On May 26, 2015 7:15:38 PM GMT+03:00, David Howells <dhowe...@redhat.com> wrote: >Hi Michal, > >Could you have a look at the patch at the end of my branch: > > > http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=modsign-pkcs7 > >It changes things from picking up arbitrary *.x509 files dropped in the >kernel >source and/or build directory to taking a single named PEM file with >all the >additional certs as a string config option. The PEM file can contain >multiple >certs simply cat'd together. > >If you're okay with that, it obsoletes these patches of yours. > >I've attached it here for convenience also. > >David >--- >commit 9c71c950793b1b8c23c6d945b31f6545f82adced >Author: David Woodhouse <david.woodho...@intel.com> >Date: Thu May 21 12:23:55 2015 +0100 > > modsign: Add explicit CONFIG_SYSTEM_TRUSTED_KEYS option > >Let the user explicitly provide a file containing trusted keys, instead >of > just automatically finding files matching *.x509 in the build tree and > trusting whatever we find. This really ought to be an *explicit* > configuration, and the build rules for dealing with the files were > fairly painful too. > > Signed-off-by: David Woodhouse <david.woodho...@intel.com> > Signed-off-by: David Howells <dhowe...@redhat.com> > >diff --git a/Documentation/module-signing.txt >b/Documentation/module-signing.txt >index 5d5e4e32dc26..4e62bc29666e 100644 >--- a/Documentation/module-signing.txt >+++ b/Documentation/module-signing.txt >@@ -88,6 +88,7 @@ This has a number of options available: >than being a module) so that modules signed with that algorithm can >have > their signatures checked without causing a dependency loop. > >+ >(4) "File name or PKCS#11 URI of module signing key" >(CONFIG_MODULE_SIG_KEY) > > Setting this option to something other than its default of 
>@@ -104,6 +105,13 @@ This has a number of options available: > means of the KBUILD_SIGN_PIN variable. > > >+ (5) "Additional X.509 keys for default system keyring" >(CONFIG_SYSTEM_TRUSTED_KEYS) >+ >+ This option can be set to the filename of a PEM-encoded file >containing >+ additional certificates which will be included in the system >keyring by >+ default. >+ >+ > ======================= > GENERATING SIGNING KEYS > ======================= >@@ -171,10 +179,9 @@ in a keyring called ".system_keyring" that can be >seen by: > 302d2d52 I------ 1 perm 1f010000 0 0 asymmetri Fedora >kernel signing key: d69a84e6bce3d216b979e9505b3e3ef9a7118079: X509.RSA >a7118079 [] > ... > >-Beyond the public key generated specifically for module signing, any >file >-placed in the kernel source root directory or the kernel build root >directory >-whose name is suffixed with ".x509" will be assumed to be an X.509 >public key >-and will be added to the keyring. >+Beyond the public key generated specifically for module signing,
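Review bot: the only change in the first Documentation hunk (@@ -88,6 +88,7 @@) is one added blank line before the "(4)" entry. If the intent is to separate the numbered entries consistently, that is fine, but otherwise drop it so the documentation diff carries nothing but the new option.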
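Review bot: the new item (5) for CONFIG_SYSTEM_TRUSTED_KEYS should tell the user what they need to build the file, and currently does not: that the PEM file may hold several certificates simply concatenated (the cover letter says so, the documentation text does not), where a relative path is resolved from, and what happens when the option is left empty. Since this entry sits directly after the signing-key option (4), it is also worth saying explicitly that the file is to contain certificates only, never the private signing key. The hunk further adds two trailing blank lines before the "GENERATING SIGNING KEYS" banner; one is enough.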
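Review bot: in the last hunk (@@ -171,10 +179,9 @@) the replacement paragraph is cut off in the quoted mail after "Beyond the public key generated specifically for module signing,", so the new wording cannot be checked here. Whatever it says, it should state plainly that *.x509 files in the source root or build root are no longer picked up, because that is exactly the behaviour this patch removes: a user with such files left over from an older tree would otherwise assume they are still trusted, and the migration is to concatenate them into the file named by CONFIG_SYSTEM_TRUSTED_KEYS. The "public key" wording of the removed lines is the right one to keep, since the paragraph describes what ends up in .system_keyring (the listing just above shows X509 keys), and no private key should ever be added there.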
I think this should be "private", not "public" key. The modules are signed with the private key...

Petko
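The cover letter quoted above describes CONFIG_SYSTEM_TRUSTED_KEYS as one PEM file with all the extra certificates cat'd together. As an added example, not code from this thread, from the patch, or from the kernel tree, the POSIX shell function below checks such a bundle before the config option is pointed at it: every block must be a properly terminated CERTIFICATE block, and anything else (a private key swept up by "cat *.pem", say) is rejected. The function name check_pem_bundle, the sample generators and the placeholder certificate bodies are all constructed for this example.

```shell
#!/bin/sh
# Added example (not kernel code): structural check of the PEM bundle that
# CONFIG_SYSTEM_TRUSTED_KEYS names. The keyring takes certificates, i.e.
# public keys, so the check refuses any block that is not a CERTIFICATE.

# check_pem_bundle [FILE]: read a PEM bundle from FILE (or stdin), print the
# number of certificate blocks, and exit non-zero if any block is
# unterminated, nested, or is not a certificate (e.g. a PRIVATE KEY block).
check_pem_bundle() {
    awk '
        function fail(msg) {
            print "check_pem_bundle: " msg > "/dev/stderr"
            bad = 1
            exit 1
        }
        /^-----BEGIN / {
            if (open) fail("nested BEGIN at line " NR)
            if ($0 != "-----BEGIN CERTIFICATE-----")
                fail("non-certificate block at line " NR ": " $0)
            open = 1; next
        }
        /^-----END / {
            if (!open || $0 != "-----END CERTIFICATE-----")
                fail("unexpected END at line " NR ": " $0)
            open = 0; n++; next
        }
        END {
            if (bad) exit 1
            if (open) fail("unterminated block at end of input")
            if (n == 0) fail("no certificates found")
            print n
        }
    ' "$@"
}

# Constructed sample bundles. The base64 bodies are placeholders, not real
# certificates; the check is structural and does not decode them.
sample_good() {
    printf '%s\n' \
        '-----BEGIN CERTIFICATE-----' 'MIIB...placeholder...' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'MIIC...placeholder...' '-----END CERTIFICATE-----'
}

# The same bundle built carelessly with "cat *.pem", which also swept up a
# private key that must never be added to the system keyring.
sample_bad() {
    sample_good
    printf '%s\n' \
        '-----BEGIN RSA PRIVATE KEY-----' 'MIIE...placeholder...' '-----END RSA PRIVATE KEY-----'
}

# Usage on a real tree (paths are placeholders):
#   cat cert1.pem cert2.pem > extra-certs.pem && check_pem_bundle extra-certs.pem
if n=$(sample_good | check_pem_bundle); then
    echo "good bundle: $n certificate(s)"
fi
if sample_bad | check_pem_bundle >/dev/null 2>&1; then
    echo "bad bundle unexpectedly accepted"
else
    echo "bad bundle rejected"
fi
```

The function exits non-zero rather than merely warning so that it can gate a build step: if the bundle is wrong, the config option should not be set to it at all, which is the same explicit-over-implicit reasoning the patch gives for dropping the *.x509 auto-discovery.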