mirror of
https://github.com/torvalds/linux.git
synced 2024-11-22 12:11:40 +00:00
certs: Trigger creation of RSA module signing key if it's not an RSA key
Address a kbuild issue where a developer created an ECDSA key for signing
kernel modules and then builds an older version of the kernel, when bi-
secting the kernel for example, that does not support ECDSA keys.
If openssl is installed, trigger the creation of an RSA module signing
key if it is not an RSA key.
Fixes: cfc411e7ff
("Move certificate handling to its own directory")
Cc: David Howells <dhowells@redhat.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Tested-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
This commit is contained in:
parent
6824f8554a
commit
ea35e0d5df
@ -57,11 +57,19 @@ endif
|
||||
redirect_openssl = 2>&1
|
||||
quiet_redirect_openssl = 2>&1
|
||||
silent_redirect_openssl = 2>/dev/null
|
||||
openssl_available = $(shell openssl help 2>/dev/null && echo yes)
|
||||
|
||||
# We do it this way rather than having a boolean option for enabling an
|
||||
# external private key, because 'make randconfig' might enable such a
|
||||
# boolean option and we unfortunately can't make it depend on !RANDCONFIG.
|
||||
ifeq ($(CONFIG_MODULE_SIG_KEY),"certs/signing_key.pem")
|
||||
|
||||
ifeq ($(openssl_available),yes)
|
||||
X509TEXT=$(shell openssl x509 -in "certs/signing_key.pem" -text 2>/dev/null)
|
||||
|
||||
$(if $(findstring rsaEncryption,$(X509TEXT)),,$(shell rm -f "certs/signing_key.pem"))
|
||||
endif
|
||||
|
||||
$(obj)/signing_key.pem: $(obj)/x509.genkey
|
||||
@$(kecho) "###"
|
||||
@$(kecho) "### Now generating an X.509 key pair to be used for signing modules."
|
||||
|
Loading…
Reference in New Issue
Block a user