Re: [GIT PULL] MODSIGN: Use PKCS#7 for module signatures [ver #7a]

From: James Morris
Date: Wed Aug 12 2015 - 05:27:56 EST

Next message: Luis Henriques: "[PATCH 3.16.y-ckt 058/118] bridge: mdb: start delete timer for temp static entries"
Previous message: Luis Henriques: "[PATCH 3.16.y-ckt 057/118] ipv6: Make MLD packets to only be processed locally"
In reply to: David Woodhouse: "Re: [GIT PULL] MODSIGN: Use PKCS#7 for module signatures [ver #7a]"
Next in thread: David Woodhouse: "Re: [GIT PULL] MODSIGN: Use PKCS#7 for module signatures [ver #7a]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 12 Aug 2015, David Woodhouse wrote:

> On Wed, 2015-08-12 at 19:08 +1000, James Morris wrote:
> >
> > CHK include/generated/compile.h
> > EXTRACT_CERTS signing_key.pem
> > At main.c:146:
> > - SSL error:02001002:system library:fopen:No such file or directory:
> > bss_file.c:169
> > - SSL error:2006D080:BIO routines:BIO_new_file:no such file:
> > bss_file.c:172
> > extract-cert: signing_key.pem: No such file or directory
> > rm: cannot remove `signing_key.x509': No such file or directory
> > make[1]: *** [signing_key.x509] Error 1
> > make: *** [kernel] Error 2
>
> Hm, but that ought to have a dependency on signing_key.pem.
>
> What is CONFIG_MODULE_SIG_KEY? Its default value of 'signing_key.pem'?
> That should mean that the rule in kernel/Makefile to create the signing
> key does exist.

Yep:

# CONFIG_MODULE_SIG_SHA512 is not set
CONFIG_MODULE_SIG_HASH="sha1"
CONFIG_MODULE_SIG_KEY="signing_key.pem"
# CONFIG_MODULE_COMPRESS is not set

>
> At the very end of kernel/Makefile, in the rule for signing_key.x509,
> please could you add an 'echo $(X509_DEP)' before the call to
> extract_certs? That ought to be correctly depending on the
> signing_key.pem file.

$ make
CHK include/config/kernel.release
CHK include/generated/uapi/linux/version.h
CHK include/generated/utsrelease.h
CHK include/generated/bounds.h
CHK include/generated/timeconst.h
CHK include/generated/asm-offsets.h
CALL scripts/checksyscalls.sh
CHK include/generated/compile.h
echo

EXTRACT_CERTS signing_key.pem

i.e. nothing.

>
> There's magic here to work out the precise dependency, since it might
> be a filename relative to either the build tree or the source tree.
> I'll take another look and work out how it copes in the case where the
> file doesn't exist yet... is this an out-of-tree build?
>

Nope, but try a make mrproper first (as I have) and see if you get the
same result.

--
James Morris
<jmorris@xxxxxxxxx>

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Luis Henriques: "[PATCH 3.16.y-ckt 058/118] bridge: mdb: start delete timer for temp static entries"
Previous message: Luis Henriques: "[PATCH 3.16.y-ckt 057/118] ipv6: Make MLD packets to only be processed locally"
In reply to: David Woodhouse: "Re: [GIT PULL] MODSIGN: Use PKCS#7 for module signatures [ver #7a]"
Next in thread: David Woodhouse: "Re: [GIT PULL] MODSIGN: Use PKCS#7 for module signatures [ver #7a]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]