Fw: [PATCH] Restrict read access to private module signing key
From: Luis Ressel
Date: Tue Jan 05 2016 - 19:26:19 EST
I forgot to CC this mailing list.
Begin forwarded message:
Date: Sat, 2 Jan 2016 16:13:50 +0100
From: Luis Ressel <aranea@xxxxxxxx>
To: keyrings@xxxxxxxxxxxxxxx
Cc: keyrings@xxxxxxxxxxxxx, David Howells <dhowells@xxxxxxxxxx>, David
Woodhouse <dwmw2@xxxxxxxxxxxxx> Subject: [PATCH] Restrict read access
to private module signing key
The autogenerated module signing key shouldn't be world-readable.
Signed-off-by: Luis Ressel <aranea@xxxxxxxx>
---
certs/Makefile | 2 ++
1 file changed, 2 insertions(+)
diff --git a/certs/Makefile b/certs/Makefile
index 28ac694..7f1f082 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -49,6 +49,8 @@ $(obj)/signing_key.pem: $(obj)/x509.genkey
@echo "### needs to be run as root, and uses a hardware random"
@echo "### number generator if one is available."
@echo "###"
+ touch $(obj)/signing_key.pem
+ chmod 0600 $(obj)/signing_key.pem
openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days
36500 \ -batch -x509 -config $(obj)/x509.genkey \
-outform PEM -out $(obj)/signing_key.pem \
--
2.6.4
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/