Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / cfc411e7fff3e15cd6354ff69773907e2c9d1c0c^! / . / Documentation / module-signing.txt
commitcfc411e7fff3e15cd6354ff69773907e2c9d1c0c[log] [tgz]
authorDavid Howells <dhowells@redhat.com>Fri Aug 14 15:20:41 2015 +0100
committerDavid Woodhouse <David.Woodhouse@intel.com>Fri Aug 14 16:06:13 2015 +0100
treec67e679c1c2bbe4a657ce58d60e995c63535952b
parent0e38c35815f50e5a347977d76fb5eb4c3bf020b5 [diff] [blame]
Move certificate handling to its own directory

Move certificate handling out of the kernel/ directory and into a certs/
directory to get all the weird stuff in one place and move the generated
signing keys into this directory.

Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: David Woodhouse <David.Woodhouse@intel.com>

diff --git a/Documentation/module-signing.txt b/Documentation/module-signing.txt
index 02a9baf..a78bf1f 100644
--- a/Documentation/module-signing.txt
+++ b/Documentation/module-signing.txt

@@ -92,13 +92,13 @@
  (4) "File name or PKCS#11 URI of module signing key" (CONFIG_MODULE_SIG_KEY)
 
      Setting this option to something other than its default of
-     "signing_key.pem" will disable the autogeneration of signing keys and
-     allow the kernel modules to be signed with a key of your choosing.
-     The string provided should identify a file containing both a private
-     key and its corresponding X.509 certificate in PEM form, or — on
-     systems where the OpenSSL ENGINE_pkcs11 is functional — a PKCS#11 URI
-     as defined by RFC7512. In the latter case, the PKCS#11 URI should
-     reference both a certificate and a private key.
+     "certs/signing_key.pem" will disable the autogeneration of signing keys
+     and allow the kernel modules to be signed with a key of your choosing.
+     The string provided should identify a file containing both a private key
+     and its corresponding X.509 certificate in PEM form, or — on systems where
+     the OpenSSL ENGINE_pkcs11 is functional — a PKCS#11 URI as defined by
+     RFC7512. In the latter case, the PKCS#11 URI should reference both a
+     certificate and a private key.
 
      If the PEM file containing the private key is encrypted, or if the
      PKCS#11 token requries a PIN, this can be provided at build time by
@@ -130,12 +130,12 @@
 default, the kernel build will automatically generate a new keypair using
 openssl if one does not exist in the file:
 
-	signing_key.pem
+	certs/signing_key.pem
 
 during the building of vmlinux (the public part of the key needs to be built
 into vmlinux) using parameters in the:
 
-	x509.genkey
+	certs/x509.genkey
 
 file (which is also generated if it does not already exist).