diff mbox series

[v8,1/2] certs: Trigger creation of RSA module signing key if it's not an RSA key

Message ID 20210629213421.60320-2-stefanb@linux.vnet.ibm.com (mailing list archive)
State New, archived
Headers show
Series Add support for ECDSA-signed kernel modules | expand

Commit Message

Stefan Berger June 29, 2021, 9:34 p.m. UTC
From: Stefan Berger <stefanb@linux.ibm.com>

Address a kbuild issue where a developer created an ECDSA key for signing
kernel modules and then builds an older version of the kernel, when bi-
secting the kernel for example, that does not support ECDSA keys.

If openssl is installed, trigger the creation of an RSA module signing
key if it is not an RSA key.

Fixes: cfc411e7fff3 ("Move certificate handling to its own directory")
Cc: David Howells <dhowells@redhat.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 certs/Makefile | 8 ++++++++
 1 file changed, 8 insertions(+)

Comments

Linus Torvalds June 30, 2021, 7:17 p.m. UTC | #1
On Tue, Jun 29, 2021 at 2:34 PM Stefan Berger
<stefanb@linux.vnet.ibm.com> wrote:
>
> Address a kbuild issue where a developer created an ECDSA key for signing
> kernel modules and then builds an older version of the kernel, when bi-
> secting the kernel for example, that does not support ECDSA keys.

Thanks, these two don't confuse me any more.

                Linus
Jarkko Sakkinen July 2, 2021, 6:49 a.m. UTC | #2
On Wed, Jun 30, 2021 at 12:17:38PM -0700, Linus Torvalds wrote:
> On Tue, Jun 29, 2021 at 2:34 PM Stefan Berger
> <stefanb@linux.vnet.ibm.com> wrote:
> >
> > Address a kbuild issue where a developer created an ECDSA key for signing
> > kernel modules and then builds an older version of the kernel, when bi-
> > secting the kernel for example, that does not support ECDSA keys.
> 
> Thanks, these two don't confuse me any more.
> 
>                 Linus

I'll (re-)test the changes, and make a PR after rc1 out.

/Jarkko
diff mbox series

Patch

diff --git a/certs/Makefile b/certs/Makefile
index 359239a0ee9e..f9344e52ecda 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -57,11 +57,19 @@  endif
 redirect_openssl	= 2>&1
 quiet_redirect_openssl	= 2>&1
 silent_redirect_openssl = 2>/dev/null
+openssl_available       = $(shell openssl help 2>/dev/null && echo yes)
 
 # We do it this way rather than having a boolean option for enabling an
 # external private key, because 'make randconfig' might enable such a
 # boolean option and we unfortunately can't make it depend on !RANDCONFIG.
 ifeq ($(CONFIG_MODULE_SIG_KEY),"certs/signing_key.pem")
+
+ifeq ($(openssl_available),yes)
+X509TEXT=$(shell openssl x509 -in "certs/signing_key.pem" -text 2>/dev/null)
+
+$(if $(findstring rsaEncryption,$(X509TEXT)),,$(shell rm -f "certs/signing_key.pem"))
+endif
+
 $(obj)/signing_key.pem: $(obj)/x509.genkey
 	@$(kecho) "###"
 	@$(kecho) "### Now generating an X.509 key pair to be used for signing modules."