Re: [PATCH] Restrict read access to private module signing key
From: Luis Ressel
Date: Sat Jan 16 2016 - 18:03:24 EST
On Sat, 2 Jan 2016 16:13:50 +0100
Luis Ressel <aranea@xxxxxxxx> wrote:
> The autogenerated module signing key shouldn't be world-readable.
> Signed-off-by: Luis Ressel <aranea@xxxxxxxx>
> certs/Makefile | 2 ++
> 1 file changed, 2 insertions(+)
> diff --git a/certs/Makefile b/certs/Makefile
> index 28ac694..7f1f082 100644
> --- a/certs/Makefile
> +++ b/certs/Makefile
> @@ -49,6 +49,8 @@ $(obj)/signing_key.pem: $(obj)/x509.genkey
> @echo "### needs to be run as root, and uses a hardware
> random" @echo "### number generator if one is available."
> @echo "###"
> + touch $(obj)/signing_key.pem
> + chmod 0600 $(obj)/signing_key.pem
> openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH)
> -days 36500 \ -batch -x509 -config $(obj)/x509.genkey \
> -outform PEM -out $(obj)/signing_key.pem \
I've contributed this patch two weeks ago, but there hasn't been any
feedback and it hasn't been merged, either. It's the first kernel patch
I've submitted, so I don't know much about the procedures here. Could
someone please merge the patch or point out any problems with it?