On Tue, 2015-05-19 at 15:14 -0400, Mimi Zohar wrote:
> On Tue, 2015-05-19 at 19:48 +0100, David Howells wrote:
> > Mimi Zohar <[email protected]> wrote:
> >
> > > Definitely better. (FYI, Dmitry's modsig patches from 2012 used the
> > > keyring for safely storing a password.)
>
> Without the environment variable set, there's a pop up prompt to enter
> the pin. A pain to have to enter for each and every kernel module, but
> definitely a nice option.

Right. In fact now that sign-file is written in C and not having to
call out to /usr/bin/openssl for each signature, we *could* authenticate
to the PKCS#11 token (or load the private key from the file) just once
and sign all the modules in a *single* invocation. So you'd only be
asked for the password *once*.

The make rules to achieve that are somewhat non-trivial, but it was an
idea we had in our minds when we settled on doing it in C rather than
scripting it.

-- 
David Woodhouse
Open Source Technology Centre
[email protected]
Intel Corporation

