| 1 |
On Wed, Mar 6, 2013 at 9:14 PM, Peter Stuge <peter@×××××.se> wrote: |
| 2 |
|
| 3 |
> Carlos Silva wrote: |
| 4 |
> > > > If one wants to create a key himself, it's also possible to use this |
| 5 |
> > > > key, he just has to name it signing_key.priv and siging_key.x509 and |
| 6 |
> > > > put it under /usr/src/linux. |
| 7 |
> > > |
| 8 |
> > > Do you know if this is a sane default? |
| 9 |
> > > |
| 10 |
> > > Where do most users of signed modules store keys so far? |
| 11 |
> > |
| 12 |
> > It's where the kernel build system picks them. |
| 13 |
> |
| 14 |
> Are you sure? I find that hard to believe? Even if I tell an external |
| 15 |
> module to build against a source tree in ~/linux/ the Makefiles will |
| 16 |
> go to look for the keys in /usr/src/linux/ ? |
| 17 |
> |
| 18 |
|
| 19 |
OK, my bad here. The kernel build system looks for them on the root of the |
| 20 |
kernel source. |
| 21 |
To build modules, they can be anywhere as long as you have the correct path |
| 22 |
set on make.conf: |
| 23 |
KERNEL_MODSECKEY="/path/to/privkey" |
| 24 |
KERNEL_MODPUBKEY="/path/to/pubkey" |
| 25 |
|
| 26 |
This only works for modules. |
| 27 |
|
| 28 |
|
| 29 |
> They only have to be there to build the kernel, nothing else. |
| 30 |
> |
| 31 |
> I'm not talking about end users, by users I mean those who use the |
| 32 |
> key files to build kernels and modules. |
| 33 |
> |
| 34 |
|
| 35 |
See above. I even read online that a best practice would be to generate a |
| 36 |
new set of keys on every kernel build actually deleting the keys after the |
| 37 |
kernel and external modules are compiled. |
Archives