Annnnnnd I just realized this patch is incorrect. Comments on the concept
are still welcome however.
On Thu, 2015-04-09 at 17:51 -0400, Abelardo Ricart III wrote:
> The module-signing.txt documentation states that the kernel will use an
> existing
> x.509 key pair for module signing should they exist in the root of the source
> tree.
> However, user provided signing keys are overwritten during build if the last-
> modified
> times on the key pair don't align with what make expects. This patch
> explicitly checks
> for the existence of the signing key files, skipping key generation should
> they exist.
>
> Signed-off-by: Abelardo Ricart III <aricart@xxxxxxxxxx>
> ---
>
> diff --git a/kernel/Makefile b/kernel/Makefile
> index 1408b33..6b8f292 100644
> --- a/kernel/Makefile
> +++ b/kernel/Makefile
> @@ -168,6 +168,9 @@ ifndef CONFIG_MODULE_SIG_HASH
> $(error Could not determine digest type to use from kernel config)
> endif
>
> +ifneq ("$(wildcard $(srctree)/signing_key.priv)","")
> +ifneq ("$(wildcard $(srctree)/signing_key.x509)","")
> +$(warning *** X.509 module signing key pair not found in root of source tree
> ***)
> signing_key.priv signing_key.x509: x509.genkey
> @echo "###"
> @echo "### Now generating an X.509 key pair to be used for signing
> modules."
> @@ -184,6 +187,8 @@ signing_key.priv signing_key.x509: x509.genkey
> @echo "###"
> @echo "### Key pair generated."
> @echo "###"
> +endif
> +endif
>
> x509.genkey:
> @echo Generating X.509 key generation config
--
To unsubscribe from this list: send the line "unsubscribe linux-kbuild" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
