make sure the build does not
+# fail and that the kernel may be used afterwards.
+#
+###############################################################################
+ifeq ($(CONFIG_MODULE_SIG),y)
kernel/modsign-pubkey.o: modsign.pub
+
+modsign.pub modsign.sec: genkey
+ @echo "###"
+ @echo "### Now generating a PGP key pair to be used for signing modules."
+ @echo "###"
+ @echo "### If this takes a long time, you might wish to run rngd in the"
+ @echo "### background to keep the supply of entropy topped up. It"
+ @echo "### needs to be run as root, and should use a hardware random"
+ @echo "### number generator if one is available, eg:"
+ @echo "###"
+ @echo "### rngd -r /dev/hwrandom"
+ @echo "###"
+ gpg --homedir . --batch --gen-key genkey
+ @echo "###"
+ @echo "### Key pair generated."
+ @echo "###"
+ rm -f pubring.gpg secring.gpg trustdb.gpg
+
+genkey:
+ echo "%pubring modsign.pub" >genkey
+ echo "%secring modsign.sec" >>genkey
+ echo "%no-protection: yes" >> genkey
+ echo "%transient-key: yes" >>genkey
+ echo "Key-Type: RSA" >>genkey
+ echo "Key-Length: 4096" >>genkey
+ echo "Name-Real: Sample kernel key" >>genkey
+ echo "Name-Comment: Sample kernel module signing key" >>genkey
+ echo "%commit" >>genkey
+
+endif
+CLEAN_FILES += modsign.pub modsign.sec genkey random_seed

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: David Howells: "[PATCH 23/23] MODSIGN: Panic the kernel if FIPS is enabled uponmodule signing failure"
Previous message: David Howells: "[PATCH 20/23] MODSIGN: Provide module signing public keys to thekernel"
In reply to: David Howells: "[PATCH 20/23] MODSIGN: Provide module signing public keys to thekernel"
Next in thread: David Howells: "[PATCH 23/23] MODSIGN: Panic the kernel if FIPS is enabled uponmodule signing failure"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]