• David Howells's avatar
    MODSIGN: Provide module signing public keys to the kernel · 631cc66e
    David Howells authored
    Include a PGP keyring containing the public keys required to perform module
    verification in the kernel image during build and create a special keyring
    during boot which is then populated with keys of crypto type holding the public
    keys found in the PGP keyring.
    
    These can be seen by root:
    
    [root@andromeda ~]# cat /proc/keys
    07ad4ee0 I-----     1 perm 3f010000     0     0 crypto    modsign.0: RSA 87b9b3bd []
    15c7f8c3 I-----     1 perm 1f030000     0     0 keyring   .module_sign: 1/4
    ...
    
    It is probably worth permitting root to invalidate these keys, resulting in
    their removal and preventing further modules from being loaded with that key.
    Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
    Signed-off-by: default avatarRusty Russell <rusty@rustcorp.com.au>
    631cc66e
Makefile 6.65 KB