Re: RFC: sign the modules at install time

From: Josh Boyer
Date: Thu Oct 18 2012 - 15:58:07 EST

On Thu, Oct 18, 2012 at 2:46 PM, Linus Torvalds
<torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
> On Wed, Oct 17, 2012 at 10:34 PM, Rusty Russell <rusty@xxxxxxxxxxxxxxx> wrote:
>> Hacking the keyid and signer-name to be extracted every time by
>> sign-file takes my modules_install time from 18.6 seconds to 19.1. We'd
>> get that back easily by making sign-file a perl script anyway; it calls
>> out to perl 3 times already.
> Ok, that tiny slowdown seems worth the cleanup, especially if we'd get
> it back from somebody re-writing it in perl.
> Want to sign off on the two patches, or put them in your git tree?

I tested Rusty's version of the 'sign modules at module_install time'
patch in a Fedora kernel build today. It seems to work well enough,
even if we wind up signing things twice. A brief cleanup of my patch
to add a modules_sign target on top of that is below.

It might even be able to be moved entirely into scripts/Makefile.modinst
but I haven't gotten that far yet.