Age | Commit message (Collapse) | Author |
|
Move to using PKCS#7 messages as module signatures because:
(1) We have to be able to support the use of X.509 certificates that don't
have a subjKeyId set. We're currently relying on this to look up the
X.509 certificate in the trusted keyring list.
(2) PKCS#7 message signed information blocks have a field that supplies the
data required to match with the X.509 certificate that signed it.
(3) The PKCS#7 certificate carries fields that specify the digest algorithm
used to generate the signature in a standardised way and the X.509
certificates specify the public key algorithm in a standardised way - so
we don't need our own methods of specifying these.
(4) We now have PKCS#7 message support in the kernel for signed kexec purposes
and we can make use of this.
To make this work, the old sign-file script has been replaced with a program
that needs compiling in a previous patch. The rules to build it are added
here.
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Vivek Goyal <vgoyal@redhat.com>
|
|
This patch fix spelling typo in printk.
Signed-off-by: Masanari Iida <standby24x7@gmail.com>
Acked-by: Geert Uytterhoeven <geert@linux-m68k.org>
Acked-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
|
This option allows to append an externally computed singature to the
module. This is needed in setups, where the private key is not directly
available, but a service exists that returns signatures for given files.
Signed-off-by: Michal Marek <mmarek@suse.cz>
Acked-by: David Howells <dhowells@redhat.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
|
|
Make the script usable without a .config file.
Signed-off-by: Michal Marek <mmarek@suse.cz>
Acked-by: David Howells <dhowells@redhat.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
|
|
There have the following warning message when running modules install
for sign ko files:
# make modules_install
...
INSTALL drivers/input/touchscreen/pcap_ts.ko
Found = in conditional, should be == at scripts/sign-file line 164.
Found = in conditional, should be == at scripts/sign-file line 161.
Found = in conditional, should be == at scripts/sign-file line 159.
This patch change replace '=' by '==' in elsif conditions for avoid the
above warning messages.
Signed-off-by: Chun-Yi Lee <jlee@suse.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
Emit the magic string that indicates a module has a signature after the
signature data instead of before it. This allows module_sig_check() to
be made simpler and faster by the elimination of the search for the
magic string. Instead we just need to do a single memcmp().
This works because at the end of the signature data there is the
fixed-length signature information block. This block then falls
immediately prior to the magic number.
From the contents of the information block, it is trivial to calculate
the size of the signature data and thus the size of the actual module
data.
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
Turn sign-file into perl and merge in x509keyid. The latter doesn't
need to be a separate script as it doesn't actually need to work out the
SHA1 sum of the X.509 certificate itself, since it can get that from the
X.509 certificate.
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
Rusty had clearly not actually tested his module signing changes that I
(trustingly) applied as commit e2a666d52b48 ("kbuild: sign the modules
at install time"). That commit had multiple bugs:
- using "${#VARIABLE}" to get the number of characters in a shell
variable may look clever, but it's locale-dependent: it returns the
number of *characters*, not bytes. And we do need bytes.
So don't use "${#..}" expansion, do the stupid "wc -c" thing instead
(where "c" stands for "bytes", not "characters", despite the letter.
- Rusty had confused "siglen" and "signerlen", and his conversion
didn't set "signerlen" at all, and incorrectly set "siglen" to the
size of the signer, not the size of the signature.
End result: the modified sign-file script did create something that
superficially *looked* like a signature, but didn't actually work at
all, and would fail the signature check. Oops.
Tssk, tssk, Rusty.
But Rusty was definitely right that this whole thing should be rewritten
in perl by somebody who has the perl-fu to do so. That is not me,
though - I'm just doing an emergency fix for the shell script.
Cc: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
Linus deleted the old code and put signing on the install command,
I fixed it to extract the keyid and signer-name within sign-file
and cleaned up that script now it always signs in-place.
Some enthusiast should convert sign-key to perl and pull
x509keyid into it.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
If CONFIG_MODULE_SIG is set, then this patch will cause all modules files to
to have signatures added. The following steps will occur:
(1) The module will be linked to foo.ko.unsigned instead of foo.ko
(2) The module will be stripped using both "strip -x -g" and "eu-strip" to
ensure minimal size for inclusion in an initramfs.
(3) The signature will be generated on the stripped module.
(4) The signature will be appended to the module, along with some information
about the signature and a magic string that indicates the presence of the
signature.
Step (3) requires private and public keys to be available. By default these
are expected to be found in files:
signing_key.priv
signing_key.x509
in the base directory of the build. The first is the private key in PEM form
and the second is the X.509 certificate in DER form as can be generated from
openssl:
openssl req \
-new -x509 -outform PEM -out signing_key.x509 \
-keyout signing_key.priv -nodes \
-subj "/CN=H2G2/O=Magrathea/CN=Slartibartfast"
If the secret key is not found then signing will be skipped and the unsigned
module from (1) will just be copied to foo.ko.
If signing occurs, lines like the following will be seen:
LD [M] fs/foo/foo.ko.unsigned
STRIP [M] fs/foo/foo.ko.stripped
SIGN [M] fs/foo/foo.ko
will appear in the build log. If the signature step will be skipped and the
following will be seen:
LD [M] fs/foo/foo.ko.unsigned
STRIP [M] fs/foo/foo.ko.stripped
NO SIGN [M] fs/foo/foo.ko
NOTE! After the signature step, the signed module _must_not_ be passed through
strip. The unstripped, unsigned module is still available at the name on the
LD [M] line. This restriction may affect packaging tools (such as rpmbuild)
and initramfs composition tools.
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
|