aboutsummaryrefslogtreecommitdiff
path: root/Documentation
diff options
context:
space:
mode:
authorDavid Woodhouse <David.Woodhouse@intel.com>2015-07-20 21:16:30 +0100
committerDavid Howells <dhowells@redhat.com>2015-08-07 16:26:14 +0100
commit1329e8cc69b93a0b1bc6d197b30dcff628c18dbf (patch)
treec468b5fe99777d0e5072b1bc41f43ef47253cf8e /Documentation
parent19e91b69d77bab16405cc284b451378e89a4110c (diff)
downloadlinux-stericsson-1329e8cc69b93a0b1bc6d197b30dcff628c18dbf.tar.gz
modsign: Extract signing cert from CONFIG_MODULE_SIG_KEY if needed
Where an external PEM file or PKCS#11 URI is given, we can get the cert from it for ourselves instead of making the user drop signing_key.x509 in place for us. Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Signed-off-by: David Howells <dhowells@redhat.com>
Diffstat (limited to 'Documentation')
-rw-r--r--Documentation/module-signing.txt11
1 files changed, 5 insertions, 6 deletions
diff --git a/Documentation/module-signing.txt b/Documentation/module-signing.txt
index 84597c7ea175..693001920890 100644
--- a/Documentation/module-signing.txt
+++ b/Documentation/module-signing.txt
@@ -93,17 +93,16 @@ This has a number of options available:
Setting this option to something other than its default of
"signing_key.priv" will disable the autogeneration of signing keys and
allow the kernel modules to be signed with a key of your choosing.
- The string provided should identify a file containing a private key
- in PEM form, or — on systems where the OpenSSL ENGINE_pkcs11 is
- appropriately installed — a PKCS#11 URI as defined by RFC7512.
+ The string provided should identify a file containing both a private
+ key and its corresponding X.509 certificate in PEM form, or — on
+ systems where the OpenSSL ENGINE_pkcs11 is functional — a PKCS#11 URI
+ as defined by RFC7512. In the latter case, the PKCS#11 URI should
+ reference both a certificate and a private key.
If the PEM file containing the private key is encrypted, or if the
PKCS#11 token requries a PIN, this can be provided at build time by
means of the KBUILD_SIGN_PIN variable.
- The corresponding X.509 certificate in DER form should still be placed
- in a file named signing_key.x509 in the top-level build directory.
-
=======================
GENERATING SIGNING KEYS