author: David Woodhouse <David.Woodhouse@intel.com> 2015-07-20 23:16:30 +0300
committer: David Howells <dhowells@redhat.com> 2015-08-07 18:26:14 +0300
commit: fb1179499134bc718dc7557c7a6a95dc72f224cb
tree: 5a0b7e87708c275071f4c3079099854a13eee812 /Documentation/module-signing.txt
parent: 1329e8cc69b93a0b1bc6d197b30dcff628c18dbf
modsign: Use single PEM file for autogenerated key

The current rule for generating signing_key.priv and signing_key.x509 is a classic example of a bad rule which has a tendency to break parallel make. When invoked to create *either* target, it generates the other target as a side-effect that make didn't predict.

So let's switch to using a single file signing_key.pem which contains both key and certificate. That matches what we do in the case of an external key specified by CONFIG_MODULE_SIG_KEY anyway, so it's also slightly cleaner.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: David Howells <dhowells@redhat.com>

Diffstat (limited to 'Documentation/module-signing.txt')
-rw-r--r-- Documentation/module-signing.txt 9
1 files changed, 4 insertions, 5 deletions
diff --git a/Documentation/module-signing.txt b/Documentation/module-signing.txt
index 693001920890..5d5e4e32dc26 100644
--- a/Documentation/module-signing.txt
+++ b/Documentation/module-signing.txt
@@ -91,7 +91,7 @@ This has a number of options available:
(4) "File name or PKCS#11 URI of module signing key" (CONFIG_MODULE_SIG_KEY)
Setting this option to something other than its default of
- "signing_key.priv" will disable the autogeneration of signing keys and
+ "signing_key.pem" will disable the autogeneration of signing keys and
allow the kernel modules to be signed with a key of your choosing.
The string provided should identify a file containing both a private
key and its corresponding X.509 certificate in PEM form, or — on
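Review bot: The new default string in item (4) comes with no guidance for trees configured under the old name. Because any value "other than its default" disables autogeneration, a configuration that still carries "signing_key.priv" would now be read as a user-supplied key, and per the sentence that follows, that file would have to hold both the private key and its X.509 certificate in PEM form. Suggest adding a sentence here, or in the commit message, telling users who still have the old value to reset the option to "signing_key.pem" or to point it at a combined PEM file.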
@@ -116,11 +116,10 @@ kernel so that it can be used to check the signatures as the modules are
loaded.
Under normal conditions, when CONFIG_MODULE_SIG_KEY is unchanged from its
-default of "signing_key.priv", the kernel build will automatically generate
-a new keypair using openssl if one does not exist in the files:
+default, the kernel build will automatically generate a new keypair using
+openssl if one does not exist in the file:
- signing_key.priv
- signing_key.x509
+ signing_key.pem
during the building of vmlinux (the public part of the key needs to be built
into vmlinux) using parameters in the:
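Review bot: The file list now names only "signing_key.pem", but this paragraph never says that the one file carries the private key as well as the certificate; the trailing context mentions only the public part being built into vmlinux. With the ".priv" name gone, nothing in the text signals that the file is secret. Suggest a sentence after the file name stating that signing_key.pem contains both the private key and the X.509 certificate and must be kept private. Minor wording point: "a new keypair ... in the file" could read "a new key and certificate" to match what the file actually holds.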