Re: [GIT PULL] MODSIGN: Use PKCS#7 for module signatures [ver #7a]

From: David Woodhouse
Date: Wed Aug 12 2015 - 05:50:53 EST

On Wed, 2015-08-12 at 19:27 +1000, James Morris wrote:
> Yep:
> # CONFIG_MODULE_SIG_SHA512 is not set
> CONFIG_MODULE_SIG_KEY="signing_key.pem"

Can I have the full config please? Not that I understand how anything
else would really make much difference.

> >
> > At the very end of kernel/Makefile, in the rule for
> signing_key.x509,
> > please could you add an 'echo $(X509_DEP)' before the call to
> > extract_certs? That ought to be correctly depending on the
> > signing_key.pem file.
> $ make
> CHK include/config/kernel.release
> CHK include/generated/uapi/linux/version.h
> CHK include/generated/utsrelease.h
> CHK include/generated/bounds.h
> CHK include/generated/timeconst.h
> CHK include/generated/asm-offsets.h
> CALL scripts/
> CHK include/generated/compile.h
> echo
> EXTRACT_CERTS signing_key.pem
> i.e. nothing.



I'm going to have to make another pot of coffee if I'm going to debug
the config_filename thing today... :)

I'm scared to start thinking this way but... what version of 'make' are
you using? If your precise .config doesn't help, is there any chance I
can log into an affected box to poke at it?

I've also been testing David's tree (commit f81977b46 precisely), so
perhaps I should also try *precisely* the merged tree you're looking
at. Again, not that I can imagine anything that would make this

> >
> > There's magic here to work out the precise dependency, since it
> might
> > be a filename relative to either the build tree or the source tree.
> > I'll take another look and work out how it copes in the case where
> the
> > file doesn't exist yet... is this an out-of-tree build?
> >
> Nope, but try a make mrproper first (as I have) and see if you get
> the same result.

I've been testing that, both in-tree and out-of-tree. I can't make it
*fail* to set X509_DEP and thus depend correctly on the signing_key.pem

David Woodhouse Open Source Technology Centre
David.Woodhouse@xxxxxxxxx Intel Corporation

Attachment: smime.p7s
Description: S/MIME cryptographic signature