aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2012-09-28 06:16:57 -0400
committerRusty Russell <rusty@rustcorp.com.au>2012-10-10 05:36:34 -0400
commit5e8cb1e441dd74723898cd28fe64af5651023af0 (patch)
tree75d771910d536f9a10cf1eab682d1655ec4adcd3
parent80d65e58e93ffdabf58202653a0435bd3cf2d82e (diff)
MODSIGN: Use the same digest for the autogen key sig as for the module sig
Use the same digest type for the autogenerated key signature as for the module signature so that the hash algorithm is guaranteed to be present in the kernel. Without this, the X.509 certificate loader may reject the X.509 certificate so generated because it was self-signed and the signature will be checked against itself - but this won't work if the digest algorithm must be loaded as a module. The symptom is that the key fails to load with the following message emitted into the kernel log: MODSIGN: Problem loading in-kernel X.509 certificate (-65) the error in brackets being -ENOPKG. What you should see is something like: MODSIGN: Loaded cert 'Magarathea: Glacier signing key: 9588321144239a119d3406d4c4cf1fbae1836fa0' Note that this doesn't apply to certificates that are not self-signed as we don't check those currently as they require the parent CA certificate to be available. Reported-by: Rusty Russell <rusty@rustcorp.com.au> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
-rw-r--r--kernel/Makefile22
1 files changed, 21 insertions, 1 deletions
diff --git a/kernel/Makefile b/kernel/Makefile
index 111a845460c9..a799029320d1 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -149,6 +149,26 @@ kernel/modsign_pubkey.o: signing_key.x509 extra_certificates
149# fail and that the kernel may be used afterwards. 149# fail and that the kernel may be used afterwards.
150# 150#
151############################################################################### 151###############################################################################
152sign_key_with_hash :=
153ifeq ($(CONFIG_MODULE_SIG_SHA1),y)
154sign_key_with_hash := -sha1
155endif
156ifeq ($(CONFIG_MODULE_SIG_SHA224),y)
157sign_key_with_hash := -sha224
158endif
159ifeq ($(CONFIG_MODULE_SIG_SHA256),y)
160sign_key_with_hash := -sha256
161endif
162ifeq ($(CONFIG_MODULE_SIG_SHA384),y)
163sign_key_with_hash := -sha384
164endif
165ifeq ($(CONFIG_MODULE_SIG_SHA512),y)
166sign_key_with_hash := -sha512
167endif
168ifeq ($(sign_key_with_hash),)
169$(error Could not determine digest type to use from kernel config)
170endif
171
152signing_key.priv signing_key.x509: x509.genkey 172signing_key.priv signing_key.x509: x509.genkey
153 @echo "###" 173 @echo "###"
154 @echo "### Now generating an X.509 key pair to be used for signing modules." 174 @echo "### Now generating an X.509 key pair to be used for signing modules."
@@ -160,7 +180,7 @@ signing_key.priv signing_key.x509: x509.genkey
160 @echo "###" 180 @echo "###"
161 @echo "### rngd -r /dev/hwrandom" 181 @echo "### rngd -r /dev/hwrandom"
162 @echo "###" 182 @echo "###"
163 openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \ 183 openssl req -new -nodes -utf8 $(sign_key_with_hash) -days 36500 -batch \
164 -x509 -config x509.genkey \ 184 -x509 -config x509.genkey \
165 -outform DER -out signing_key.x509 \ 185 -outform DER -out signing_key.x509 \
166 -keyout signing_key.priv 186 -keyout signing_key.priv