MODSIGN without RTC?

From: Alexander Holler
Date: Wed Feb 06 2013 - 18:43:02 EST


Hello,

I wanted to try out MODSIGN with kernel 3.7.6 and I've just got hit by:

[ 1.346445] X.509: Cert 6a23533cec71c4c52a1618fb4d830e06aa90474e is not yet valid

The reason is likely that the (ARM) device in question doesn't have a RTC (oh, that topic again ;) ) and gets it's time on boot through NTP.

The used certificate was generated automatically. Having a look at it, the following is shown:

Validity
Not Before: Feb 6 02:56:46 2013 GMT
Not After : Jan 13 02:56:46 2113 GMT

Without having thought about possible security problems, my first idea would be to let the validity start at 1970. As I never did such I never had thought about possible implications when doing such (e.g. I don't know if someone checks the start date for plausabilitiy)

Another solution would be to retry loading of the certificate if the time gets set (and e.g. differs more than a year).

Has someone already thought about how to solve that problem? Or did everyone use sane systems which have a (working) RTC?

Regards,

Alexander
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/