Re: [PATCH] MODSIGN: Change default key details [ver #2]

From: Sedat Dilek
Date: Thu Apr 30 2015 - 10:39:36 EST


On Thu, Apr 30, 2015 at 3:58 PM, David Howells <dhowells@xxxxxxxxxx> wrote:
> Change default key details to be more obviously unspecified.
>
> Reported-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
> Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
> Acked-by: James Morris <james.l.morris@xxxxxxxxxx>
> ---
>
> Documentation/module-signing.txt | 6 +++---
> kernel/Makefile | 6 +++---
> 2 files changed, 6 insertions(+), 6 deletions(-)
>
> diff --git a/Documentation/module-signing.txt b/Documentation/module-signing.txt
> index 09c2382ad055..c72702ec1ded 100644
> --- a/Documentation/module-signing.txt
> +++ b/Documentation/module-signing.txt
> @@ -119,9 +119,9 @@ Most notably, in the x509.genkey file, the req_distinguished_name section
> should be altered from the default:
>
> [ req_distinguished_name ]
> - O = Magrathea
> - CN = Glacier signing key
> - emailAddress = slartibartfast@xxxxxxxxxxxxxx
> + #O = Unspecified company
> + CN = Build time autogenerated kernel key
> + #emailAddress = unspecified.user@xxxxxxxxxxxxxxxxxxx
>
> The generated RSA key size can also be set with:
>
> diff --git a/kernel/Makefile b/kernel/Makefile
> index 0f8f8b0bc1bf..60c302cfb4d3 100644
> --- a/kernel/Makefile
> +++ b/kernel/Makefile
> @@ -197,9 +197,9 @@ x509.genkey:
> @echo >>x509.genkey "x509_extensions = myexts"
> @echo >>x509.genkey
> @echo >>x509.genkey "[ req_distinguished_name ]"
> - @echo >>x509.genkey "O = Magrathea"
> - @echo >>x509.genkey "CN = Glacier signing key"
> - @echo >>x509.genkey "emailAddress = slartibartfast@xxxxxxxxxxxxxx"
> + @echo >>x509.genkey "#O = Unspecified company"
> + @echo >>x509.genkey "CN = Build time autogenerated kernel key"
> + @echo >>x509.genkey "#emailAddress = unspecified.user@xxxxxxxxxxxxxxxxxxx"
> @echo >>x509.genkey
> @echo >>x509.genkey "[ myexts ]"
> @echo >>x509.genkey "basicConstraints=critical,CA:FALSE"
>

[ CC Greg ]

Thanks for considering me.

I reported missing generated files in the "module signature" area.

>From [1]...

[ 2.117022] Request for unknown module key 'Magrathea: Glacier
signing key: 009aa341bb673735a51dc34b238a0ca481d68098' err -11
[ 2.117114] mii: module verification failed: signature and/or
required key missing - tainting kernel

This happened a 2nd time with a different kernel-series!
Not sure why this was the case.
It did not happen when rebuilding with the same kernel-config again.
Not sure if parallel-make-jobs might be a cause for this (see attached
build-script).

$ egrep -i 'signature|module_sig' /boot/config-4.0.1-1-iniza-small |
grep ^CONFIG
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_INTEGRITY_SIGNATURE=y
CONFIG_SIGNATURE=y

For my quick builds of rcN Linux-kernels I normally do not need
signing my modules.
I really do not use it (it's taken from the Ubuntu kernel-settings).

Attached is my simple build-script for generating Debian/Ubuntu kernel
packages via builddeb script.

If you have any ideas/hints please let me know.

- Sedat -

[1] https://lkml.org/lkml/2015/2/9/396

Attachment: config-4.0.1-1-iniza-small
Description: Binary data

Attachment: build_linux-upstream.sh
Description: Bourne shell script