Re: Still some race in X509 certificates handling

Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:

> When it happens, I can do a rebuild, and the build will say
> 
>    X.509 certificate list changed
> 
> which is kind of odd, since the list should *always* be just that
> single key for me (ie "./signing_key.509").

Did you by any chance set aside a build tree that went wrong?  If so, could
you have a look to see what's in:

	<builddir>/kernel/.x509.list
	<builddir>/kernel/x509_certificate_list (note this is binary)
	<builddir>/x509.genkey

and make sure that:

	<builddir>/signing_key.priv
	<builddir>/signing_key.x509

both exist.  I wonder if the problem might perhaps be due to one of
signing_key.priv or signing_key.x509 getting removed somehow - but not both.
Make seems a bit weird on targets that produce two files, one of which isn't
depended on (it might remove it under some circumstances, I think).


Btw, do you use O=<builddir> when you're building?  That causes a certain
amount of pain to get right because:

 (1) the auto-generated keys have to be placed into the build dir, not the
     source dir;

 (2) we still need to scrape extra X.509 certs from the source dir; and

 (3) we don't want to see the autogenerated X.509 certificate twice if the
     build dir is the same as the source dir.

Actually, we could simplify the makefile a bit and waive (3) if we weeded out
duplicate X.509 certs by X.509 parameter value rather than by filename before
adding them into the kernel.

> (Side note: the HHGTTG references are cute, but I suspect we should
> rename the key so that it just says something boring like "build-time
> autogenerated kernel key" instead. Just so that the error messages are
> a bit more readable to people who aren't kernel engineers)

Awww...

My main point was to try and encourage distributions to supply an x509.genkey
with fields filled in with appropriate info.  I guess that's probably achieved
by now, so I could make it something else.  It has to be specified by an
X.400/X.500 DN, though, so maybe:

	@echo >>x509.genkey "O = Your company name"
	@echo >>x509.genkey "CN = Build time autogenerated kernel key"
	@echo >>x509.genkey "emailAddress = you@your.company"

I would really like to leave O, CN and emailAddress in here because these are
the fields that x509_fabricate_name() uses in the kernel.

David
--
To unsubscribe from this list: send the line "unsubscribe linux-kbuild" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
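The suggestion above, weeding out duplicate X.509 certificates by their content rather than by filename, can be illustrated with a small stand-alone script. This is an added example, not David's code and not the kernel's own kernel/Makefile logic; the three PEM "files" are constructed in memory with placeholder DER payloads (not real certificates), and the build-dir/source-dir layout it mimics is assumed. The same autogenerated certificate seen under two paths (the O=<builddir> case) is emitted once; a genuinely different distribution certificate is kept.

```python
import base64
import hashlib
import re

# Constructed sample data: the DER payloads below are placeholder bytes,
# not real X.509 structures. What matters for the dedupe logic is that
# two "files" carry byte-identical content under different names.
_FAKE_DER_A = b"\x30\x82\x00\x04placeholder-cert-A"   # autogenerated key
_FAKE_DER_B = b"\x30\x82\x00\x04placeholder-cert-B"   # a distro-supplied key


def _pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM CERTIFICATE block."""
    b64 = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


# Assumed layout: the autogenerated cert appears both in the build dir and
# (because build dir == source dir here) again via the source-dir scrape.
SAMPLE_FILES = {
    "signing_key.x509": _pem(_FAKE_DER_A),
    "srcdir/signing_key.x509": _pem(_FAKE_DER_A),
    "srcdir/extra_distro_key.x509": _pem(_FAKE_DER_B),
}

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def certs_from_pem(text: str):
    """Return the DER bytes of every PEM CERTIFICATE block in text."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(text)]


def dedupe_by_value(files):
    """Deduplicate certificates by SHA-256 of their DER encoding.

    files: mapping filename -> PEM text.
    Returns (order, seen) where order is the list of fingerprints in
    first-seen order and seen maps fingerprint -> {"der": bytes,
    "files": [filenames that carried it]}.
    """
    seen = {}
    order = []
    for name, text in files.items():
        for der in certs_from_pem(text):
            fp = hashlib.sha256(der).hexdigest()
            if fp not in seen:
                seen[fp] = {"der": der, "files": []}
                order.append(fp)
            seen[fp]["files"].append(name)
    return order, seen


def build_certificate_list(files) -> bytes:
    """Concatenate the unique DER certs, in the spirit of
    kernel/x509_certificate_list, so a cert present under two
    filenames is embedded only once."""
    order, seen = dedupe_by_value(files)
    return b"".join(seen[fp]["der"] for fp in order)


if __name__ == "__main__":
    order, seen = dedupe_by_value(SAMPLE_FILES)
    for fp in order:
        print(fp[:16], seen[fp]["files"])
    print(len(build_certificate_list(SAMPLE_FILES)), "bytes in certificate list")
```

Keying on the certificate's own bytes (or, in a real build, on a fingerprint computed by openssl x509 -fingerprint) rather than on the path removes the need to special-case the build dir equalling the source dir, which is exactly point (3) in the message.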