On 07.02.2013 00:42, Alexander Holler wrote:
Hello,

I wanted to try out MODSIGN with kernel 3.7.6 and I've just got hit by:

[ 1.346445] X.509: Cert 6a23533cec71c4c52a1618fb4d830e06aa90474e is not yet valid

The reason is likely that the (ARM) device in question doesn't have an RTC (oh, that topic again ;) ) and gets its time on boot through NTP.

The used certificate was generated automatically. Having a look at it, the following is shown:

    Validity
        Not Before: Feb 6 02:56:46 2013 GMT
        Not After : Jan 13 02:56:46 2113 GMT

Without having thought about possible security problems, my first idea would be to let the validity start at 1970. As I never did such, I never had thought about possible implications when doing such (e.g. I don't know if someone checks the start date for plausibility).

Another solution would be to retry loading of the certificate if the time gets set (and e.g. differs more than a year).

Has someone already thought about how to solve that problem? Or did everyone use sane systems which have a (working) RTC?
Another option would be to make a configure option to just ignore the date. I'm not sure if I would like to use MODSIGN when I have to fear that the machine wouldn't start when the RTC fails or got set to a wrong date.
Regards,

Alexander

