summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2015-08-11 12:38:54 +0100
committerDavid Howells <dhowells@redhat.com>2015-08-12 17:01:01 +0100
commit228c37ff980f5643401a1667f5ab7c6f38602cf8 (patch)
treee5626bde6b067bc3119caba067307439328948a6
parent99db44350672c8a5ee9a7b0a6f4cd6ff10136065 (diff)
sign-file: Document dependency on OpenSSL devel libraries
The revised sign-file program is no longer a script that wraps the openssl program, but now rather a program that makes use of OpenSSL's crypto library. This means that to build the sign-file program, the kernel build process now has a dependency on the OpenSSL development packages in addition to OpenSSL itself. Document this in Kconfig and in module-signing.txt. Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: David Woodhouse <David.Woodhouse@intel.com>
-rw-r--r--Documentation/module-signing.txt3
-rw-r--r--init/Kconfig4
2 files changed, 7 insertions, 0 deletions
diff --git a/Documentation/module-signing.txt b/Documentation/module-signing.txt
index 4e62bc29666e..02a9baf1c72f 100644
--- a/Documentation/module-signing.txt
+++ b/Documentation/module-signing.txt
@@ -111,6 +111,9 @@ This has a number of options available:
additional certificates which will be included in the system keyring by
default.
+Note that enabling module signing adds a dependency on the OpenSSL devel
+packages to the kernel build processes for the tool that does the signing.
+
=======================
GENERATING SIGNING KEYS
diff --git a/init/Kconfig b/init/Kconfig
index 62b725653c36..5d1a703663ad 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1897,6 +1897,10 @@ config MODULE_SIG
is simply appended to the module. For more information see
Documentation/module-signing.txt.
+ Note that this option adds the OpenSSL development packages as a
+ kernel build dependency so that the signing tool can use its crypto
+ library.
+
!!!WARNING!!! If you enable this option, you MUST make sure that the
module DOES NOT get stripped after being signed. This includes the
debuginfo strip done by some packagers (such as rpmbuild) and