linux-integrity.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Stefan Berger <stefanb@linux.ibm.com>
To: jeyu@kernel.org, keyrings@vger.kernel.org, dhowells@redhat.com,
	dwmw2@infradead.org, zohar@linux.ibm.com, jarkko@kernel.org
Cc: nayna@linux.ibm.com, linux-integrity@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	Stefan Berger <stefanb@linux.ibm.com>
Subject: [PATCH v5 1/2] certs: Trigger creation of RSA module signing key if it's not an RSA key
Date: Wed,  2 Jun 2021 10:35:36 -0400	[thread overview]
Message-ID: <20210602143537.545132-2-stefanb@linux.ibm.com> (raw)
In-Reply-To: <20210602143537.545132-1-stefanb@linux.ibm.com>

Address a kbuild issue where a developer created an ECDSA key for signing
kernel modules and then builds an older version of the kernel, when bi-
secting the kernel for example, that does not support ECDSA keys.

If openssl is installed, trigger the creation of an RSA module signing
key if it is not an RSA key.

Fixes: cfc411e7fff3 ("Move certificate handling to its own directory")
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Cc: David Howells <dhowells@redhat.com>
Cc: David Woodhouse <dwmw2@infradead.org>
---
 certs/Makefile | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/certs/Makefile b/certs/Makefile
index 359239a0ee9e..72758684d254 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -57,11 +57,19 @@ endif
 redirect_openssl	= 2>&1
 quiet_redirect_openssl	= 2>&1
 silent_redirect_openssl = 2>/dev/null
+openssl_available       = $(shell openssl help 2>/dev/null && echo yes)
 
 # We do it this way rather than having a boolean option for enabling an
 # external private key, because 'make randconfig' might enable such a
 # boolean option and we unfortunately can't make it depend on !RANDCONFIG.
 ifeq ($(CONFIG_MODULE_SIG_KEY),"certs/signing_key.pem")
+
+ifeq ($(openssl_available),yes)
+X509TEXT=$(shell openssl x509 -in $(CONFIG_MODULE_SIG_KEY) -text)
+
+$(if $(findstring rsaEncryption,$(X509TEXT)),,$(shell rm -f $(CONFIG_MODULE_SIG_KEY)))
+endif
+
 $(obj)/signing_key.pem: $(obj)/x509.genkey
 	@$(kecho) "###"
 	@$(kecho) "### Now generating an X.509 key pair to be used for signing modules."
-- 
2.29.2


  reply	other threads:[~2021-06-02 14:36 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-06-02 14:35 [PATCH v5 0/2] Add support for ECDSA-signed kernel modules Stefan Berger
2021-06-02 14:35 ` Stefan Berger [this message]
2021-06-02 14:35 ` [PATCH v5 2/2] certs: Add support for using elliptic curve keys for signing modules Stefan Berger
2021-06-03  6:47 ` [PATCH v5 0/2] Add support for ECDSA-signed kernel modules Jarkko Sakkinen
2021-06-03 12:32   ` Stefan Berger
2021-06-09 12:44     ` Jarkko Sakkinen
2021-06-09 13:58       ` Stefan Berger
2021-06-10  9:03         ` Jarkko Sakkinen
2021-06-10 11:50           ` Stefan Berger
  -- strict thread matches above, loose matches on Subject: below --
2021-06-01 10:52 Stefan Berger
2021-06-01 10:52 ` [PATCH v5 1/2] certs: Trigger creation of RSA module signing key if it's not an RSA key Stefan Berger
2021-06-01 17:58   ` Jarkko Sakkinen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210602143537.545132-2-stefanb@linux.ibm.com \
    --to=stefanb@linux.ibm.com \
    --cc=dhowells@redhat.com \
    --cc=dwmw2@infradead.org \
    --cc=jarkko@kernel.org \
    --cc=jeyu@kernel.org \
    --cc=keyrings@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=nayna@linux.ibm.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).