Re: [GIT PULL] MODSIGN: Use PKCS#7 for module signatures [ver #7a]
From: David Woodhouse
Date: Wed Aug 12 2015 - 05:50:53 EST

On Wed, 2015-08-12 at 19:27 +1000, James Morris wrote:
> # CONFIG_MODULE_SIG_SHA512 is not set
> # CONFIG_MODULE_COMPRESS is not set

Can I have the full config please? Not that I understand how anything
else would really make much difference.

> > At the very end of kernel/Makefile, in the rule for
> > please could you add an 'echo $(X509_DEP)' before the call to
> > extract_certs? That ought to be correctly depending on the
> > signing_key.pem file.
> $ make
> CHK include/config/kernel.release
> CHK include/generated/uapi/linux/version.h
> CHK include/generated/utsrelease.h
> CHK include/generated/bounds.h
> CHK include/generated/timeconst.h
> CHK include/generated/asm-offsets.h
> CALL scripts/checksyscalls.sh
> CHK include/generated/compile.h
> EXTRACT_CERTS signing_key.pem
> i.e. nothing.

What are $(MODULE_SIG_KEY_FILENAME) and $(MODULE_SIG_KEY_SRCPREFIX) ?

I'm going to have to make another pot of coffee if I'm going to debug
the config_filename thing today... :)

I'm scared to start thinking this way but... what version of 'make' are
you using? If your precise .config doesn't help, is there any chance I
can log into an affected box to poke at it?

I've also been testing David's tree (commit f81977b46 precisely), so
perhaps I should also try *precisely* the merged tree you're looking
at. Again, not that I can imagine anything that would make this

> > There's magic here to work out the precise dependency, since it
> > be a filename relative to either the build tree or the source tree.
> > I'll take another look and work out how it copes in the case where
> > file doesn't exist yet... is this an out-of-tree build?
> Nope, but try a make mrproper first (as I have) and see if you get
> the same result.

I've been testing that, both in-tree and out-of-tree. I can't make it
*fail* to set X509_DEP and thus depend correctly on the signing_key.pem

David Woodhouse Open Source Technology Centre
David.Woodhouse@xxxxxxxxx Intel Corporation