On Wed, Mar 6, 2013 at 9:14 PM, Peter Stuge <peter@×××××.se> wrote:

> Carlos Silva wrote:
> > > > If one wants to create a key himself, it's also possible to use this
> > > > key, he just has to name it signing_key.priv and signing_key.x509 and
> > > > put it under /usr/src/linux.
> > >
> > > Do you know if this is a sane default?
> > >
> > > Where do most users of signed modules store keys so far?
> >
> > It's where the kernel build system picks them.
>
> Are you sure? I find that hard to believe. Even if I tell an external
> module to build against a source tree in ~/linux/ the Makefiles will
> go to look for the keys in /usr/src/linux/ ?
>

OK, my bad here. The kernel build system looks for them in the root of the
kernel source.
To build modules, they can be anywhere as long as you have the correct path
set in make.conf:
KERNEL_MODSECKEY="/path/to/privkey"
KERNEL_MODPUBKEY="/path/to/pubkey"

This only works for modules.


> They only have to be there to build the kernel, nothing else.
>
> I'm not talking about end users, by users I mean those who use the
> key files to build kernels and modules.
>

See above. I even read online that a best practice would be to generate a
new set of keys on every kernel build, actually deleting the keys after the
kernel and external modules are compiled.
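The per-build ephemeral key practice mentioned above, as an added example that is not code from the thread, from Gentoo or from the kernel tree: it assumes a kernel (3.7 or later) built with CONFIG_MODULE_SIG that reads signing_key.priv and signing_key.x509 from its source root, openssl on PATH, and the make.conf variables named in the thread; the x509.genkey subject fields are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): ephemeral module-signing keys for one kernel build.
# Assumptions: kernel >= 3.7 with CONFIG_MODULE_SIG, openssl on PATH, keys read from the
# kernel source root as signing_key.priv / signing_key.x509 (the names used in the thread).

# Write an OpenSSL request config in the style of the kernel's own x509.genkey
# (organisation and CN below are constructed placeholders).
write_genkey_cfg() {
    cat > "$1" <<'EOF'
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts
[ req_distinguished_name ]
O = Example Build Host
CN = Ephemeral module signing key
[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
}

# Generate a fresh key pair in the kernel source root. umask 077 keeps the private
# key readable by the build user only; it exists only until shred_modkeys runs.
gen_ephemeral_modkeys() {
    ksrc=$1
    write_genkey_cfg "$ksrc/x509.genkey"
    (umask 077; openssl req -new -nodes -utf8 -sha256 -days 36500 -batch -x509 \
        -config "$ksrc/x509.genkey" -outform DER \
        -out "$ksrc/signing_key.x509" -keyout "$ksrc/signing_key.priv") >/dev/null 2>&1
    [ -s "$ksrc/signing_key.priv" ] && [ -s "$ksrc/signing_key.x509" ]
}

# Emit the two make.conf lines from the thread, pointing at the keys just generated,
# so external modules built through the eclass sign with the same key as the kernel.
make_conf_fragment() {
    printf 'KERNEL_MODSECKEY="%s/signing_key.priv"\nKERNEL_MODPUBKEY="%s/signing_key.x509"\n' "$1" "$1"
}

# Destroy the private key (shred where available) once kernel and modules are built;
# the public half and the request config are no longer needed either.
shred_modkeys() {
    if command -v shred >/dev/null 2>&1; then shred -u "$1/signing_key.priv"; else rm -f "$1/signing_key.priv"; fi
    rm -f "$1/signing_key.x509" "$1/x509.genkey"
}
```

Typical order is gen_ephemeral_modkeys "$KSRC" before the kernel build, the output of make_conf_fragment "$KSRC" appended to make.conf while the external modules are emerged, then shred_modkeys "$KSRC" so no long-lived signing key remains on the build host.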