Am 07.02.2013 07:42, schrieb Geert Uytterhoeven: > On Thu, Feb 7, 2013 at 2:06 AM, Alexander Holler <hol...@ahsoftware.de> wrote: >> Am 07.02.2013 00:42, schrieb Alexander Holler: >>> I wanted to try out MODSIGN with kernel 3.7.6 and I've just got hit by: >>> >>> [ 1.346445] X.509: Cert 6a23533cec71c4c52a1618fb4d830e06aa90474e is >>> not yet valid >>> >>> The reason is likely that the (ARM) device in question doesn't have a >>> RTC (oh, that topic again ;) ) and gets it's time on boot through NTP. >>> >>> The used certificate was generated automatically. Having a look at it, >>> the following is shown: >>> >>> Validity >>> Not Before: Feb 6 02:56:46 2013 GMT >>> Not After : Jan 13 02:56:46 2113 GMT >>> >>> Without having thought about possible security problems, my first idea >>> would be to let the validity start at 1970. As I never did such I never >>> had thought about possible implications when doing such (e.g. I don't >>> know if someone checks the start date for plausabilitiy) >>> >>> Another solution would be to retry loading of the certificate if the >>> time gets set (and e.g. differs more than a year). >>> >>> Has someone already thought about how to solve that problem? Or did >>> everyone use sane systems which have a (working) RTC? >> >> >> Another option would be to make a configure option to just ignore the date. > > Or an option to auto-advance the clock to the "Not Before" date if needed... > >> I'm not sure if I would like to use MODSIGN when I have to fear that the >> machine wouldn't start when the RTC fails or got set to a wrong date. > > Hmm, nice failure mode...
And the dream of every vendor, finally a working expiration date. And a nice TV-B-Gone, just feed a wrong date once. ;) Regards, Alexader -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
