• David Howells's avatar
    MODSIGN: Sign modules during the build process · 80d65e58
    David Howells authored
    If CONFIG_MODULE_SIG is set, then this patch will cause all modules files to
    to have signatures added.  The following steps will occur:
    
     (1) The module will be linked to foo.ko.unsigned instead of foo.ko
    
     (2) The module will be stripped using both "strip -x -g" and "eu-strip" to
         ensure minimal size for inclusion in an initramfs.
    
     (3) The signature will be generated on the stripped module.
    
     (4) The signature will be appended to the module, along with some information
         about the signature and a magic string that indicates the presence of the
         signature.
    
    Step (3) requires private and public keys to be available.  By default these
    are expected to be found in files:
    
    	signing_key.priv
    	signing_key.x509
    
    in the base directory of the build.  The first is the private key in PEM form
    and the second is the X.509 certificate in DER form as can be generated from
    openssl:
    
    	openssl req \
    		-new -x509 -outform PEM -out signing_key.x509 \
    		-keyout signing_key.priv -nodes \
    		-subj "/CN=H2G2/O=Magrathea/CN=Slartibartfast"
    
    If the secret key is not found then signing will be skipped and the unsigned
    module from (1) will just be copied to foo.ko.
    
    If signing occurs, lines like the following will be seen:
    
    	LD [M]  fs/foo/foo.ko.unsigned
    	STRIP [M] fs/foo/foo.ko.stripped
    	SIGN [M] fs/foo/foo.ko
    
    will appear in the build log.  If the signature step will be skipped and the
    following will be seen:
    
    	LD [M]  fs/foo/foo.ko.unsigned
    	STRIP [M] fs/foo/foo.ko.stripped
    	NO SIGN [M] fs/foo/foo.ko
    
    NOTE!  After the signature step, the signed module _must_not_ be passed through
    strip.  The unstripped, unsigned module is still available at the name on the
    LD [M] line.  This restriction may affect packaging tools (such as rpmbuild)
    and initramfs composition tools.
    Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
    Signed-off-by: default avatarRusty Russell <rusty@rustcorp.com.au>
    80d65e58
sign-file 2.72 KB