Patch "certs: Trigger creation of RSA module signing key if it's not an RSA key" has been added to the 5.14-stable tree

[Sasha Levin <sashal@xxxxxxxxxx>]

This is a note to let you know that I've just added the patch titled

    certs: Trigger creation of RSA module signing key if it's not an RSA key

to the 5.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     certs-trigger-creation-of-rsa-module-signing-key-if-.patch
and it can be found in the queue-5.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 0caba533a43094cd4e6b02e99311c1e397d38bae
Author: Stefan Berger <stefanb@xxxxxxxxxxxxx>
Date:   Tue Jun 29 17:34:20 2021 -0400

    certs: Trigger creation of RSA module signing key if it's not an RSA key
    
    [ Upstream commit ea35e0d5df6c92fa2e124bb1b91d09b2240715ba ]
    
    Address a kbuild issue where a developer created an ECDSA key for signing
    kernel modules and then builds an older version of the kernel, when bi-
    secting the kernel for example, that does not support ECDSA keys.
    
    If openssl is installed, trigger the creation of an RSA module signing
    key if it is not an RSA key.
    
    Fixes: cfc411e7fff3 ("Move certificate handling to its own directory")
    Cc: David Howells <dhowells@xxxxxxxxxx>
    Cc: David Woodhouse <dwmw2@xxxxxxxxxxxxx>
    Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>
    Reviewed-by: Jarkko Sakkinen <jarkko@xxxxxxxxxx>
    Tested-by: Jarkko Sakkinen <jarkko@xxxxxxxxxx>
    Signed-off-by: Jarkko Sakkinen <jarkko@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/certs/Makefile b/certs/Makefile
index 359239a0ee9e..f9344e52ecda 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -57,11 +57,19 @@ endif
 redirect_openssl	= 2>&1
 quiet_redirect_openssl	= 2>&1
 silent_redirect_openssl = 2>/dev/null
+openssl_available       = $(shell openssl help 2>/dev/null && echo yes)
 
 # We do it this way rather than having a boolean option for enabling an
 # external private key, because 'make randconfig' might enable such a
 # boolean option and we unfortunately can't make it depend on !RANDCONFIG.
 ifeq ($(CONFIG_MODULE_SIG_KEY),"certs/signing_key.pem")
+
+ifeq ($(openssl_available),yes)
+X509TEXT=$(shell openssl x509 -in "certs/signing_key.pem" -text 2>/dev/null)
+
+$(if $(findstring rsaEncryption,$(X509TEXT)),,$(shell rm -f "certs/signing_key.pem"))
+endif
+
 $(obj)/signing_key.pem: $(obj)/x509.genkey
 	@$(kecho) "###"
 	@$(kecho) "### Now generating an X.509 key pair to be used for signing modules."