modsign: Use single PEM file for autogenerated key
The current rule for generating signing_key.priv and signing_key.x509 is
a classic example of a bad rule which has a tendency to break parallel
make. When invoked to create *either* target, it generates the other
target as a side-effect that make didn't predict.
So let's switch to using a single file signing_key.pem which contains
both key and certificate. That matches what we do in the case of an
external key specified by CONFIG_MODULE_SIG_KEY anyway, so it's also
slightly cleaner.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: David Howells <dhowells@redhat.com>
diff --git a/.gitignore b/.gitignore
index 4ad4a98..17fa24d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -97,6 +97,7 @@
# Leavings from module signing
#
extra_certificates
+signing_key.pem
signing_key.priv
signing_key.x509
x509.genkey
diff --git a/Documentation/module-signing.txt b/Documentation/module-signing.txt
index 6930019..5d5e4e3 100644
--- a/Documentation/module-signing.txt
+++ b/Documentation/module-signing.txt
@@ -91,7 +91,7 @@
(4) "File name or PKCS#11 URI of module signing key" (CONFIG_MODULE_SIG_KEY)
Setting this option to something other than its default of
- "signing_key.priv" will disable the autogeneration of signing keys and
+ "signing_key.pem" will disable the autogeneration of signing keys and
allow the kernel modules to be signed with a key of your choosing.
The string provided should identify a file containing both a private
key and its corresponding X.509 certificate in PEM form, or — on
@@ -116,11 +116,10 @@
loaded.
Under normal conditions, when CONFIG_MODULE_SIG_KEY is unchanged from its
-default of "signing_key.priv", the kernel build will automatically generate
-a new keypair using openssl if one does not exist in the files:
+default, the kernel build will automatically generate a new keypair using
+openssl if one does not exist in the file:
- signing_key.priv
- signing_key.x509
+ signing_key.pem
during the building of vmlinux (the public part of the key needs to be built
into vmlinux) using parameters in the:
diff --git a/Makefile b/Makefile
index 531dd16..6ab99d8 100644
--- a/Makefile
+++ b/Makefile
@@ -1173,8 +1173,8 @@
arch/*/include/generated .tmp_objdiff
MRPROPER_FILES += .config .config.old .version .old_version \
Module.symvers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS \
- signing_key.priv signing_key.x509 x509.genkey \
- extra_certificates signing_key.x509.keyid \
+ signing_key.pem signing_key.priv signing_key.x509 \
+ x509.genkey extra_certificates signing_key.x509.keyid \
signing_key.x509.signer vmlinux-gdb.py
# clean - Delete most, but leave enough to build external modules
diff --git a/init/Kconfig b/init/Kconfig
index e2e0a1d2..2b11985 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1950,7 +1950,7 @@
config MODULE_SIG_KEY
string "File name or PKCS#11 URI of module signing key"
- default "signing_key.priv"
+ default "signing_key.pem"
depends on MODULE_SIG
help
Provide the file name of a private key/certificate in PEM format,
@@ -1958,7 +1958,7 @@
the URI should identify, both the certificate and its corresponding
private key.
- If this option is unchanged from its default "signing_key.priv",
+ If this option is unchanged from its default "signing_key.pem",
then the kernel will automatically generate the private key and
certificate as described in Documentation/module-signing.txt
diff --git a/kernel/Makefile b/kernel/Makefile
index fa2f8b8..7453283 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -173,8 +173,8 @@
# We do it this way rather than having a boolean option for enabling an
# external private key, because 'make randconfig' might enable such a
# boolean option and we unfortunately can't make it depend on !RANDCONFIG.
-ifeq ($(CONFIG_MODULE_SIG_KEY),"signing_key.priv")
-signing_key.priv signing_key.x509: x509.genkey
+ifeq ($(CONFIG_MODULE_SIG_KEY),"signing_key.pem")
+signing_key.pem: x509.genkey
@echo "###"
@echo "### Now generating an X.509 key pair to be used for signing modules."
@echo "###"
@@ -185,8 +185,8 @@
@echo "###"
openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \
-batch -x509 -config x509.genkey \
- -outform DER -out signing_key.x509 \
- -keyout signing_key.priv 2>&1
+ -outform PEM -out signing_key.pem \
+ -keyout signing_key.pem 2>&1
@echo "###"
@echo "### Key pair generated."
@echo "###"
@@ -210,9 +210,9 @@
@echo >>x509.genkey "keyUsage=digitalSignature"
@echo >>x509.genkey "subjectKeyIdentifier=hash"
@echo >>x509.genkey "authorityKeyIdentifier=keyid"
-else
-# For external (PKCS#11 or PEM) key, we need to obtain the certificate from
-# CONFIG_MODULE_SIG_KEY automatically.
+endif
+
+# We need to obtain the certificate from CONFIG_MODULE_SIG_KEY.
quiet_cmd_extract_der = CERT_DER $(2)
cmd_extract_der = scripts/extract-cert "$(2)" signing_key.x509
@@ -249,4 +249,3 @@
signing_key.x509: scripts/extract-cert include/config/module/sig/key.h $(X509_DEP)
$(call cmd,extract_der,$(X509_SOURCE))
endif
-endif