Re: RFC: sign the modules at install time

2012-10-21 Thread Rusty Russell
David Howells writes: > Rusty Russell wrote: > >> > (Side note: I hope people realize that the random key is generated >> > with a 100-year lifespan. So if you build a kernel today, you do >> > potentially have a "year-2112 problem". I'm not horribly worried, but >> > I *am* a bit worried about

Re: RFC: sign the modules at install time

2012-10-21 Thread Rusty Russell
Linus Torvalds writes: > On Fri, Oct 19, 2012 at 12:58 PM, Linus Torvalds > wrote: >> >> Tssk. I fixed it up, and now it works-for-me(tm), but some perl person >> probably really should try to make that sign-file and x509keyid merge. >> My fix made the thing even slower, doing two extra "wc -c"

Re: RFC: sign the modules at install time

2012-10-21 Thread Rusty Russell
David Howells dhowe...@redhat.com writes: Rusty Russell ru...@rustcorp.com.au wrote: (Side note: I hope people realize that the random key is generated with a 100-year lifespan. So if you build a kernel today, you do potentially have a year-2112 problem. I'm not horribly worried, but I

Re: RFC: sign the modules at install time

2012-10-21 Thread Rusty Russell
Linus Torvalds torva...@linux-foundation.org writes: On Fri, Oct 19, 2012 at 12:58 PM, Linus Torvalds torva...@linux-foundation.org wrote: Tssk. I fixed it up, and now it works-for-me(tm), but some perl person probably really should try to make that sign-file and x509keyid merge. My fix made

Re: RFC: sign the modules at install time

2012-10-20 Thread Linus Torvalds
On Sat, Oct 20, 2012 at 9:41 AM, Romain Francoise wrote: > > Yes, however the key generation itself is horribly verbose and doesn't mix > very well with the output of a parallel build. Now that the modules are > signed at install time, presumably the key should be generated then as > well, and

Re: RFC: sign the modules at install time

2012-10-20 Thread Romain Francoise
Linus Torvalds writes: > I like how the default makefiles do that "create and use random key" > thing by default. THAT is what I want to see. Yes, however the key generation itself is horribly verbose and doesn't mix very well with the output of a parallel build. Now that the modules are signed

Re: RFC: sign the modules at install time

2012-10-20 Thread Romain Francoise
Linus Torvalds torva...@linux-foundation.org writes: I like how the default makefiles do that create and use random key thing by default. THAT is what I want to see. Yes, however the key generation itself is horribly verbose and doesn't mix very well with the output of a parallel build. Now

Re: RFC: sign the modules at install time

2012-10-20 Thread Linus Torvalds
On Sat, Oct 20, 2012 at 9:41 AM, Romain Francoise rom...@orebokech.com wrote: Yes, however the key generation itself is horribly verbose and doesn't mix very well with the output of a parallel build. Now that the modules are signed at install time, presumably the key should be generated then

Re: RFC: sign the modules at install time

2012-10-19 Thread Rusty Russell
Stephen Rothwell writes: > Hi Rusty, > > On Fri, 19 Oct 2012 11:53:15 +1030 Rusty Russell > wrote: >> >> Linus Torvalds writes: >> > On Wed, Oct 17, 2012 at 10:34 PM, Rusty Russell >> > wrote: >> >> >> >> Hacking the keyid and signer-name to be extracted every time by >> >> sign-file takes

Re: RFC: sign the modules at install time

2012-10-19 Thread Linus Torvalds
On Fri, Oct 19, 2012 at 12:58 PM, Linus Torvalds wrote: > > Tssk. I fixed it up, and now it works-for-me(tm), but some perl person > probably really should try to make that sign-file and x509keyid merge. > My fix made the thing even slower, doing two extra "wc -c" invocations > since it can't do

Re: RFC: sign the modules at install time

2012-10-19 Thread Linus Torvalds
On Thu, Oct 18, 2012 at 6:23 PM, Rusty Russell wrote: > > Smerged them together: no point moving the x509keyid script now. > I dropped the optional dst arg, since we don't use it. > > Thanks, > Rusty. > === > From: Rusty Russell > Subject: [PATCH] kbuild: sign the modules at install time > >

Re: RFC: sign the modules at install time

2012-10-19 Thread Josh Boyer
On Thu, Oct 18, 2012 at 9:16 PM, Rusty Russell wrote: > Josh Boyer writes: >> On Thu, Oct 18, 2012 at 2:46 PM, Linus Torvalds >> wrote: >>> On Wed, Oct 17, 2012 at 10:34 PM, Rusty Russell >>> wrote: Hacking the keyid and signer-name to be extracted every time by sign-file takes

Re: RFC: sign the modules at install time

2012-10-19 Thread Josh Boyer
On Thu, Oct 18, 2012 at 8:48 PM, Rusty Russell wrote: > Josh Boyer writes: >> It might even be able to be moved entirely into scripts/Makefile.modinst >> but I haven't gotten that far yet. > > Thanks, I'll add this. Excellent. > Note it was word-wrapped here though :( Sigh. Sorry, Rusty. I

Re: RFC: sign the modules at install time

2012-10-19 Thread Alexander Holler
On 19.10.2012 13:25, David Howells wrote: Stephen Rothwell wrote: So, this still generates the keys during the normal build, right? That would be a problem for build servers that have limited randomness available to them, I think. openssl uses /dev/urandom (unlike gpg), so that's less of

Re: RFC: sign the modules at install time

2012-10-19 Thread Stephen Rothwell
Hi David, On Fri, 19 Oct 2012 12:25:23 +0100 David Howells wrote: > > Stephen Rothwell wrote: > > > So, this still generates the keys during the normal build, right? That > > would be a problem for build servers that have limited randomness > > available to them, I think. > > openssl uses

Re: RFC: sign the modules at install time

2012-10-19 Thread David Howells
Stephen Rothwell wrote: > So, this still generates the keys during the normal build, right? That > would be a problem for build servers that have limited randomness > available to them, I think. openssl uses /dev/urandom (unlike gpg), so that's less of a problem. David

Re: RFC: sign the modules at install time

2012-10-19 Thread David Howells
Rusty Russell wrote: > > (Side note: I hope people realize that the random key is generated > > with a 100-year lifespan. So if you build a kernel today, you do > > potentially have a "year-2112 problem". I'm not horribly worried, but > > I *am* a bit worried about 32-bit time_t overflow and I

Re: RFC: sign the modules at install time

2012-10-19 Thread David Howells
Rusty Russell ru...@rustcorp.com.au wrote: (Side note: I hope people realize that the random key is generated with a 100-year lifespan. So if you build a kernel today, you do potentially have a year-2112 problem. I'm not horribly worried, but I *am* a bit worried about 32-bit time_t

Re: RFC: sign the modules at install time

2012-10-19 Thread David Howells
Stephen Rothwell s...@canb.auug.org.au wrote: So, this still generates the keys during the normal build, right? That would be a problem for build servers that have limited randomness available to them, I think. openssl uses /dev/urandom (unlike gpg), so that's less of a problem. David

Re: RFC: sign the modules at install time

2012-10-19 Thread Stephen Rothwell
Hi David, On Fri, 19 Oct 2012 12:25:23 +0100 David Howells dhowe...@redhat.com wrote: Stephen Rothwell s...@canb.auug.org.au wrote: So, this still generates the keys during the normal build, right? That would be a problem for build servers that have limited randomness available to

Re: RFC: sign the modules at install time

2012-10-19 Thread Alexander Holler
On 19.10.2012 13:25, David Howells wrote: Stephen Rothwell s...@canb.auug.org.au wrote: So, this still generates the keys during the normal build, right? That would be a problem for build servers that have limited randomness available to them, I think. openssl uses /dev/urandom (unlike

Re: RFC: sign the modules at install time

2012-10-19 Thread Josh Boyer
On Thu, Oct 18, 2012 at 8:48 PM, Rusty Russell ru...@rustcorp.com.au wrote: Josh Boyer jwbo...@gmail.com writes: It might even be able to be moved entirely into scripts/Makefile.modinst but I haven't gotten that far yet. Thanks, I'll add this. Excellent. Note it was word-wrapped here

Re: RFC: sign the modules at install time

2012-10-19 Thread Josh Boyer
On Thu, Oct 18, 2012 at 9:16 PM, Rusty Russell ru...@rustcorp.com.au wrote: Josh Boyer jwbo...@gmail.com writes: On Thu, Oct 18, 2012 at 2:46 PM, Linus Torvalds torva...@linux-foundation.org wrote: On Wed, Oct 17, 2012 at 10:34 PM, Rusty Russell ru...@rustcorp.com.au wrote: Hacking the

Re: RFC: sign the modules at install time

2012-10-19 Thread Linus Torvalds
On Thu, Oct 18, 2012 at 6:23 PM, Rusty Russell ru...@rustcorp.com.au wrote: Smerged them together: no point moving the x509keyid script now. I dropped the optional dst arg, since we don't use it. Thanks, Rusty. === From: Rusty Russell ru...@rustcorp.com.au Subject: [PATCH] kbuild: sign

Re: RFC: sign the modules at install time

2012-10-19 Thread Linus Torvalds
On Fri, Oct 19, 2012 at 12:58 PM, Linus Torvalds torva...@linux-foundation.org wrote: Tssk. I fixed it up, and now it works-for-me(tm), but some perl person probably really should try to make that sign-file and x509keyid merge. My fix made the thing even slower, doing two extra wc -c

Re: RFC: sign the modules at install time

2012-10-19 Thread Rusty Russell
Stephen Rothwell s...@canb.auug.org.au writes: Hi Rusty, On Fri, 19 Oct 2012 11:53:15 +1030 Rusty Russell ru...@rustcorp.com.au wrote: Linus Torvalds torva...@linux-foundation.org writes: On Wed, Oct 17, 2012 at 10:34 PM, Rusty Russell ru...@rustcorp.com.au wrote: Hacking the keyid

Re: RFC: sign the modules at install time

2012-10-18 Thread Stephen Rothwell
Hi Rusty, On Fri, 19 Oct 2012 11:53:15 +1030 Rusty Russell wrote: > > Linus Torvalds writes: > > On Wed, Oct 17, 2012 at 10:34 PM, Rusty Russell > > wrote: > >> > >> Hacking the keyid and signer-name to be extracted every time by > >> sign-file takes my modules_install time from 18.6 seconds

Re: RFC: sign the modules at install time

2012-10-18 Thread Rusty Russell
Linus Torvalds writes: > On Wed, Oct 17, 2012 at 10:34 PM, Rusty Russell wrote: >> >> Hacking the keyid and signer-name to be extracted every time by >> sign-file takes my modules_install time from 18.6 seconds to 19.1. We'd >> get that back easily by making sign-file a perl script anyway; it

Re: RFC: sign the modules at install time

2012-10-18 Thread Rusty Russell
Josh Boyer writes: > On Thu, Oct 18, 2012 at 2:46 PM, Linus Torvalds > wrote: >> On Wed, Oct 17, 2012 at 10:34 PM, Rusty Russell >> wrote: >>> >>> Hacking the keyid and signer-name to be extracted every time by >>> sign-file takes my modules_install time from 18.6 seconds to 19.1. We'd >>>

Re: RFC: sign the modules at install time

2012-10-18 Thread Rusty Russell
Josh Boyer writes: > It might even be able to be moved entirely into scripts/Makefile.modinst > but I haven't gotten that far yet. Thanks, I'll add this. Note it was word-wrapped here though :( Cheers, Rusty.

Re: RFC: sign the modules at install time

2012-10-18 Thread Rusty Russell
Linus Torvalds writes: > So signing is the nice flexible option, and technically the right > thing to do. Meh It's 52k of extra text to get that 'nice flexible'; 1% of my kernel image. That's a lot of bug free code. > (Side note: I hope people realize that the random key is generated >

Re: RFC: sign the modules at install time

2012-10-18 Thread George Spelvin
The micturator of the Holy Penguin Pee spake: > (Side note: I hope people realize that the random key is generated > with a 100-year lifespan. So if you build a kernel today, you do > potentially have a "year-2112 problem". I'm not horribly worried, but > I *am* a bit worried about 32-bit time_t

Re: RFC: sign the modules at install time

2012-10-18 Thread Josh Boyer
On Thu, Oct 18, 2012 at 2:46 PM, Linus Torvalds wrote: > On Wed, Oct 17, 2012 at 10:34 PM, Rusty Russell wrote: >> >> Hacking the keyid and signer-name to be extracted every time by >> sign-file takes my modules_install time from 18.6 seconds to 19.1. We'd >> get that back easily by making

Re: RFC: sign the modules at install time

2012-10-18 Thread Linus Torvalds
On Wed, Oct 17, 2012 at 10:34 PM, Rusty Russell wrote: > > Hacking the keyid and signer-name to be extracted every time by > sign-file takes my modules_install time from 18.6 seconds to 19.1. We'd > get that back easily by making sign-file a perl script anyway; it calls > out to perl 3 times

Re: RFC: sign the modules at install time

2012-10-18 Thread Greg KH
On Thu, Oct 18, 2012 at 03:04:26PM +1030, Rusty Russell wrote: > Linus Torvalds writes: > > On Wed, Oct 17, 2012 at 5:54 PM, Greg KH wrote: > >>> > >>> One of the main sane use-cases for module signing is: > >>> > >>> - CONFIG_CHECK_SIGNATURE=y > >>> - randomly generated one-time key > >>> -

Re: RFC: sign the modules at install time

2012-10-18 Thread Linus Torvalds
On Thu, Oct 18, 2012 at 5:11 AM, Josh Boyer wrote: > > It also excludes out-of-tree drivers. I wouldn't personally shed a tear > for them, but it eliminates a use-case that people could have if we just > stuck to the signed module approach. > > I'd prefer if we just cleaned up what we already

Re: RFC: sign the modules at install time

2012-10-18 Thread Josh Boyer
On Thu, Oct 18, 2012 at 03:01:08PM +1030, Rusty Russell wrote: > Linus Torvalds writes: > > On Wed, Oct 17, 2012 at 3:19 PM, David Howells wrote: > >> > >> It's probably even better to just get rid of all the automatic module > >> signing > >> stuff completely and leave the sign-file script for

Re: RFC: sign the modules at install time

2012-10-18 Thread Josh Boyer
On Thu, Oct 18, 2012 at 03:01:08PM +1030, Rusty Russell wrote: Linus Torvalds torva...@linux-foundation.org writes: On Wed, Oct 17, 2012 at 3:19 PM, David Howells dhowe...@redhat.com wrote: It's probably even better to just get rid of all the automatic module signing stuff completely

Re: RFC: sign the modules at install time

2012-10-18 Thread Linus Torvalds
On Thu, Oct 18, 2012 at 5:11 AM, Josh Boyer jwbo...@redhat.com wrote: It also excludes out-of-tree drivers. I wouldn't personally shed a tear for them, but it eliminates a use-case that people could have if we just stuck to the signed module approach. I'd prefer if we just cleaned up what

Re: RFC: sign the modules at install time

2012-10-18 Thread Greg KH
On Thu, Oct 18, 2012 at 03:04:26PM +1030, Rusty Russell wrote: Linus Torvalds torva...@linux-foundation.org writes: On Wed, Oct 17, 2012 at 5:54 PM, Greg KH gre...@linuxfoundation.org wrote: One of the main sane use-cases for module signing is: - CONFIG_CHECK_SIGNATURE=y - randomly

Re: RFC: sign the modules at install time

2012-10-18 Thread Linus Torvalds
On Wed, Oct 17, 2012 at 10:34 PM, Rusty Russell ru...@rustcorp.com.au wrote: Hacking the keyid and signer-name to be extracted every time by sign-file takes my modules_install time from 18.6 seconds to 19.1. We'd get that back easily by making sign-file a perl script anyway; it calls out to

Re: RFC: sign the modules at install time

2012-10-18 Thread Josh Boyer
On Thu, Oct 18, 2012 at 2:46 PM, Linus Torvalds torva...@linux-foundation.org wrote: On Wed, Oct 17, 2012 at 10:34 PM, Rusty Russell ru...@rustcorp.com.au wrote: Hacking the keyid and signer-name to be extracted every time by sign-file takes my modules_install time from 18.6 seconds to 19.1.

Re: RFC: sign the modules at install time

2012-10-18 Thread George Spelvin
The micturator of the Holy Penguin Pee spake: (Side note: I hope people realize that the random key is generated with a 100-year lifespan. So if you build a kernel today, you do potentially have a year-2112 problem. I'm not horribly worried, but I *am* a bit worried about 32-bit time_t

Re: RFC: sign the modules at install time

2012-10-18 Thread Rusty Russell
Linus Torvalds torva...@linux-foundation.org writes: So signing is the nice flexible option, and technically the right thing to do. Meh It's 52k of extra text to get that 'nice flexible'; 1% of my kernel image. That's a lot of bug free code. (Side note: I hope people realize that the

Re: RFC: sign the modules at install time

2012-10-18 Thread Rusty Russell
Josh Boyer jwbo...@gmail.com writes: It might even be able to be moved entirely into scripts/Makefile.modinst but I haven't gotten that far yet. Thanks, I'll add this. Note it was word-wrapped here though :( Cheers, Rusty.

Re: RFC: sign the modules at install time

2012-10-18 Thread Rusty Russell
Josh Boyer jwbo...@gmail.com writes: On Thu, Oct 18, 2012 at 2:46 PM, Linus Torvalds torva...@linux-foundation.org wrote: On Wed, Oct 17, 2012 at 10:34 PM, Rusty Russell ru...@rustcorp.com.au wrote: Hacking the keyid and signer-name to be extracted every time by sign-file takes my

Re: RFC: sign the modules at install time

2012-10-18 Thread Rusty Russell
Linus Torvalds torva...@linux-foundation.org writes: On Wed, Oct 17, 2012 at 10:34 PM, Rusty Russell ru...@rustcorp.com.au wrote: Hacking the keyid and signer-name to be extracted every time by sign-file takes my modules_install time from 18.6 seconds to 19.1. We'd get that back easily by

Re: RFC: sign the modules at install time

2012-10-18 Thread Stephen Rothwell
Hi Rusty, On Fri, 19 Oct 2012 11:53:15 +1030 Rusty Russell ru...@rustcorp.com.au wrote: Linus Torvalds torva...@linux-foundation.org writes: On Wed, Oct 17, 2012 at 10:34 PM, Rusty Russell ru...@rustcorp.com.au wrote: Hacking the keyid and signer-name to be extracted every time by

Re: RFC: sign the modules at install time

2012-10-17 Thread Rusty Russell
Linus Torvalds writes: > On Wed, Oct 17, 2012 at 6:17 PM, Rusty Russell wrote: >> >> You cut too much: you need genkeyid. > > Yeah, I sent out a fixed version later, but I much prefer your version > that generates those files earlier, not a "make modules_install". Still committing a minor crime

Re: RFC: sign the modules at install time

2012-10-17 Thread Rusty Russell
Linus Torvalds writes: > On Wed, Oct 17, 2012 at 3:19 PM, David Howells wrote: >> >> It's probably even better to just get rid of all the automatic module signing >> stuff completely and leave the sign-file script for the builder to use >> manually. The module verification code will still be

Re: RFC: sign the modules at install time

2012-10-17 Thread Rusty Russell
Linus Torvalds writes: >Ta-daa, you have your debuginfo modules installed, and they are > signed. Create the debuginfo rpm. > > - now, strip the modules. This obviously destroys the signatures Note this doesn't remove them. You'll need something like: dd if=$k of=$k.nosig bs=$(grep -cba

Re: RFC: sign the modules at install time

2012-10-17 Thread Rusty Russell
Linus Torvalds writes: > On Wed, Oct 17, 2012 at 5:54 PM, Greg KH wrote: >>> >>> One of the main sane use-cases for module signing is: >>> >>> - CONFIG_CHECK_SIGNATURE=y >>> - randomly generated one-time key >>> - "make modules_install; make install" >>> - "make clean" to get rid of the

Re: RFC: sign the modules at install time

2012-10-17 Thread Linus Torvalds
On Wed, Oct 17, 2012 at 6:17 PM, Rusty Russell wrote: > > You cut too much: you need genkeyid. Yeah, I sent out a fixed version later, but I much prefer your version that generates those files earlier, not a "make modules_install". [ Btw, your email "Date:" field is from 2+ hours ago, but it

Re: RFC: sign the modules at install time

2012-10-17 Thread Linus Torvalds
On Wed, Oct 17, 2012 at 8:14 PM, Linus Torvalds wrote: > > Oh, yes, we should make sure the key file gets cleaned up at "make clean". Ooh, double-checked. Actually, we have documented "make clean" to leave around "enough build support to build external modules". So technically, I guess what we

Re: RFC: sign the modules at install time

2012-10-17 Thread Rusty Russell
Linus Torvalds writes: > This was based on the complaint from Davem that the "make > allmodconfig" build got way slower because module signing takes a > while. > > And quite frankly, the whole "extra strip and sign" thing at modpost > time was just nasty ugly code. > > Why don't we do something

Re: RFC: sign the modules at install time

2012-10-17 Thread Linus Torvalds
On Wed, Oct 17, 2012 at 5:54 PM, Greg KH wrote: >> >> One of the main sane use-cases for module signing is: >> >> - CONFIG_CHECK_SIGNATURE=y >> - randomly generated one-time key >> - "make modules_install; make install" >> - "make clean" to get rid of the keys. >> - reboot. > > I want that

Re: RFC: sign the modules at install time

2012-10-17 Thread Greg KH
On Wed, Oct 17, 2012 at 03:44:28PM -0700, Linus Torvalds wrote: > On Wed, Oct 17, 2012 at 3:19 PM, David Howells wrote: > > > > It's probably even better to just get rid of all the automatic module > > signing > > stuff completely and leave the sign-file script for the builder to use > >

Re: RFC: sign the modules at install time

2012-10-17 Thread Josh Boyer
On Wed, Oct 17, 2012 at 7:21 PM, Linus Torvalds wrote: > On Wed, Oct 17, 2012 at 4:07 PM, Linus Torvalds > wrote: >> >> Hmm. It *should* work for them too, because the debuginfo modules stay >> around in the object tree, and never get stripped there. None of this >> is different from what we

Re: RFC: sign the modules at install time

2012-10-17 Thread Linus Torvalds
On Wed, Oct 17, 2012 at 4:44 PM, Linus Torvalds wrote: > > I'll send out a fixed patch asap, Ok, this is not pretty, and I think it generates the .signer and .keyid files at the wrong time. I do the kernel build as a regular user, and just "make install" as root, and now it generates those

Re: RFC: sign the modules at install time

2012-10-17 Thread Linus Torvalds
On Wed, Oct 17, 2012 at 4:25 PM, Linus Torvalds wrote: > > It really should work fine with the much simplified module-signing > rules too. Actually, my "much simplified modules-install" is a bit broken. It worked for me last time (I'm running that kernel and modules now), but I just triggered

Re: RFC: sign the modules at install time

2012-10-17 Thread Linus Torvalds
On Wed, Oct 17, 2012 at 4:20 PM, Josh Boyer wrote: > > Debuginfo is run on the installed tree ($RPM_BUILD_ROOT), not the > object tree. It's how RPM works. It kind of has to because it should > only create debuginfo files for files that are actually installed by > the RPM. Yeah, I just read

Re: RFC: sign the modules at install time

2012-10-17 Thread Linus Torvalds
On Wed, Oct 17, 2012 at 4:07 PM, Linus Torvalds wrote: > > Hmm. It *should* work for them too, because the debuginfo modules stay > around in the object tree, and never get stripped there. None of this > is different from what we used to do before: we stripped the modules > as we copied them to

Re: RFC: sign the modules at install time

2012-10-17 Thread Josh Boyer
On Wed, Oct 17, 2012 at 7:07 PM, Linus Torvalds wrote: > On Wed, Oct 17, 2012 at 3:26 PM, Josh Boyer wrote: >> >> The downside is that it won't work for distros. Or at least the distros >> using RPM's debuginfo subpackage mechanism. > > Hmm. It *should* work for them too, because the debuginfo

Re: RFC: sign the modules at install time

2012-10-17 Thread Linus Torvalds
On Wed, Oct 17, 2012 at 3:26 PM, Josh Boyer wrote: > > The downside is that it won't work for distros. Or at least the distros > using RPM's debuginfo subpackage mechanism. Hmm. It *should* work for them too, because the debuginfo modules stay around in the object tree, and never get stripped

Re: RFC: sign the modules at install time

2012-10-17 Thread Linus Torvalds
On Wed, Oct 17, 2012 at 3:19 PM, David Howells wrote: > > It's probably even better to just get rid of all the automatic module signing > stuff completely and leave the sign-file script for the builder to use > manually. The module verification code will still be present. That's just disgusting

Re: RFC: sign the modules at install time

2012-10-17 Thread Josh Boyer
On Wed, Oct 17, 2012 at 4:36 PM, Linus Torvalds wrote: > This was based on the complaint from Davem that the "make > allmodconfig" build got way slower because module signing takes a > while. > > And quite frankly, the whole "extra strip and sign" thing at modpost > time was just nasty ugly code.

Re: RFC: sign the modules at install time

2012-10-17 Thread David Howells
Linus Torvalds wrote: > This was based on the complaint from Davem that the "make > allmodconfig" build got way slower because module signing takes a > while. > > And quite frankly, the whole "extra strip and sign" thing at modpost > time was just nasty ugly code. > > Why don't we do

RFC: sign the modules at install time

2012-10-17 Thread Linus Torvalds
This was based on the complaint from Davem that the "make allmodconfig" build got way slower because module signing takes a while. And quite frankly, the whole "extra strip and sign" thing at modpost time was just nasty ugly code. Why don't we do something *much* simpler? We already have a

RFC: sign the modules at install time

2012-10-17 Thread Linus Torvalds
This was based on the complaint from Davem that the make allmodconfig build got way slower because module signing takes a while. And quite frankly, the whole extra strip and sign thing at modpost time was just nasty ugly code. Why don't we do something *much* simpler? We already have a

Re: RFC: sign the modules at install time

2012-10-17 Thread David Howells
Linus Torvalds torva...@linux-foundation.org wrote: This was based on the complaint from Davem that the make allmodconfig build got way slower because module signing takes a while. And quite frankly, the whole extra strip and sign thing at modpost time was just nasty ugly code. Why

Re: RFC: sign the modules at install time

2012-10-17 Thread Josh Boyer
On Wed, Oct 17, 2012 at 4:36 PM, Linus Torvalds torva...@linux-foundation.org wrote: This was based on the complaint from Davem that the make allmodconfig build got way slower because module signing takes a while. And quite frankly, the whole extra strip and sign thing at modpost time was

Re: RFC: sign the modules at install time

2012-10-17 Thread Linus Torvalds
On Wed, Oct 17, 2012 at 3:19 PM, David Howells dhowe...@redhat.com wrote: It's probably even better to just get rid of all the automatic module signing stuff completely and leave the sign-file script for the builder to use manually. The module verification code will still be present. That's

Re: RFC: sign the modules at install time

2012-10-17 Thread Linus Torvalds
On Wed, Oct 17, 2012 at 3:26 PM, Josh Boyer jwbo...@gmail.com wrote: The downside is that it won't work for distros. Or at least the distros using RPM's debuginfo subpackage mechanism. Hmm. It *should* work for them too, because the debuginfo modules stay around in the object tree, and never

Re: RFC: sign the modules at install time

2012-10-17 Thread Josh Boyer
On Wed, Oct 17, 2012 at 7:07 PM, Linus Torvalds torva...@linux-foundation.org wrote: On Wed, Oct 17, 2012 at 3:26 PM, Josh Boyer jwbo...@gmail.com wrote: The downside is that it won't work for distros. Or at least the distros using RPM's debuginfo subpackage mechanism. Hmm. It *should* work

Re: RFC: sign the modules at install time

2012-10-17 Thread Linus Torvalds
On Wed, Oct 17, 2012 at 4:07 PM, Linus Torvalds torva...@linux-foundation.org wrote: Hmm. It *should* work for them too, because the debuginfo modules stay around in the object tree, and never get stripped there. None of this is different from what we used to do before: we stripped the modules

Re: RFC: sign the modules at install time

2012-10-17 Thread Linus Torvalds
On Wed, Oct 17, 2012 at 4:20 PM, Josh Boyer jwbo...@gmail.com wrote: Debuginfo is run on the installed tree ($RPM_BUILD_ROOT), not the object tree. It's how RPM works. It kind of has to because it should only create debuginfo files for files that are actually installed by the RPM. Yeah, I

Re: RFC: sign the modules at install time

2012-10-17 Thread Linus Torvalds
On Wed, Oct 17, 2012 at 4:25 PM, Linus Torvalds torva...@linux-foundation.org wrote: It really should work fine with the much simplified module-signing rules too. Actually, my much simplified modules-install is a bit broken. It worked for me last time (I'm running that kernel and modules

Re: RFC: sign the modules at install time

2012-10-17 Thread Linus Torvalds
On Wed, Oct 17, 2012 at 4:44 PM, Linus Torvalds torva...@linux-foundation.org wrote: I'll send out a fixed patch asap, Ok, this is not pretty, and I think it generates the .signer and .keyid files at the wrong time. I do the kernel build as a regular user, and just make install as root, and

Re: RFC: sign the modules at install time

2012-10-17 Thread Josh Boyer
On Wed, Oct 17, 2012 at 7:21 PM, Linus Torvalds torva...@linux-foundation.org wrote: On Wed, Oct 17, 2012 at 4:07 PM, Linus Torvalds torva...@linux-foundation.org wrote: Hmm. It *should* work for them too, because the debuginfo modules stay around in the object tree, and never get stripped

Re: RFC: sign the modules at install time

2012-10-17 Thread Greg KH
On Wed, Oct 17, 2012 at 03:44:28PM -0700, Linus Torvalds wrote: On Wed, Oct 17, 2012 at 3:19 PM, David Howells dhowe...@redhat.com wrote: It's probably even better to just get rid of all the automatic module signing stuff completely and leave the sign-file script for the builder to use

Re: RFC: sign the modules at install time

2012-10-17 Thread Linus Torvalds
On Wed, Oct 17, 2012 at 5:54 PM, Greg KH gre...@linuxfoundation.org wrote: One of the main sane use-cases for module signing is: - CONFIG_CHECK_SIGNATURE=y - randomly generated one-time key - make modules_install; make install - make clean to get rid of the keys. - reboot. I want

Re: RFC: sign the modules at install time

2012-10-17 Thread Rusty Russell
Linus Torvalds torva...@linux-foundation.org writes: This was based on the complaint from Davem that the make allmodconfig build got way slower because module signing takes a while. And quite frankly, the whole extra strip and sign thing at modpost time was just nasty ugly code. Why don't

Re: RFC: sign the modules at install time

2012-10-17 Thread Linus Torvalds
On Wed, Oct 17, 2012 at 8:14 PM, Linus Torvalds torva...@linux-foundation.org wrote: Oh, yes, we should make sure the key file gets cleaned up at make clean. Ooh, double-checked. Actually, we have documented make clean to leave around enough build support to build external modules. So

Re: RFC: sign the modules at install time

2012-10-17 Thread Linus Torvalds
On Wed, Oct 17, 2012 at 6:17 PM, Rusty Russell ru...@rustcorp.com.au wrote: You cut too much: you need genkeyid. Yeah, I sent out a fixed version later, but I much prefer your version that generates those files earlier, not a make modules_install. [ Btw, your email Date: field is from 2+ hours

Re: RFC: sign the modules at install time

2012-10-17 Thread Rusty Russell
Linus Torvalds torva...@linux-foundation.org writes: On Wed, Oct 17, 2012 at 5:54 PM, Greg KH gre...@linuxfoundation.org wrote: One of the main sane use-cases for module signing is: - CONFIG_CHECK_SIGNATURE=y - randomly generated one-time key - make modules_install; make install - make

Re: RFC: sign the modules at install time

2012-10-17 Thread Rusty Russell
Linus Torvalds torva...@linux-foundation.org writes: Ta-daa, you have your debuginfo modules installed, and they are signed. Create the debuginfo rpm. - now, strip the modules. This obviously destroys the signatures Note this doesn't remove them. You'll need something like: dd if=$k

Re: RFC: sign the modules at install time

2012-10-17 Thread Rusty Russell
Linus Torvalds torva...@linux-foundation.org writes: On Wed, Oct 17, 2012 at 3:19 PM, David Howells dhowe...@redhat.com wrote: It's probably even better to just get rid of all the automatic module signing stuff completely and leave the sign-file script for the builder to use manually. The

Re: RFC: sign the modules at install time

2012-10-17 Thread Rusty Russell
Linus Torvalds torva...@linux-foundation.org writes: On Wed, Oct 17, 2012 at 6:17 PM, Rusty Russell ru...@rustcorp.com.au wrote: You cut too much: you need genkeyid. Yeah, I sent out a fixed version later, but I much prefer your version that generates those files earlier, not a make