diff options
author | David Howells <dhowells@redhat.com> | 2015-07-20 21:16:27 +0100 |
---|---|---|
committer | David Howells <dhowells@redhat.com> | 2015-08-07 16:26:13 +0100 |
commit | 3f1e1bea34740069f70c6bc92d0f712345d5c28e (patch) | |
tree | 35ceac092ff7591536810cceecdbf22f4132b046 /scripts/Makefile | |
parent | bc1c373dd2a5113800360f7152be729c9da996cc (diff) | |
download | lwn-3f1e1bea34740069f70c6bc92d0f712345d5c28e.tar.gz lwn-3f1e1bea34740069f70c6bc92d0f712345d5c28e.zip |
MODSIGN: Use PKCS#7 messages as module signatures
Move to using PKCS#7 messages as module signatures because:
(1) We have to be able to support the use of X.509 certificates that don't
have a subjKeyId set. We're currently relying on this to look up the
X.509 certificate in the trusted keyring list.
(2) PKCS#7 message signed information blocks have a field that supplies the
data required to match with the X.509 certificate that signed it.
(3) The PKCS#7 certificate carries fields that specify the digest algorithm
used to generate the signature in a standardised way and the X.509
certificates specify the public key algorithm in a standardised way - so
we don't need our own methods of specifying these.
(4) We now have PKCS#7 message support in the kernel for signed kexec purposes
and we can make use of this.
To make this work, the old sign-file script has been replaced with a program
that needs compiling in a previous patch. The rules to build it are added
here.
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Vivek Goyal <vgoyal@redhat.com>
Diffstat (limited to 'scripts/Makefile')
-rw-r--r-- | scripts/Makefile | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/scripts/Makefile b/scripts/Makefile index 2016a64497ab..b12fe020664d 100644 --- a/scripts/Makefile +++ b/scripts/Makefile @@ -16,9 +16,11 @@ hostprogs-$(CONFIG_VT) += conmakehash hostprogs-$(BUILD_C_RECORDMCOUNT) += recordmcount hostprogs-$(CONFIG_BUILDTIME_EXTABLE_SORT) += sortextable hostprogs-$(CONFIG_ASN1) += asn1_compiler +hostprogs-$(CONFIG_MODULE_SIG) += sign-file HOSTCFLAGS_sortextable.o = -I$(srctree)/tools/include HOSTCFLAGS_asn1_compiler.o = -I$(srctree)/include +HOSTLOADLIBES_sign-file = -lcrypto always := $(hostprogs-y) $(hostprogs-m) |