RFC: sign the modules at install time

From: Linus Torvalds
Date: Wed Oct 17 2012 - 16:37:02 EST

This was based on the complaint from Davem that the "make
allmodconfig" build got way slower because module signing takes a

And quite frankly, the whole "extra strip and sign" thing at modpost
time was just nasty ugly code.

Why don't we do something *much* simpler? We already have a
conditional stripping of modules (that whole INSTALL_MOD_STRIP) logic,
and it really simplifies everything if we just do something very
similar for the signing of modules. At "make modules_install" time,
exactly like the stripping is done.

Sure, it means that if you want to load modules directly from your
kernel build tree (without installing them), you'd better be running a
kernel that doesn't need the signing (or you need to sign things
explicitly). But seriously, nobody cares. If you are building a module
after booting the kernel with the intention of loading that modified
module, you aren't going to be doing that whole module signing thing
*anyway*. Signed modules make sense when building the kernel and
module together, so signing them as we install the kernel and module
is just sensible.

And it really is much simpler as shown by the diffstat: 13
insertions(+), 78 deletions(-).

It seems to work for me from my (very very limited) testing. Comments?


Attachment: patch.diff
Description: Binary data