Re: [GIT PULL] MODSIGN: Use PKCS#7 for module signatures [ver #7a]

From: David Woodhouse
Date: Wed Aug 12 2015 - 05:13:05 EST

On Wed, 2015-08-12 at 19:08 +1000, James Morris wrote:
> CHK include/generated/compile.h
> EXTRACT_CERTS signing_key.pem
> At main.c:146:
> - SSL error:02001002:system library:fopen:No such file or directory:
> bss_file.c:169
> - SSL error:2006D080:BIO routines:BIO_new_file:no such file:
> bss_file.c:172
> extract-cert: signing_key.pem: No such file or directory
> rm: cannot remove `signing_key.x509': No such file or directory
> make[1]: *** [signing_key.x509] Error 1
> make: *** [kernel] Error 2

Hm, but that ought to have a dependency on signing_key.pem.

What is CONFIG_MODULE_SIG_KEY? Its default value of 'signing_key.pem'?
That should mean that the rule in kernel/Makefile to create the signing
key does exist.

At the very end of kernel/Makefile, in the rule for signing_key.x509,
please could you add an 'echo $(X509_DEP)' before the call to
extract_certs? That ought to be correctly depending on the
signing_key.pem file.

There's magic here to work out the precise dependency, since it might
be a filename relative to either the build tree or the source tree.
I'll take another look and work out how it copes in the case where the
file doesn't exist yet... is this an out-of-tree build?


Attachment: smime.p7s
Description: S/MIME cryptographic signature