MODSIGN: Add option to not sign modules during modules_install

To allow the builder to sign only a subset of modules, or to sign the modules using a key that is not available on the build machine, add CONFIG_MODULE_SIG_ALL. If this option is unset, no modules will be signed during build. The default is 'y', to preserve the current behavior. Signed-off-by: Michal Marek <mmarek@suse.cz> Acked-by: David Howells <dhowells@redhat.com> Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>

MODSIGN: Add option to not sign modules during modules_install
To allow the builder to sign only a subset of modules, or to sign the modules using a key that is not available on the build machine, add CONFIG_MODULE_SIG_ALL. If this option is unset, no modules will be signed during build. The default is 'y', to preserve the current behavior. Signed-off-by: Michal Marek <mmarek@suse.cz> Acked-by: David Howells <dhowells@redhat.com> Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Michal Marek · Rusty Russell
1 parent 1c37c054a7
Showing 2 changed files with 12 additions and 1 deletions Side-by-side Diff
Makefile
init/Kconfig
@@ -719,7 +719,7 @@
 export mod_strip_cmd
  
  
-ifeq ($(CONFIG_MODULE_SIG),y)
+ifdef CONFIG_MODULE_SIG_ALL
 MODSECKEY = ./signing_key.priv
 MODPUBKEY = ./signing_key.x509
 export MODPUBKEY
@@ -1665,6 +1665,17 @@
 	  Reject unsigned modules or signed modules for which we don't have a
 	  key.  Without this, such modules will simply taint the kernel.
  
+config MODULE_SIG_ALL
+	bool "Automatically sign all modules"
+	default y
+	depends on MODULE_SIG
+	help
+	  Sign all modules during make modules_install. Without this option,
+	  modules must be signed manually, using the scripts/sign-file tool.
+
+comment "Do not forget to sign required modules with scripts/sign-file"
+	depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL
+
 choice
 	prompt "Which hash algorithm should modules be signed with?"
 	depends on MODULE_SIG
...	...	@@ -719,7 +719,7 @@
719	719	export mod_strip_cmd
720	720
721	721
722		-ifeq ($(CONFIG_MODULE_SIG),y)
	722	+ifdef CONFIG_MODULE_SIG_ALL
723	723	MODSECKEY = ./signing_key.priv
724	724	MODPUBKEY = ./signing_key.x509
725	725	export MODPUBKEY
...	...	@@ -1665,6 +1665,17 @@
1665	1665	Reject unsigned modules or signed modules for which we don't have a
1666	1666	key. Without this, such modules will simply taint the kernel.
1667	1667
	1668	+config MODULE_SIG_ALL
	1669	+ bool "Automatically sign all modules"
	1670	+ default y
	1671	+ depends on MODULE_SIG
	1672	+ help
	1673	+ Sign all modules during make modules_install. Without this option,
	1674	+ modules must be signed manually, using the scripts/sign-file tool.
	1675	+
	1676	+comment "Do not forget to sign required modules with scripts/sign-file"
	1677	+ depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL
	1678	+
1668	1679	choice
1669	1680	prompt "Which hash algorithm should modules be signed with?"
1670	1681	depends on MODULE_SIG