[PATCH] Restrict read access to private module signing key
From: Luis Ressel
Date: Sat Jan 30 2016 - 08:28:53 EST
The autogenerated module signing key shouldn't be world-readable.
Signed-off-by: Luis Ressel <aranea@xxxxxxxx>
---
certs/Makefile | 2 ++
1 file changed, 2 insertions(+)
diff --git a/certs/Makefile b/certs/Makefile
index 28ac694..7f1f082 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -49,6 +49,8 @@ $(obj)/signing_key.pem: $(obj)/x509.genkey
@echo "### needs to be run as root, and uses a hardware random"
@echo "### number generator if one is available."
@echo "###"
+ touch $(obj)/signing_key.pem
+ chmod 0600 $(obj)/signing_key.pem
openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \
-batch -x509 -config $(obj)/x509.genkey \
-outform PEM -out $(obj)/signing_key.pem \
--
2.7.0