From: Rusty Russell <rusty@rustcorp.com.au>
Date: Tue, 2 Oct 2012 03:25:06 +0000 (+0930)
Subject: MODSIGN: fix expiry of auto-generated certificates on 32-bit systems
X-Git-Tag: next-20121003~46^2~1
X-Git-Url: https://git.karo-electronics.de/?a=commitdiff_plain;h=dc268ff7b3e68513946dc49eaf56961442f89794;p=karo-tx-linux.git

MODSIGN: fix expiry of auto-generated certificates on 32-bit systems

100-year certificates make time_t wrap, resulting in:

[    2.835272] X.509: Cert a94f6776f3f5483b0764011d1fcc6c0298362e63 has expired
[    2.836346] MODSIGN: Problem loading in-kernel X.509 certificate (-127)

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
---

diff --git a/kernel/Makefile b/kernel/Makefile
index e951adf93567..86336c922930 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -168,6 +168,13 @@ endif
 ifeq ($(sign_key_with_hash),)
 $(error Could not determine digest type to use from kernel config)
 endif
+ifeq ($(CONFIG_64BIT),y)
+# 100 years is beyond my best-before date, anyway.
+end_of_time_days=36500
+else
+# Until 32-bit time_t wraps, with some slack.
+end_of_time_days=$(shell expr \( 2147300000 - `date -u +%s` \) / 86400 )
+endif
 
 signing_key.priv signing_key.x509: x509.genkey
 	@echo "###"
@@ -180,7 +187,8 @@ signing_key.priv signing_key.x509: x509.genkey
 	@echo "###"
 	@echo "###     rngd -r /dev/hwrandom"
 	@echo "###"
-	openssl req -new -nodes -utf8 $(sign_key_with_hash) -days 36500 -batch \
+	openssl req -new -nodes -utf8 $(sign_key_with_hash) \
+		-days $(end_of_time_days) -batch \
 		-x509 -config x509.genkey \
 		-outform DER -out signing_key.x509 \
 		-keyout signing_key.priv