Re: [PATCH 10/8] modsign: Allow password to be specified for signing key
From: David Woodhouse
Date: Tue May 19 2015 - 12:15:34 EST
On Tue, 2015-05-19 at 18:50 +0300, Petko Manolov wrote:
> On 15-05-19 15:45:58, David Woodhouse wrote:
> > We don't want this in the Kconfig since it might then get exposed in
> > /proc/config.gz. So make it a parameter to Kbuild instead. This also
> > means we don't have to jump through hoops to strip quotes from it, as
> > we would if it was a config option.
>
> If it were on a network-less, secure sign/build server i'd say it is OK.
>
> However, exposing your private key's password in an environment variable on a
> regular Linux box is a bit fishy.
I don't quite understand the objection.
If you want the modules to be signed with an external key of your
choice, then for the duration of the 'make modules_sign' run (or 'make
modules_install if CONFIG_MODULE_SIG_ALL=y) surely the password has to
be available *somehow*?
You are, of course, free to sign the modules by invoking sign-file
directly. In which case you *still* need to provide it with the password
for the key somehow, if there is one.
Mimi quite rightly pointed out that my original mechanism for this, a
CONFIG_MODULE_SIG_KEY_PASSWORD option, was inadvertently exposing it
more than was necessary.
As it is now, you *only* need it in the environment for the duration of
the operations that actually *use* it.
Do you have a better suggestion?
--
David Woodhouse Open Source Technology Centre
David.Woodhouse@xxxxxxxxx Intel Corporation
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/