[PATCH] Restrict read access to private module signing key

From: Luis Ressel
Date: Sat Jan 30 2016 - 08:28:53 EST

Next message: Maciej W. Rozycki: "Re: [PATCH] ld-version: fix it on Fedora"
Previous message: tip-bot for Alexander Kuleshov: "[tip:x86/boot] x86/boot: Simplify kernel load address alignment check"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The autogenerated module signing key shouldn't be world-readable.

Signed-off-by: Luis Ressel <aranea@xxxxxxxx>
---
certs/Makefile | 2 ++
1 file changed, 2 insertions(+)

diff --git a/certs/Makefile b/certs/Makefile
index 28ac694..7f1f082 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -49,6 +49,8 @@ $(obj)/signing_key.pem: $(obj)/x509.genkey
@echo "### needs to be run as root, and uses a hardware random"
@echo "### number generator if one is available."
@echo "###"
+ touch $(obj)/signing_key.pem
+ chmod 0600 $(obj)/signing_key.pem
openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \
-batch -x509 -config $(obj)/x509.genkey \
-outform PEM -out $(obj)/signing_key.pem \
--
2.7.0

Next message: Maciej W. Rozycki: "Re: [PATCH] ld-version: fix it on Fedora"
Previous message: tip-bot for Alexander Kuleshov: "[tip:x86/boot] x86/boot: Simplify kernel load address alignment check"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]