Re: Still some race in X509 certificates handling

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2015-02-13 13:15, David Howells wrote:
> Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
> 
>> When it happens, I can do a rebuild, and the build will say
>>
>>    X.509 certificate list changed
>>
>> which is kind of odd, since the list should *always* be just that
>> single key for me (ie "./signing_key.509").
> 
> Did you by any chance set aside a build tree that went wrong?  If so, could
> you have a look to see what's in:
> 
> 	<builddir>/kernel/.x509.list
> 	<builddir>/kernel/x509_certificate_list (note this is binary)
> 	<builddir>/x509.genkey
> 
> and make sure that:
> 
> 	<builddir>/signing_key.priv
> 	<builddir>/signing_key.x509
> 
> both exist.  I wonder if the problem might perhaps be due to one of
> signing_key.priv or signing_key.x509 getting removed somehow - but not both.

It could also be due to the usage of realpath when building the
certificate list:

X509_CERTIFICATES-$(CONFIG_MODULE_SIG) += $(objtree)/signing_key.x509
X509_CERTIFICATES-raw := $(sort $(foreach CERT,$(X509_CERTIFICATES-y), \
				$(or $(realpath $(CERT)),$(CERT))))

If signing_key.x509 hasn't been generated yet, it will be stored as as
./signing_key.x509. In a later make invocation, realpath will resolve it
into /home/.../signing_key.x509. But then, it should fail every time,
because of the := assignment.

Michal
--
To unsubscribe from this list: send the line "unsubscribe linux-kbuild" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Linux&nblp;USB Development]     [Linux Media]     [Video for Linux]     [Linux Audio Users]     [Yosemite Secrets]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux