Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

MODSIGN: Use the same digest for the autogen key sig as for the module sig

Use the same digest type for the autogenerated key signature as for the module
signature so that the hash algorithm is guaranteed to be present in the kernel.

Without this, the X.509 certificate loader may reject the X.509 certificate so
generated because it was self-signed and the signature will be checked against
itself - but this won't work if the digest algorithm must be loaded as a
module.

The symptom is that the key fails to load with the following message emitted
into the kernel log:

    MODSIGN: Problem loading in-kernel X.509 certificate (-65)

the error in brackets being -ENOPKG. What you should see is something like:

    MODSIGN: Loaded cert 'Magarathea: Glacier signing key: 9588321144239a119d3406d4c4cf1fbae1836fa0'

Note that this doesn't apply to certificates that are not self-signed as we
don't check those currently as they require the parent CA certificate to be
available.

Reported-by: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>

Authored by David Howells and committed by Rusty Russell
5e8cb1e4 80d65e58
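
The mismatch the commit message describes can be checked before booting by reading the signature algorithm out of the DER certificate and comparing it with the digest chosen in the kernel config. This is an added example, not part of the commit or of the kernel tree; it assumes an RSA key (PKCS#1 signature OIDs), and `skeleton_cert` and `SAMPLE_CONFIG` are constructed stand-ins for signing_key.x509 and .config.

```python
import re

# DER-encoded OIDs of the PKCS#1 RSA signature algorithms -> digest name.
SIG_OIDS = {
    "2a864886f70d010105": "sha1",
    "2a864886f70d01010e": "sha224",
    "2a864886f70d01010b": "sha256",
    "2a864886f70d01010c": "sha384",
    "2a864886f70d01010d": "sha512",
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def cert_signature_digest(der):
    """Digest named by Certificate.signatureAlgorithm (field after tbsCertificate)."""
    _, start, _ = read_tlv(der, 0)             # outer Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, start)       # skip tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)   # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER")
    return SIG_OIDS.get(der[oid_start:oid_end].hex(), "unknown")

def config_digest(config_text):
    """Digest selected by CONFIG_MODULE_SIG_SHA*=y, or None if none is set."""
    m = re.search(r"^CONFIG_MODULE_SIG_(SHA\d+)=y$", config_text, re.M)
    return m.group(1).lower() if m else None

def digest_matches(der, config_text):
    return cert_signature_digest(der) == config_digest(config_text)

def skeleton_cert(oid_hex):
    """Constructed sample: empty tbsCertificate, given OID, dummy signature."""
    alg = bytes.fromhex("0609" + oid_hex + "0500")
    body = b"\x30\x00" + b"\x30" + bytes([len(alg)]) + alg + b"\x03\x02\x00\x00"
    return b"\x30" + bytes([len(body)]) + body

SAMPLE_CONFIG = ("CONFIG_MODULE_SIG=y\n# CONFIG_MODULE_SIG_SHA1 is not set\n"
                 "CONFIG_MODULE_SIG_SHA512=y\n")
```

On a real build tree, pass the bytes of signing_key.x509 and the text of .config to `digest_matches`.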

+21 -1
kernel/Makefile
··· 149 149 # fail and that the kernel may be used afterwards. 150 150 # 151 151 ############################################################################### 152 + sign_key_with_hash := 153 + ifeq ($(CONFIG_MODULE_SIG_SHA1),y) 154 + sign_key_with_hash := -sha1 155 + endif 156 + ifeq ($(CONFIG_MODULE_SIG_SHA224),y) 157 + sign_key_with_hash := -sha224 158 + endif 159 + ifeq ($(CONFIG_MODULE_SIG_SHA256),y) 160 + sign_key_with_hash := -sha256 161 + endif 162 + ifeq ($(CONFIG_MODULE_SIG_SHA384),y) 163 + sign_key_with_hash := -sha384 164 + endif 165 + ifeq ($(CONFIG_MODULE_SIG_SHA512),y) 166 + sign_key_with_hash := -sha512 167 + endif 168 + ifeq ($(sign_key_with_hash),) 169 + $(error Could not determine digest type to use from kernel config) 170 + endif 171 + 152 172 signing_key.priv signing_key.x509: x509.genkey 153 173 @echo "###" 154 174 @echo "### Now generating an X.509 key pair to be used for signing modules." ··· 180 160 @echo "###" 181 161 @echo "### rngd -r /dev/hwrandom" 182 162 @echo "###" 183 - openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \ 163 + openssl req -new -nodes -utf8 $(sign_key_with_hash) -days 36500 -batch \ 184 164 -x509 -config x509.genkey \ 185 165 -outform DER -out signing_key.x509 \ 186 166 -keyout signing_key.priv
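
Review bot: In the first hunk, the run of ifeq blocks that sets sign_key_with_hash carries no comment saying why the key's digest has to follow CONFIG_MODULE_SIG_SHA*. A short comment above "sign_key_with_hash :=" stating that the self-signed certificate is verified against itself at load time, so its digest must be one that is built into the kernel, would keep someone from simplifying this back to a fixed flag. Separately, the $(error ...) is evaluated when the Makefile is parsed, and the visible context does not show whether this block sits inside a CONFIG_MODULE_SIG conditional; if it does not, a config with module signing disabled would abort here, so please confirm the guard.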
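
Review bot: In the second hunk, the rule "signing_key.priv signing_key.x509: x509.genkey" still depends only on x509.genkey, so changing the CONFIG_MODULE_SIG_SHA* choice after a key pair exists does not regenerate it, and a certificate signed with the earlier digest can still fail to load with -ENOPKG. Consider saying in the echoed banner that the key pair has to be removed and regenerated when the module signature digest changes, or make the rule pick up that change.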