MODSIGN: Add option to not sign modules during modules_install

To allow the builder to sign only a subset of modules, or to sign the
modules using a key that is not available on the build machine, add
CONFIG_MODULE_SIG_ALL. If this option is unset, no modules will be
signed during build. The default is 'y', to preserve the current
behavior.

Signed-off-by: Michal Marek <mmarek@suse.cz>
Acked-by: David Howells <dhowells@redhat.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>

diff --git a/Makefile b/Makefile
index 77ea707d8543b89180aeed8f9199a64dd1415c9f..8e9f9efc5b3925aeaa45b678bd2fdb68c3e6b5d9 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -719,7 +719,7 @@ endif # INSTALL_MOD_STRIP
 export mod_strip_cmd
 
 
-ifeq ($(CONFIG_MODULE_SIG),y)
+ifdef CONFIG_MODULE_SIG_ALL
 MODSECKEY = ./signing_key.priv
 MODPUBKEY = ./signing_key.x509
 export MODPUBKEY

diff --git a/init/Kconfig b/init/Kconfig
index fff4cb1321c5ec843d5d679407061f1345537c1e..88f334fb403b8efa279cdcc96fe527303d8cbdb4 100644 (file)
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1665,6 +1665,17 @@ config MODULE_SIG_FORCE
          Reject unsigned modules or signed modules for which we don't have a
          key.  Without this, such modules will simply taint the kernel.
 
+config MODULE_SIG_ALL
+       bool "Automatically sign all modules"
+       default y
+       depends on MODULE_SIG
+       help
+         Sign all modules during make modules_install. Without this option,
+         modules must be signed manually, using the scripts/sign-file tool.
+
+comment "Do not forget to sign required modules with scripts/sign-file"
+       depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL
+
 choice
        prompt "Which hash algorithm should modules be signed with?"
        depends on MODULE_SIG