summaryrefslogtreecommitdiff
path: root/Makefile
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2015-07-20 21:16:27 +0100
committerDavid Howells <dhowells@redhat.com>2015-08-07 16:26:13 +0100
commit3f1e1bea34740069f70c6bc92d0f712345d5c28e (patch)
tree35ceac092ff7591536810cceecdbf22f4132b046 /Makefile
parentbc1c373dd2a5113800360f7152be729c9da996cc (diff)
MODSIGN: Use PKCS#7 messages as module signatures
Move to using PKCS#7 messages as module signatures because: (1) We have to be able to support the use of X.509 certificates that don't have a subjKeyId set. We're currently relying on this to look up the X.509 certificate in the trusted keyring list. (2) PKCS#7 message signed information blocks have a field that supplies the data required to match with the X.509 certificate that signed it. (3) The PKCS#7 certificate carries fields that specify the digest algorithm used to generate the signature in a standardised way and the X.509 certificates specify the public key algorithm in a standardised way - so we don't need our own methods of specifying these. (4) We now have PKCS#7 message support in the kernel for signed kexec purposes and we can make use of this. To make this work, the old sign-file script has been replaced with a program that needs compiling in a previous patch. The rules to build it are added here. Signed-off-by: David Howells <dhowells@redhat.com> Tested-by: Vivek Goyal <vgoyal@redhat.com>
Diffstat (limited to 'Makefile')
-rw-r--r--Makefile2
1 files changed, 1 insertions, 1 deletions
diff --git a/Makefile b/Makefile
index a9ad4908e870..dc87ec280fbc 100644
--- a/Makefile
+++ b/Makefile
@@ -873,7 +873,7 @@ ifdef CONFIG_MODULE_SIG_ALL
MODSECKEY = ./signing_key.priv
MODPUBKEY = ./signing_key.x509
export MODPUBKEY
-mod_sign_cmd = perl $(srctree)/scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(MODSECKEY) $(MODPUBKEY)
+mod_sign_cmd = scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(MODSECKEY) $(MODPUBKEY)
else
mod_sign_cmd = true
endif