1 files changed, 49 insertions, 0 deletions
diff --git a/kernel/Makefile b/kernel/Makefile
index 08ba8a6abd1c..58c6f111267e 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -132,3 +132,52 @@ quiet_cmd_timeconst  = TIMEC   $@
 targets += timeconst.h
 $(obj)/timeconst.h: $(src)/timeconst.pl FORCE
        $(call if_changed,timeconst)
+ifeq ($(CONFIG_MODULE_SIG),y)
+###############################################################################
+#
+# If module signing is requested, say by allyesconfig, but a key has not been
+# supplied, then one will need to be generated to make sure the build does not
+# fail and that the kernel may be used afterwards.
+#
+###############################################################################
+signing_key.priv signing_key.x509: x509.genkey
+        @echo "###"
+        @echo "### Now generating an X.509 key pair to be used for signing modules."
+        @echo "###"
+        @echo "### If this takes a long time, you might wish to run rngd in the"
+        @echo "### background to keep the supply of entropy topped up.  It"
+        @echo "### needs to be run as root, and should use a hardware random"
+        @echo "### number generator if one is available, eg:"
+        @echo "###"
+        @echo "###     rngd -r /dev/hwrandom"
+        @echo "###"
+        openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \
+                -x509 -config x509.genkey \
+                -outform DER -out signing_key.x509 \
+                -keyout signing_key.priv
+        @echo "###"
+        @echo "### Key pair generated."
+        @echo "###"
+x509.genkey:
+        @echo Generating X.509 key generation config
+        @echo  >x509.genkey "[ req ]"
+        @echo >>x509.genkey "default_bits = 4096"
+        @echo >>x509.genkey "distinguished_name = req_distinguished_name"
+        @echo >>x509.genkey "prompt = no"
+        @echo >>x509.genkey "x509_extensions = myexts"
+        @echo >>x509.genkey
+        @echo >>x509.genkey "[ req_distinguished_name ]"
+        @echo >>x509.genkey "O = Magrathea"
+        @echo >>x509.genkey "CN = Glacier signing key"
+        @echo >>x509.genkey "emailAddress = slartibartfast@magrathea.h2g2"
+        @echo >>x509.genkey
+        @echo >>x509.genkey "[ myexts ]"
+        @echo >>x509.genkey "basicConstraints=critical,CA:FALSE"
+        @echo >>x509.genkey "keyUsage=digitalSignature"
+        @echo >>x509.genkey "subjectKeyIdentifier=hash"
+        @echo >>x509.genkey "authorityKeyIdentifier=keyid"
+endif
+CLEAN_FILES += signing_key.priv signing_key.x509 x509.genkey

diff --git a/kernel/Makefile b/kernel/Makefile index 08ba8a6abd1c..58c6f111267e 100644 --- a/kernel/Makefile +++ b/kernel/Makefile
@@ -132,3 +132,52 @@ quiet_cmd_timeconst = TIMEC $@
132	targets += timeconst.h	132	targets += timeconst.h
133	$(obj)/timeconst.h: $(src)/timeconst.pl FORCE	133	$(obj)/timeconst.h: $(src)/timeconst.pl FORCE
134	$(call if_changed,timeconst)	134	$(call if_changed,timeconst)
		135
		136	ifeq ($(CONFIG_MODULE_SIG),y)
		137
		138	###############################################################################
		139	#
		140	# If module signing is requested, say by allyesconfig, but a key has not been
		141	# supplied, then one will need to be generated to make sure the build does not
		142	# fail and that the kernel may be used afterwards.
		143	#
		144	###############################################################################
		145	signing_key.priv signing_key.x509: x509.genkey
		146	@echo "###"
		147	@echo "### Now generating an X.509 key pair to be used for signing modules."
		148	@echo "###"
		149	@echo "### If this takes a long time, you might wish to run rngd in the"
		150	@echo "### background to keep the supply of entropy topped up. It"
		151	@echo "### needs to be run as root, and should use a hardware random"
		152	@echo "### number generator if one is available, eg:"
		153	@echo "###"
		154	@echo "### rngd -r /dev/hwrandom"
		155	@echo "###"
		156	openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \
		157	-x509 -config x509.genkey \
		158	-outform DER -out signing_key.x509 \
		159	-keyout signing_key.priv
		160	@echo "###"
		161	@echo "### Key pair generated."
		162	@echo "###"
		163
		164	x509.genkey:
		165	@echo Generating X.509 key generation config
		166	@echo >x509.genkey "[ req ]"
		167	@echo >>x509.genkey "default_bits = 4096"
		168	@echo >>x509.genkey "distinguished_name = req_distinguished_name"
		169	@echo >>x509.genkey "prompt = no"
		170	@echo >>x509.genkey "x509_extensions = myexts"
		171	@echo >>x509.genkey
		172	@echo >>x509.genkey "[ req_distinguished_name ]"
		173	@echo >>x509.genkey "O = Magrathea"
		174	@echo >>x509.genkey "CN = Glacier signing key"
		175	@echo >>x509.genkey "emailAddress = slartibartfast@magrathea.h2g2"
		176	@echo >>x509.genkey
		177	@echo >>x509.genkey "[ myexts ]"
		178	@echo >>x509.genkey "basicConstraints=critical,CA:FALSE"
		179	@echo >>x509.genkey "keyUsage=digitalSignature"
		180	@echo >>x509.genkey "subjectKeyIdentifier=hash"
		181	@echo >>x509.genkey "authorityKeyIdentifier=keyid"
		182	endif
		183	CLEAN_FILES += signing_key.priv signing_key.x509 x509.genkey