authorDavid Howells <dhowells@redhat.com>2012-09-26 05:09:51 -0400
committerRusty Russell <rusty@rustcorp.com.au>2012-10-10 05:31:21 -0400
commitd441108c6f77541bb66fcd5b3389415b4c232008 (patch)
treeeda7f0ed11d134b992bcb085a4543d63f38def4b /kernel
parentea0b6dcf71d216dc11733ac19b26df0f5d0fd6c2 (diff)
MODSIGN: Automatically generate module signing keys if missing
Automatically generate keys for module signing if they're absent so that allyesconfig doesn't break. The builder should consider generating their own key and certificate, however, so that the keys are appropriately named. The private key for the module signer should be placed in signing_key.priv (unencrypted!) and the public key in an X.509 certificate as signing_key.x509. If a transient key is desired for signing the modules, a config file for 'openssl req' can be placed in x509.genkey, looking something like the following: [ req ] default_bits = 4096 distinguished_name = req_distinguished_name prompt = no x509_extensions = myexts [ req_distinguished_name ] O = Magarathea CN = Glacier signing key emailAddress = slartibartfast@magrathea.h2g2 [ myexts ] basicConstraints=critical,CA:FALSE keyUsage=digitalSignature subjectKeyIdentifier=hash authorityKeyIdentifier=hash The build process will use this to configure: openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \ -x509 -config x509.genkey \ -outform DER -out signing_key.x509 \ -keyout signing_key.priv to generate the key. Note that it is required that the X.509 certificate have a subjectKeyIdentifier and an authorityKeyIdentifier. Without those, the certificate will be rejected. These can be used to check the validity of a certificate. Note that 'make distclean' will remove signing_key.{priv,x509} and x509.genkey, whether or not they were generated automatically. Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Diffstat (limited to 'kernel')
-rw-r--r--kernel/Makefile49
1 files changed, 49 insertions, 0 deletions
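--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -132,3 +132,52 @@ quiet_cmd_timeconst = TIMEC $@
 targets += timeconst.h
 $(obj)/timeconst.h: $(src)/timeconst.pl FORCE
  $(call if_changed,timeconst)
+
+ifeq ($(CONFIG_MODULE_SIG),y)
+
+###############################################################################
+#
+# If module signing is requested, say by allyesconfig, but a key has not been
+# supplied, then one will need to be generated to make sure the build does not
+# fail and that the kernel may be used afterwards.
+#
+###############################################################################
+signing_key.priv signing_key.x509: x509.genkey
+ @echo "###"
+ @echo "### Now generating an X.509 key pair to be used for signing modules."
+ @echo "###"
+ @echo "### If this takes a long time, you might wish to run rngd in the"
+ @echo "### background to keep the supply of entropy topped up. It"
+ @echo "### needs to be run as root, and should use a hardware random"
+ @echo "### number generator if one is available, eg:"
+ @echo "###"
+ @echo "### rngd -r /dev/hwrandom"
+ @echo "###"
+ openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \
+ -x509 -config x509.genkey \
+ -outform DER -out signing_key.x509 \
+ -keyout signing_key.priv
+ @echo "###"
+ @echo "### Key pair generated."
+ @echo "###"
+
+x509.genkey:
+ @echo Generating X.509 key generation config
+ @echo >x509.genkey "[ req ]"
+ @echo >>x509.genkey "default_bits = 4096"
+ @echo >>x509.genkey "distinguished_name = req_distinguished_name"
+ @echo >>x509.genkey "prompt = no"
+ @echo >>x509.genkey "x509_extensions = myexts"
+ @echo >>x509.genkey
+ @echo >>x509.genkey "[ req_distinguished_name ]"
+ @echo >>x509.genkey "O = Magrathea"
+ @echo >>x509.genkey "CN = Glacier signing key"
+ @echo >>x509.genkey "emailAddress = slartibartfast@magrathea.h2g2"
+ @echo >>x509.genkey
+ @echo >>x509.genkey "[ myexts ]"
+ @echo >>x509.genkey "basicConstraints=critical,CA:FALSE"
+ @echo >>x509.genkey "keyUsage=digitalSignature"
+ @echo >>x509.genkey "subjectKeyIdentifier=hash"
+ @echo >>x509.genkey "authorityKeyIdentifier=keyid"
+endif
+CLEAN_FILES += signing_key.priv signing_key.x509 x509.genkey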
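Review bot: The rule header `signing_key.priv signing_key.x509: x509.genkey` names two targets, which GNU make treats as two independent rules sharing one recipe, so a parallel build that needs both files can run `openssl req` twice. If that happens, the certificate left on disk may not match the private key left on disk, and modules signed with that key would presumably fail verification against the embedded certificate; the consumers of these files are outside this hunk, so confirm how they are requested. One way to serialise it is to hang the recipe on the key alone, `signing_key.priv: x509.genkey`, and add `signing_key.x509: signing_key.priv ;`, accepting that a certificate deleted on its own is then not regenerated. Separately, the key is written unencrypted (`-nodes`) into the build tree with whatever mode the builder's umask allows, as far as the recipe shows, so a `umask 077` in front of the openssl call and a comment warning that the auto-generated key must not be shipped or shared would be worth adding.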