This was applied today with rc7-git1
Thanks,
Justin
On Mon, Mar 7, 2016 at 12:42 AM, Thorsten Leemhuis <fedora@xxxxxxxxxxxxx>
wrote:
> On 07.03.2016 07:40, Thorsten Leemhuis wrote:
> > Hi Justin! Please consider merging the two patches I'll send as reply to
> > this mail.
>
> From 73643da91a47992f42616875984baec116667511 Mon Sep 17 00:00:00 2001
> From: Thorsten Leemhuis <fedora@xxxxxxxxxxxxx>
> Date: Fri, 1 Jan 2016 17:45:08 +0100
> Subject: [PATCH 2/2] sign modules on all archs
>
> ---
> config-generic | 17 ++++++++++++++---
> config-x86-generic | 13 +------------
> kernel.spec | 9 ++++-----
> 3 files changed, 19 insertions(+), 20 deletions(-)
>
> diff --git a/config-generic b/config-generic
> index 30f00b2..0e8f192 100644
> --- a/config-generic
> +++ b/config-generic
> @@ -5855,11 +5855,22 @@ CONFIG_POWERCAP=y
>
> # CONFIG_CPUFREQ_DT is not set
>
> -# CONFIG_MODULE_SIG is not set
> +CONFIG_MODULE_SIG=y
> +CONFIG_MODULE_SIG_ALL=y
> +# CONFIG_MODULE_SIG_SHA1 is not set
> +CONFIG_MODULE_SIG_SHA256=y
> +# CONFIG_MODULE_SIG_FORCE is not set
> +CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
> +CONFIG_SYSTEM_TRUSTED_KEYS=""
> +CONFIG_PKCS7_MESSAGE_PARSER=y
> +# CONFIG_PKCS7_TEST_KEY is not set
> +CONFIG_SIGNED_PE_FILE_VERIFICATION=y
> +CONFIG_SYSTEM_TRUSTED_KEYRING=y
> +CONFIG_SYSTEM_BLACKLIST_KEYRING=y
> +# CONFIG_MODULE_SIG_UEFI is not set
> +# CONFIG_EFI_SIGNATURE_LIST_PARSER is not set
> # FIXME: Revisit this to see if we can use it instead of the spec file
> stuff
> # CONFIG_MODULE_COMPRESS is not set
> -# CONFIG_SYSTEM_TRUSTED_KEYRING is not set
> -# CONFIG_SYSTEM_BLACKLIST_KEYRING is not set
>
> # CONFIG_RTC_DRV_EFI is not set
> # CONFIG_NET_XGENE is not set
> diff --git a/config-x86-generic b/config-x86-generic
> index 33b55f3..4815913 100644
> --- a/config-x86-generic
> +++ b/config-x86-generic
> @@ -583,18 +583,7 @@ CONFIG_MOUSE_PS2_VMMOUSE=y
> CONFIG_XZ_DEC_X86=y
>
> CONFIG_MPILIB=y
> -CONFIG_PKCS7_MESSAGE_PARSER=y
> -# CONFIG_PKCS7_TEST_KEY is not set
> -CONFIG_SIGNED_PE_FILE_VERIFICATION=y
> -CONFIG_SYSTEM_TRUSTED_KEYRING=y
> -CONFIG_SYSTEM_BLACKLIST_KEYRING=y
> -CONFIG_MODULE_SIG=y
> -CONFIG_MODULE_SIG_ALL=y
> -# CONFIG_MODULE_SIG_SHA1 is not set
> -CONFIG_MODULE_SIG_SHA256=y
> -# CONFIG_MODULE_SIG_FORCE is not set
> -CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
> -CONFIG_SYSTEM_TRUSTED_KEYS=""
> +
> CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y
> CONFIG_EFI_SIGNATURE_LIST_PARSER=y
>
> diff --git a/kernel.spec b/kernel.spec
> index 6081458..ad3fd42 100644
> --- a/kernel.spec
> +++ b/kernel.spec
> @@ -16,7 +16,7 @@ Summary: The Linux kernel
> %global zipmodules 1
> %else
> %global signkernel 0
> -%global signmodules 0
> +%global signmodules 1
> %global zipmodules 0
> %endif
>
> @@ -393,14 +393,12 @@ BuildRequires: rpm-build, elfutils
> %define debuginfo_args --strict-build-id -r
> %endif
>
> -%ifarch %{ix86} x86_64
> -# MODULE_SIG is enabled in config-x86-generic and needs these:
> +%if %{signkernel}%{signmodules}
> BuildRequires: openssl openssl-devel
> -%endif
> -
> %if %{signkernel}
> BuildRequires: pesign >= 0.10-4
> %endif
> +%endif
>
> %if %{with_cross}
> BuildRequires: binutils-%{_build_arch}-linux-gnu,
> gcc-%{_build_arch}-linux-gnu
> @@ -2149,6 +2147,7 @@ fi
> * Sat Mar 5 2016 Thorsten Leemhuis <fedora@xxxxxxxxxxxxx>
> - add signkernel macro to make signing kernel and signing modules
> independent from each other
> +- sign modules on all archs
>
> * Fri Mar 04 2016 Justin M. Forbes <jforbes@xxxxxxxxxxxxxxxxx> -
> 4.5.0-0.rc6.git3.1
> - Linux v4.5-rc6-41-ge3c2ef4
> --
> 1.8.3.1
>
>
_______________________________________________
kernel mailing list
kernel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/kernel@xxxxxxxxxxxxxxxxxxxxxxx
