[RFC][PATCH 2/2] modsig: differentiate between ephemeral and persistent key names

From: Mimi Zohar
Date: Mon Nov 26 2012 - 09:25:07 EST


Using the same name for ephemeral and "persistent" keys results
in deleting the "persistent" key. This patch renames the normal
kbuild asymmetric key pair name to "default_signing_key" and the
ephemeral key pair name to "ephemeral_signing_key".

Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxx>
---
Makefile | 14 +++++++++-----
kernel/Makefile | 12 ++++++++----
2 files changed, 17 insertions(+), 9 deletions(-)

diff --git a/Makefile b/Makefile
index d0dd777..525f512 100644
--- a/Makefile
+++ b/Makefile
@@ -721,15 +721,17 @@ export mod_strip_cmd
export KBUILD_MODSIG := 0

ifeq ($(CONFIG_MODULE_SIG),y)
-MODSECKEY = ./signing_key.priv
-MODPUBKEY = ./signing_key.x509
-
# Use 'make MODSIG=1 modules_install' to use ephemeral keys for module signing
ifeq ("$(origin MODSIG)", "command line")
KBUILD_MODSIG := $(MODSIG)
+MODSECKEY = ./ephemeral_signing_key.priv
+MODPUBKEY = ./ephemeral_signing_key.x509
+else
+MODSECKEY = ./default_signing_key.priv
+MODPUBKEY = ./default_signing_key.x509
endif

-export MODPUBKEY
+export MODPUBKEY MODSECKEY
mod_sign_cmd = perl $(srctree)/scripts/sign-file $(MODSECKEY) $(MODPUBKEY)
else
mod_sign_cmd = true
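Review bot: The key-name choice under `ifeq ("$(origin MODSIG)", "command line")` depends on where MODSIG was set, not on its value. As a result `make MODSIG=0 modules_install` sets KBUILD_MODSIG to 0 and still points MODSECKEY and MODPUBKEY at the ephemeral pair. If the persistent pair is meant to be used whenever ephemeral signing is off (how KBUILD_MODSIG is consumed is not visible here), wrap the two ephemeral assignments in a value test such as `ifeq ($(MODSIG),1)`. A short comment on the `else` branch, for example `# persistent key pair, kept across builds`, would also make the distinction explicit. The enclosing `ifeq ($(CONFIG_MODULE_SIG),y)` block closes outside this hunk.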
@@ -1037,7 +1039,9 @@ MRPROPER_DIRS += include/config usr/include include/generated \
arch/*/include/generated
MRPROPER_FILES += .config .config.old .version .old_version $(version_h) \
Module.symvers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS \
- signing_key.priv signing_key.x509 x509.genkey \
+ default_signing_key.priv default_signing_key.x509 \
+ ephemeral_signing_key.priv ephemeral_signing_key.x509 \
+ signing_key.x509 x509.genkey \
extra_certificates signing_key.x509.keyid \
signing_key.x509.signer

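Review bot: Dropping `signing_key.priv` from MRPROPER_FILES means a tree that was built before this rename keeps its old private key on disk after `make mrproper`. The old public-side names (`signing_key.x509`, `.keyid`, `.signer`) stay in the list, so only the private half is orphaned. Keeping the legacy name alongside the new ones, e.g. `signing_key.priv signing_key.x509 x509.genkey \`, would let mrproper still clean it up.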
diff --git a/kernel/Makefile b/kernel/Makefile
index 86e3285..34107d9 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -139,7 +139,11 @@ ifeq ($(CONFIG_MODULE_SIG),y)
extra_certificates:
touch $@

-kernel/modsign_pubkey.o: signing_key.x509 extra_certificates
+signing_key.x509: FORCE
+ ln -fs $(MODPUBKEY) $@
+ touch $@
+
+kernel/modsign_pubkey.o: $(MODPUBKEY) signing_key.x509 extra_certificates

###############################################################################
#
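Review bot: The new `signing_key.x509: FORCE` rule has no prerequisite on `$(MODPUBKEY)`, so under `make -j` it can run before the certificate exists. In that case `touch $@` follows the dangling symlink and creates an empty `$(MODPUBKEY)`, which `kernel/modsign_pubkey.o` may then pick up. Declaring the dependency, `signing_key.x509: $(MODPUBKEY) FORCE`, removes that ordering gap. Because `touch` follows the link, it also bumps the key file's mtime on every build; if the intent is only to refresh the link, `touch -h $@` or dropping the `touch` avoids that. A one-line comment saying why the link is forced on every build would help the next reader.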
@@ -168,7 +172,7 @@ ifeq ($(sign_key_with_hash),)
$(error Could not determine digest type to use from kernel config)
endif

-signing_key.priv signing_key.x509: x509.genkey
+$(MODSECKEY) $(MODPUBKEY): x509.genkey
@echo "###"
@echo "### Now generating an X.509 key pair to be used for signing modules."
@echo "###"
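Review bot: `$(MODSECKEY) $(MODPUBKEY): x509.genkey` is read by make as two independent rules sharing one recipe, a form carried over from the old `signing_key.priv signing_key.x509` line. If both targets are ever requested in the same parallel build, openssl can run twice and leave a private key and certificate from different runs. Making one file the real target and the other depend on it avoids this, e.g. `$(MODPUBKEY): x509.genkey` with the recipe and `$(MODSECKEY): $(MODPUBKEY) ;`. The banner would also be clearer if it named the pair being generated, such as `@echo "### Generating $(MODPUBKEY)"`. The recipe continues past the end of this hunk.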
@@ -179,8 +183,8 @@ signing_key.priv signing_key.x509: x509.genkey
@echo "###"
openssl req -new -nodes -utf8 $(sign_key_with_hash) -days 36500 -batch \
-x509 -config x509.genkey \
- -outform DER -out signing_key.x509 \
- -keyout signing_key.priv
+ -outform DER -out $(MODPUBKEY) \
+ -keyout $(MODSECKEY)
@echo "###"
@echo "### Key pair generated."
@echo "###"
--
1.7.7.6
