- Sep 25, 2015
David Howells authored
Remove headers #included unnecessarily from extract-cert.c lest they cause compilation of the tool to fail against an older OpenSSL library.

Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: David Woodhouse <David.Woodhouse@intel.com>
- Sep 15, 2015
David Woodhouse authored
The GPL does not permit us to link against the OpenSSL library. Use LGPL for sign-file and extract-file instead.

[ The whole "openssl isn't compatible with gpl" is really just fear-mongering, but there's no reason not to make modsign LGPL, so nobody cares. - Linus ]

Reported-by: Julian Andres Klode <jak@jak-linux.org>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Julian Andres Klode <jak@jak-linux.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
- Sep 11, 2015
David Howells authored
Fix the following warning when compiling extract-cert:

    scripts/extract-cert.c: In function `write_cert':
    scripts/extract-cert.c:89:2: warning: format not a string literal and no format arguments [-Wformat-security]
      ERR(!i2d_X509_bio(wb, x509), cert_dst);
      ^

whereby the ERR() macro is taking cert_dst as the format string. "%s" should be used as the format string as the path could contain special characters.

Signed-off-by: David Howells <dhowells@redhat.com>
Reported-by: Jim Davis <jim.epost@gmail.com>
Acked-by: David Woodhouse <david.woodhouse@intel.com>
Cc: James Morris <jmorris@namei.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
- Aug 12, 2015
David Woodhouse authored
This is not required for the module signing key, although it doesn't do any harm — it just means that any additional certs in the PEM file are also trusted by the kernel. But it does allow us to use the extract-cert tool for processing the extra certs from CONFIG_SYSTEM_TRUSTED_KEYS, instead of that horrid awk|base64 hack.

Also cope with being invoked with no input file, creating an empty output file as a result.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: David Howells <dhowells@redhat.com>
- Aug 07, 2015
David Woodhouse authored
Where an external PEM file or PKCS#11 URI is given, we can get the cert from it for ourselves instead of making the user drop signing_key.x509 in place for us.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: David Howells <dhowells@redhat.com>