Bug 38214 - Customize kernel module signing key
Status: NEW
Product: UCS
Classification: Unclassified
Component: Kernel
Version: UCS 4.2
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.x
Assigned To: UCS maintainers
Depends on: 36335
Blocks: 36383 39527
Reported: 2015-04-08 14:01 CEST by Philipp Hahn
Modified: 2018-04-14 14:09 CEST

What kind of report is it?: Development Internal
Description Philipp Hahn univentionstaff 2015-04-08 14:01:17 CEST
Our signed kernel modules use the default "Magrathea" key, which just looks strange.
We should generate a customized "Univention" key following <https://www.kernel.org/doc/Documentation/module-signing.txt> → "GENERATING SIGNING KEYS", as this (currently) generates some strange errors like
> kernel: Request for unknown module key 'Magrathea: Glacier signing key: ...' err -11

See end of kernel/Makefile: it is enough to provide a custom file x509.genkey.

+++ This bug was initially created as a clone of Bug #36335 +++
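
The approach described in the report above, as an added example that is not part of the original bug report or Univention's build code: a shell sketch that writes a custom `x509.genkey` in the layout given in the linked kernel documentation and, going one step beyond the report, generates and inspects the key pair by hand with `openssl`. The function names, output file names and the O/CN values are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not Univention's build code. Function names, file names and
# the O/CN values passed in are illustrative assumptions.

# write_genkey ORG CN FILE: write an openssl req config in the layout
# documented in module-signing.txt ("GENERATING SIGNING KEYS").
write_genkey() {
    cat > "$3" <<EOF
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts

[ req_distinguished_name ]
O = $1
CN = $2

[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
}

# gen_signing_key CONFIG PRIV X509: create the private key and a
# self-signed DER certificate from the config written above.
gen_signing_key() {
    ( umask 077   # keep the private key unreadable for other users
      openssl req -new -nodes -utf8 -sha256 -days 36500 -batch -x509 \
          -config "$1" -outform DER -out "$3" -keyout "$2" 2>/dev/null )
}

# key_subject X509: print the certificate subject (O and CN) for checking.
key_subject() {
    openssl x509 -inform DER -in "$1" -noout -subject
}

# Usage (constructed values):
#   write_genkey "Example Org" "Example module signing key" x509.genkey
#   gen_signing_key x509.genkey signing_key.priv signing_key.x509
#   key_subject signing_key.x509
```
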
Comment 1 Philipp Hahn univentionstaff 2016-02-11 09:12:55 CET
With dd2f6c4481debfa389c1f2b2b1d5bd6449c42611 (v3.18-rc1) but without e7c87bef7de2417b219d4dbfe8d33a0098a8df54 (v4.3-rc4) this breaks loading signed modules:
>  Request for unknown module key 'Build time autogenerated kernel key: 006416f63733d99e57be1fd3a06d66c85b9e2c23' err -11

I requested the inclusion of said patch into 3.18-4.2
Comment 2 Philipp Hahn univentionstaff 2017-04-21 10:53:17 CEST
This would allow us to build custom modules for already released kernels.
On the other hand NSA can't force us to give them a key we don't have.

FYI: The name was changed from "O=Magrathea,CN=Glacier signing key" to "CN = Build time autogenerated kernel key" by git:9c4249c8e0221e5cfae758d35b768aee84abf6c0