Linux-Security-Module Archive on
 help / color / Atom feed
From: Stefan Berger <>
	Stefan Berger <>
Subject: [PATCH 1/2] certs: Trigger recreation of module signing key if it's not an RSA key
Date: Tue,  6 Apr 2021 14:53:39 -0400
Message-ID: <> (raw)
In-Reply-To: <>

Make sure that the kernel module signing key is an RSA key and
remove it otherwise so that it gets recreated.

Prevent module loading failures if a developer chose an ECDSA key for
module signing with a 5.12 kernel and then falls back to compiling an
older kernel. However, this will also only work if falling back to
kernels that have actually been patched with this kernel, such as the
stable trees.

Fixes: cfc411e7fff3 ("Move certificate handling to its own directory")
Signed-off-by: Stefan Berger <>
 certs/Makefile | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/certs/Makefile b/certs/Makefile
index e3185c57fbd8..f64bc89ccbf1 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -59,6 +59,11 @@ silent_redirect_openssl = 2>/dev/null
 # external private key, because 'make randconfig' might enable such a
 # boolean option and we unfortunately can't make it depend on !RANDCONFIG.
 ifeq ($(CONFIG_MODULE_SIG_KEY),"certs/signing_key.pem")
+X509TEXT=$(shell openssl x509 -in $(CONFIG_MODULE_SIG_KEY) -text)
+$(if $(findstring rsaEncryption,$(X509TEXT)),,$(shell rm -f $(CONFIG_MODULE_SIG_KEY)))
 $(obj)/signing_key.pem: $(obj)/x509.genkey
 	@$(kecho) "###"
 	@$(kecho) "### Now generating an X.509 key pair to be used for signing modules."

  reply index

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-04-06 18:53 [PATCH 0/2] Add support for ECDSA-signed kernel modules Stefan Berger
2021-04-06 18:53 ` Stefan Berger [this message]
2021-04-06 18:53 ` [PATCH 2/2] certs: Add support for using elliptic curve keys for signing modules Stefan Berger
2021-04-07 15:53 ` [PATCH 0/2] Add support for ECDSA-signed kernel modules Jarkko Sakkinen
2021-04-07 16:10   ` Mimi Zohar
2021-04-07 17:53     ` Stefan Berger
2021-04-07 20:15       ` Jarkko Sakkinen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \ \ \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-Security-Module Archive on

Archives are clonable:
	git clone --mirror linux-security-module/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-security-module linux-security-module/ \
	public-inbox-index linux-security-module

Example config snippet for mirrors

Newsgroup available over NNTP:

AGPL code for this site: git clone