author | Michal Marek <mmarek@suse.cz> | 2013-01-24 22:11:31 -0500 |
---|---|---|
committer | Rusty Russell <rusty@rustcorp.com.au> | 2013-01-25 01:25:37 -0500 |
commit | d9d8d7ed498ec65bea72dd24be7b9cd35af0c200 (patch) | |
tree | d2d9721c2e64a941f22a7c4a4611a53155d9ec36 | |
parent | 1c37c054a7493e0537ea3d15a59dac3a0aa63a05 (diff) |
MODSIGN: Add option to not sign modules during modules_install
To allow the builder to sign only a subset of modules, or to sign the
modules using a key that is not available on the build machine, add
CONFIG_MODULE_SIG_ALL. If this option is unset, no modules will be
signed during build. The default is 'y', to preserve the current
behavior.
Signed-off-by: Michal Marek <mmarek@suse.cz>
Acked-by: David Howells <dhowells@redhat.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
-rw-r--r-- | Makefile | 2 | ||||
-rw-r--r-- | init/Kconfig | 11 |
2 files changed, 12 insertions, 1 deletions
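--- a/Makefile
+++ b/Makefile
@@ -719,7 +719,7 @@ endif # INSTALL_MOD_STRIP
 export mod_strip_cmd
 
 
-ifeq ($(CONFIG_MODULE_SIG),y)
+ifdef CONFIG_MODULE_SIG_ALL
 MODSECKEY = ./signing_key.priv
 MODPUBKEY = ./signing_key.x509
 export MODPUBKEY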
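Review bot: The new `ifdef CONFIG_MODULE_SIG_ALL` guard carries no comment saying that, with the option unset, modules_install now installs modules unsigned even though CONFIG_MODULE_SIG is enabled. I would add above it `# Sign at modules_install only when CONFIG_MODULE_SIG_ALL is set; otherwise modules are installed unsigned and must be signed with scripts/sign-file.` The guarded block still names `./signing_key.priv`, and this hunk does not show whether the build still expects or generates that key when MODULE_SIG_ALL is off. For the commit's stated use case (a key not available on the build machine) that is worth confirming, because a leftover private key whose certificate the kernel trusts would weaken the scheme. The rest of the conditional lies outside the hunk.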
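--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1665,6 +1665,17 @@ config MODULE_SIG_FORCE
 Reject unsigned modules or signed modules for which we don't have a
 key. Without this, such modules will simply taint the kernel.
 
+config MODULE_SIG_ALL
+bool "Automatically sign all modules"
+default y
+depends on MODULE_SIG
+help
+Sign all modules during make modules_install. Without this option,
+modules must be signed manually, using the scripts/sign-file tool.
+
+comment "Do not forget to sign required modules with scripts/sign-file"
+depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL
+
 choice
 prompt "Which hash algorithm should modules be signed with?"
 depends on MODULE_SIG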
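Review bot: The help text for MODULE_SIG_ALL does not say what happens to a module that is left unsigned, and the reminder `comment` entry is shown only when MODULE_SIG_FORCE is also set. Going by the MODULE_SIG_FORCE help just above, an unsigned module is rejected with FORCE and otherwise loads and taints the kernel, so I would extend the help with `Modules left unsigned are rejected at load time if MODULE_SIG_FORCE is set, and otherwise taint the kernel.` It may also be worth stating that manual signing has to use a key whose certificate the kernel was built to trust; that requirement is inferred rather than shown in this hunk.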