diff options
| author | David Woodhouse <David.Woodhouse@intel.com> | 2015-07-20 21:16:30 +0100 |
|---|---|---|
| committer | David Howells <dhowells@redhat.com> | 2015-08-07 16:26:14 +0100 |
| commit | fb1179499134bc718dc7557c7a6a95dc72f224cb (patch) | |
| tree | 5a0b7e87708c275071f4c3079099854a13eee812 /Documentation/module-signing.txt | |
| parent | 1329e8cc69b93a0b1bc6d197b30dcff628c18dbf (diff) | |
| download | op-kernel-dev-fb1179499134bc718dc7557c7a6a95dc72f224cb.zip op-kernel-dev-fb1179499134bc718dc7557c7a6a95dc72f224cb.tar.gz | |
modsign: Use single PEM file for autogenerated key
The current rule for generating signing_key.priv and signing_key.x509 is
a classic example of a bad rule which has a tendency to break parallel
make. When invoked to create *either* target, it generates the other
target as a side-effect that make didn't predict.
So let's switch to using a single file signing_key.pem which contains
both key and certificate. That matches what we do in the case of an
external key specified by CONFIG_MODULE_SIG_KEY anyway, so it's also
slightly cleaner.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Diffstat (limited to 'Documentation/module-signing.txt')
| -rw-r--r-- | Documentation/module-signing.txt | 9 |
1 files changed, 4 insertions, 5 deletions
diff --git a/Documentation/module-signing.txt b/Documentation/module-signing.txt index 6930019..5d5e4e3 100644 --- a/Documentation/module-signing.txt +++ b/Documentation/module-signing.txt @@ -91,7 +91,7 @@ This has a number of options available: (4) "File name or PKCS#11 URI of module signing key" (CONFIG_MODULE_SIG_KEY) Setting this option to something other than its default of - "signing_key.priv" will disable the autogeneration of signing keys and + "signing_key.pem" will disable the autogeneration of signing keys and allow the kernel modules to be signed with a key of your choosing. The string provided should identify a file containing both a private key and its corresponding X.509 certificate in PEM form, or — on @@ -116,11 +116,10 @@ kernel so that it can be used to check the signatures as the modules are loaded. Under normal conditions, when CONFIG_MODULE_SIG_KEY is unchanged from its -default of "signing_key.priv", the kernel build will automatically generate -a new keypair using openssl if one does not exist in the files: +default, the kernel build will automatically generate a new keypair using +openssl if one does not exist in the file: - signing_key.priv - signing_key.x509 + signing_key.pem during the building of vmlinux (the public part of the key needs to be built into vmlinux) using parameters in the: |
