12:11 a.m.
I was building kernel 3.7-0.rc6.git.fc19 and during the build
I saw this:
Generating a 4096 bit RSA private key
.....................++
...........................................................................................................................................................................................++
writing new private key to 'signing_key.priv'
-----
###
### Key pair generated.
###
What's this for?
3:22 p.m.
On 11/27/2012 12:42 PM, JD wrote:
>
And that begs another question.
THWAP!
No, it doesn't. It *asks* another question. Begging the question
(http://en.wikipedia.org/wiki/Begging_the_question) is something
entirely different. Please, either learn what the term means or stop
using it!
4:50 p.m.
You used a technical term incorrectly. How is it a waste of
bandwidth
to correct you and show you how it should be used? Or is it simply that
you don't want to learn to use it correctly?
Well you please take your pointless arguing somewhere else. Especially if
you are going to start sentences with the word "or".
Alan
3:57 p.m.
Jared K. Smith wrote:
Yes, as I understand it the kernel key is used for module signing.
The most obvious new use for module signing is Secure Boot, so
that the kernel will only load modules signed with its key.
JD wrote:
If what you say is true, then the kernel config option
CONFIG_MODVERSIONS which is used for:
"Usually, you have to use modules compiled with your kernel.
Saying Y here makes it sometimes possible to use modules
compiled for different kernels, by adding enough information
to the modules to (hopefully) spot any changes which would
make them incompatible with the kernel you are running. If
unsure, say N."
will have to be removed
Module signing is not going to be a mandatory part of building the Linux
kernel (not least because it slows down the process of building kernels,
which is something kernel developers do a lot.)
Even if the modules are signed, that doesn’t mean that the kernel will
necessarily check the signatures. For example,
https://lwn.net/Articles/470906/ says that “the option of building a
kernel that will only allow modules that have been cryptographically
signed to be loaded … has been running in Fedora and RHEL kernels for
years.”
I presume that this option will be forced on if you’re booting in Secure
Boot mode, otherwise you will be able to enable it with something like
enforcemodulesig=1 on the kernel command line.
Hope this helps,
James.
--
E-mail: james@ | A: Because people don’t normally read bottom to top.
aprilcottage.co.uk | Q: Why is top-posting such a bad thing?
| A: Top-posting.
| Q: What is the most annoying thing in e-mail and usenet?
3:32 p.m.
On 11/27/2012 02:22 PM, Joe Zeff wrote:
On 11/27/2012 12:42 PM, JD wrote:
>>
> And that begs another question.
THWAP!
No, it doesn't. It *asks* another question. Begging the question
(http://en.wikipedia.org/wiki/Begging_the_question) is something
entirely different. Please, either learn what the term means or stop
using it!
What a waste of bandwidth :)
2:42 p.m.
On 11/27/2012 01:33 PM, Joe Zeff wrote:
On 11/27/2012 12:21 PM, Jared K. Smith wrote:
> Yes, as I understand it the kernel key is used for module signing.
> The most obvious new use for module signing is Secure Boot, so that
> the kernel will only load modules signed with its key.
Is there one key for each kernel version, or is it specific to the
installation? In the latter case, how do modules get signed when the
kernel updates? (Disclaimer: I'm not trying to start an argument over
module signing, I just want to learn a little more about how it works.)
And that
begs another question.
Will Fedora be signing the kernel and all it's modules?
If so, then every kernel version rpm distributed by Fedora
will have the same key for that particular version or will it
be the same key for all Fedora released kernel rpms?
2:38 p.m.
On 11/27/2012 01:21 PM, Jared K. Smith wrote:
On Tue, Nov 27, 2012 at 12:13 AM, Eddie G. O'Connor Jr.
<eoconnor25(a)gmail.com> wrote:
> Might this be the "UEFI" thing that I've been reading up about? I
> myself don't even understand how it works, but this sounds like
> something that MIGHT be related to that?...just my opinion....
Yes, as I understand it the kernel key is used for module signing. The
most obvious new use for module signing is Secure Boot, so that the
kernel will only load modules signed with its key. -- Jared Smith
If what you say
is true, then the kernel config option
CONFIG_MODVERSIONS which is used for:
"Usually, you have to use modules compiled with your kernel.
Saying Y here makes it sometimes possible to use modules
compiled for different kernels, by adding enough information
to the modules to (hopefully) spot any changes which would
make them incompatible with the kernel you are running. If
unsure, say N."
will have to be removed
2:33 p.m.
On 11/27/2012 12:21 PM, Jared K. Smith wrote:
Yes, as I understand it the kernel key is used for module signing.
The most obvious new use for module signing is Secure Boot, so that
the kernel will only load modules signed with its key.
Is there one key for each kernel version, or is it specific to the
installation? In the latter case, how do modules get signed when the
kernel updates? (Disclaimer: I'm not trying to start an argument over
module signing, I just want to learn a little more about how it works.)
2:21 p.m.
On Tue, Nov 27, 2012 at 12:13 AM, Eddie G. O'Connor Jr.
<eoconnor25(a)gmail.com> wrote:
Might this be the "UEFI" thing that I've been reading
up about? I myself
don't even understand how it works, but this sounds like something that
MIGHT be related to that?...just my opinion....
Yes, as I understand it the kernel key is used for module signing.
The most obvious new use for module signing is Secure Boot, so that
the kernel will only load modules signed with its key.
--
Jared Smith
11:13 p.m.
On 11/26/2012 01:59 AM, JD wrote:
On 11/25/2012 11:46 PM, Robert Moskowitz wrote:
>
> On 11/26/2012 01:11 AM, JD wrote:
>>
>> I was building kernel 3.7-0.rc6.git.fc19 and during the build
>> I saw this:
>>
>> Generating a 4096 bit RSA private key
>
> Only 4096???? Is that strong enough???? Shouldn't it be 8192? :)
>
>
>> .....................++
>>
...........................................................................................................................................................................................++
>>
>> writing new private key to 'signing_key.priv'
>> -----
>> ###
>> ### Key pair generated.
>> ###
>>
>>
>> What's this for?
>>
>
>
Don't ask me :)
Might this be the "UEFI" thing that I've been reading up about? I myself
don't even understand how it works, but this sounds like something that
MIGHT be related to that?...just my opinion....
EGO II
7:34 a.m.
2012/11/26 Christopher Svanefalk <christopher.svanefalk(a)gmail.com>
Linus is watching you.
Best,
Christopher Svanefalk
mob: +46762628251
skype: csvanefalk
On Mon, Nov 26, 2012 at 7:59 AM, JD <jd1008(a)gmail.com> wrote:
>
> On 11/25/2012 11:46 PM, Robert Moskowitz wrote:
>
>>
>> On 11/26/2012 01:11 AM, JD wrote:
>>
>>>
>>> I was building kernel 3.7-0.rc6.git.fc19 and during the build
>>> I saw this:
>>>
>>> Generating a 4096 bit RSA private key
>>>
>>
>> Only 4096???? Is that strong enough???? Shouldn't it be 8192? :)
>>
>>
>> .....................++
>>> ..............................**..............................**
>>> ..............................**..............................**
>>> ..............................**..............................**.......++
>>>
>>> writing new private key to 'signing_key.priv'
>>> -----
>>> ###
>>> ### Key pair generated.
>>> ###
>>>
>>>
>>> What's this for?
>>>
>>>
>>
>> Don't ask me :)
>
>
Maybe I'm wrong, but it is being done due to UEFI boot requirements
--
> users mailing list
> users(a)lists.fedoraproject.org
> To unsubscribe or change subscription options:
>
https://admin.fedoraproject.**org/mailman/listinfo/users<https://admin...
> Guidelines:
http://fedoraproject.org/wiki/**Mailing_list_guidelines<http://fedorap...
> Have a question? Ask away: http://ask.fedoraproject.org
>
--
users mailing list
users(a)lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
7:28 a.m.
Linus is watching you.
Best,
Christopher Svanefalk
mob: +46762628251
skype: csvanefalk
On Mon, Nov 26, 2012 at 7:59 AM, JD <jd1008(a)gmail.com> wrote:
On 11/25/2012 11:46 PM, Robert Moskowitz wrote:
>
> On 11/26/2012 01:11 AM, JD wrote:
>
>>
>> I was building kernel 3.7-0.rc6.git.fc19 and during the build
>> I saw this:
>>
>> Generating a 4096 bit RSA private key
>>
>
> Only 4096???? Is that strong enough???? Shouldn't it be 8192? :)
>
>
> .....................++
>> ..............................**..............................**
>> ..............................**..............................**
>> ..............................**..............................**.......++
>>
>> writing new private key to 'signing_key.priv'
>> -----
>> ###
>> ### Key pair generated.
>> ###
>>
>>
>> What's this for?
>>
>>
>
> Don't ask me :)
--
users mailing list
users(a)lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.**org/mailman/listinfo/users<https://admin...
Guidelines:
http://fedoraproject.org/wiki/**Mailing_list_guidelines<http://fedorap...
Have a question? Ask away: http://ask.fedoraproject.org
12:59 a.m.
On 11/25/2012 11:46 PM, Robert Moskowitz wrote:
On 11/26/2012 01:11 AM, JD wrote:
>
> I was building kernel 3.7-0.rc6.git.fc19 and during the build
> I saw this:
>
> Generating a 4096 bit RSA private key
Only 4096???? Is that strong enough???? Shouldn't it be 8192? :)
> .....................++
>
...........................................................................................................................................................................................++
>
> writing new private key to 'signing_key.priv'
> -----
> ###
> ### Key pair generated.
> ###
>
>
> What's this for?
>
Don't ask me :)
12:46 a.m.
On 11/26/2012 01:11 AM, JD wrote:
I was building kernel 3.7-0.rc6.git.fc19 and during the build
I saw this:
Generating a 4096 bit RSA private key
Only 4096???? Is that strong enough???? Shouldn't it be 8192? :)
.....................++
...........................................................................................................................................................................................++
writing new private key to 'signing_key.priv'
-----
###
### Key pair generated.
###
What's this for?
3:39 p.m.
On 11/27/2012 01:32 PM, JD wrote:
On 11/27/2012 02:22 PM, Joe Zeff wrote:
> On 11/27/2012 12:42 PM, JD wrote:
>>>
>> And that begs another question.
>
> THWAP!
>
> No, it doesn't. It *asks* another question. Begging the question
> (http://en.wikipedia.org/wiki/Begging_the_question) is something
> entirely different. Please, either learn what the term means or stop
> using it!
What a waste of bandwidth :)
You used a technical term incorrectly. How is it a waste of bandwidth
to correct you and show you how it should be used? Or is it simply that
you don't want to learn to use it correctly?
4179
days inactive
4180
days old
14 comments
9 participants
participants (9)
-
Alan Cox -
Alchemist -
Christopher Svanefalk -
EGO-II.1 -
James Wilkinson -
Jared K. Smith -
JD -
Joe Zeff -
Robert Moskowitz