Re: [RFC][PATCH 1/2] modsig: add support to sign kernel modules using ephemeral keys

From: David Howells
Date: Tue Dec 04 2012 - 13:14:29 EST


Rusty Russell <rusty@xxxxxxxxxxxxxxx> wrote:

> > +PHONY += _newmodpubkey_
> > +_newmodpubkey_:
> > + @rm -f $(MODSECKEY) $(MODPUBKEY)
> > + $(Q)$(MAKE) -W kernel/modsign_pubkey.o
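
Review bot: the "@rm -f $(MODSECKEY) $(MODPUBKEY)" line in _newmodpubkey_ removes both key files unconditionally and, because of the leading "@", silently. A key pair the builder had placed there deliberately would be discarded with no message. Consider using $(Q) as the next line does, and guarding the removal so it only applies to keys the build generated itself. The "$(MAKE) -W kernel/modsign_pubkey.o" line names no goal and relies on make's what-if flag to treat the object as just modified; a short comment saying which targets this is meant to force, or an explicit prerequisite on $(MODPUBKEY), would make the intent reviewable.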

Please don't do this. It can muck up the dependencies as make thinks it has
already done this file at this point. Also, rebuilding bzImage yet again
wouldn't be the best. We already do it a number of times. Further, if
vmlinux is already installed when you rebuild, you may confuse gdb if the
debuginfo then no longer matches vmlinux.

You have to expose the private key *anyway* - so how much does this actually
gain you? Especially with a one-shot transient key.

David