[PATCH 2/4] modsign: Allow external signing key to be specified
From: David Woodhouse
Date: Fri May 15 2015 - 12:53:32 EST
Signed-off-by: David Woodhouse <David.Woodhouse@xxxxxxxxx>
---
Makefile | 2 +-
init/Kconfig | 13 +++++++++++++
kernel/Makefile | 6 ++++++
3 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index ad27fc9..9590e67 100644
--- a/Makefile
+++ b/Makefile
@@ -872,7 +872,7 @@ INITRD_COMPRESS-$(CONFIG_RD_LZ4) := lz4
# export INITRD_COMPRESS := $(INITRD_COMPRESS-y)
ifdef CONFIG_MODULE_SIG_ALL
-MODSECKEY = ./signing_key.priv
+MODSECKEY = $(CONFIG_MODULE_SIG_KEY)
MODPUBKEY = ./signing_key.x509
export MODPUBKEY
mod_sign_cmd = scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(MODSECKEY) $(MODPUBKEY)
diff --git a/init/Kconfig b/init/Kconfig
index c05afd6..1ca075a 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1954,6 +1954,19 @@ config MODULE_SIG_HASH
default "sha384" if MODULE_SIG_SHA384
default "sha512" if MODULE_SIG_SHA512
+config MODULE_SIG_EXTERNAL_KEY
+ bool "Use external key for module signing"
+ depends on MODULE_SIG_ALL
+ help
+ Use an external private key for module signing.
+
+config MODULE_SIG_KEY
+ string "File name or PKCS#11 URI of module signing key" if MODULE_SIG_EXTERNAL_KEY
+ default "signing_key.priv"
+ help
+ Provide the file name of a private key in PEM format, or a PKCS#11
+ URI according to RFC7512 to specify the key.
+
config MODULE_COMPRESS
bool "Compress modules on installation"
depends on MODULES
diff --git a/kernel/Makefile b/kernel/Makefile
index 60c302c..b1a718c 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -170,6 +170,11 @@ ifndef CONFIG_MODULE_SIG_HASH
$(error Could not determine digest type to use from kernel config)
endif
+# 'make randconfig' might enable CONFIG_MODULE_SIG_EXTERNAL_KEY but will
+# leave any strings at their default settings. We want to let the automatic
+# key generation work in that case, which is why we check the string here
+# instead of just using 'ifndef CONFIG_MODULE_SIG_EXTERNAL_KEY'.
+ifeq ($(CONFIG_MODULE_SIG_KEY),"signing_key.priv")
signing_key.priv signing_key.x509: x509.genkey
@echo "###"
@echo "### Now generating an X.509 key pair to be used for signing modules."
@@ -207,3 +212,4 @@ x509.genkey:
@echo >>x509.genkey "subjectKeyIdentifier=hash"
@echo >>x509.genkey "authorityKeyIdentifier=keyid"
endif
+endif
--
2.4.0
--
David Woodhouse Open Source Technology Centre
David.Woodhouse@xxxxxxxxx Intel Corporation
Attachment:
smime.p7s
Description: S/MIME cryptographic signature