Re: RFC: sign the modules at install time

From: Linus Torvalds
Date: Wed Oct 17 2012 - 23:14:43 EST


On Wed, Oct 17, 2012 at 5:54 PM, Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
>>
>> One of the main sane use-cases for module signing is:
>>
>> - CONFIG_CHECK_SIGNATURE=y
>> - randomly generated one-time key
>> - "make modules_install; make install"
>> - "make clean" to get rid of the keys.
>> - reboot.
>
> I want that too, but right now 'make clean' leaves the keys around,
> which seems a bit dangerous to me.

Oh, yes, we should make sure the key file gets cleaned up at "make clean".

I have to admit that I never do the whole "make clean/distclean" any
more, I have gotten so used to just going

git clean -dqfx

to get rid of all generated files in a git directory that I no longer
depend on the makefile getting it right for me.

Linus
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/