Hi James,
Can you pull this into security/next please? Its aim is twofold: firstly,
make the module signatures of PKCS#7/CMS format rather than a home-brewed
format and secondly to pave the way for use of the signing code for
firmware signatures (to follow later).
Note that the openssl-devel package is now a requirement for building the
kernel if module signing is enabled as the sign-file program now uses the
OpenSSL libraries directly rather than scripting calls to the openssl
program.
To this end, the patchset effects the following changes:
(1) Extracts both parts of an X.509 AuthorityKeyIdentifier (AKID)
extension. We already extract the bit that can match the
subjectKeyIdentifier (SKID) of the parent X.509 cert, but we currently
ignore the bits that can match the issuer and serialNumber.
Looks up an X.509 cert by issuer and serialNumber if those are
provided in the AKID. If the keyIdentifier is also provided, checks
that the subjectKeyIdentifier of the cert found matches that also.
If no issuer and serialNumber are provided in the AKID, looks up an
X.509 cert by SKID using the AKID keyIdentifier.
This allows module signing to be done with certificates that don't
have an SKID by which they can be looked up.
(2) Makes use of the PKCS#7 facility to provide module signatures.
sign-file is replaced with a program that generates a PKCS#7 message
that has no X.509 certs embedded and that has detached data (the
module content) and adds it onto the message with magic string and
descriptor.
(3) The PKCS#7 message supplies all the information that is needed to
select the X.509 cert to be used to verify the signature by standard
means (including selection of digest algorithm and public key
algorithm). No kernel-specific magic values are required.
(4) Makes it possible to get sign-file to just write out a file containing
the PKCS#7 signature blob. This can be used for debugging and
potentially for firmware signing.
(5) Extracts the function that does PKCS#7 signature verification on a
blob from the module signing code and put it somewhere more general so
that other things, such as firmware signing, can make use of it
without depending on module config options.
(6) Adds support for CMS messages in place of PKCS#7 (they're very similar
ASN.1) and makes sign-file create CMS messages instead of PKCS#7.
This allows signatures to refer to the verifying key by X.509 cert
SKID instead of X.509 cert issuer and serial number.
(7) Provides support for providing a password/pin for an encrypted private
key to sign-file.
(8) Makes it possible to use PKCS#11 with sign-file, thus allowing the use
of cryptographic hardware.
(9) Overhauls the way the module signing key is handled. If the name in
CONFIG_MODULE_SIG_KEY is "signing_key.pem" then a key will be
automatically generated and placed in the build directory. If the
name is different, autogeneration is suppressed and the file is
presumed to be a PEM file containing both the private key and X.509
certificate.
(10) Overhauls the way auxiliary trusted keys are added to the kernel.
Files matching the pattern "*.x509" are no longer just gathered up and
cat'd together. Now CONFIG_SYSTEM_TRUSTED_KEYS must be set to point
to a single PEM file containing a set of X.509 certs cat'd together if
this facility is desired.
(11) Severely restricts what authenticateAttributes are permitted in a PKCS#7
or CMS message and what content type may be used. This is selected by
the in-kernel user with the appropriate VERIFYING_*_SIGNATURE constant.
Note that the revised sign-file program no longer supports the "-s
<signature>" option to add an externally generated signature. This is
deprecated in favour of using PKCS#11. Note also that the format of the
signature file that would be passed to -s has changed.
There are two changes since the modsign-pkcs7-20150807 tag: a documentation
patch has been added noting the extra dependency and an extra review line
has been added.
Thanks,
David
---
The following changes since commit 459c15e53cf7e4e88a78ecfb109af5a267c5500a:
Merge tag 'asn1-fixes-20150805' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs into next (2015-08-07 13:27:58 +1000)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git tags/modsign-pkcs7-20150811
for you to fetch changes up to f81977b461ed8e077aa7ad71cb0bb04382f32373:
sign-file: Document dependency on OpenSSL devel libraries (2015-08-11 20:09:06 +0100)
----------------------------------------------------------------
Module signing with PKCS#7
----------------------------------------------------------------
David Howells (17):
ASN.1: Add an ASN.1 compiler option to dump the element tree
ASN.1: Copy string names to tokens in ASN.1 compiler
X.509: Extract both parts of the AuthorityKeyIdentifier
X.509: Support X.509 lookup by Issuer+Serial form AuthorityKeyIdentifier
PKCS#7: Allow detached data to be supplied for signature checking purposes
MODSIGN: Provide a utility to append a PKCS#7 signature to a module
MODSIGN: Use PKCS#7 messages as module signatures
system_keyring.c doesn't need to #include module-internal.h
MODSIGN: Extract the blob PKCS#7 signature verifier from module signing
PKCS#7: Check content type and versions
X.509: Change recorded SKID & AKID to not include Subject or Issuer
PKCS#7: Support CMS messages also [RFC5652]
sign-file: Generate CMS message as signature instead of PKCS#7
PKCS#7: Improve and export the X.509 ASN.1 time object decoder
KEYS: Add a name for PKEY_ID_PKCS7
PKCS#7: Appropriately restrict authenticated attributes and content type
sign-file: Document dependency on OpenSSL devel libraries
David Woodhouse (9):
modsign: Abort modules_install when signing fails
modsign: Allow password to be specified for signing key
modsign: Allow signing key to be PKCS#11
modsign: Allow external signing key to be specified
modsign: Extract signing cert from CONFIG_MODULE_SIG_KEY if needed
modsign: Use single PEM file for autogenerated key
modsign: Add explicit CONFIG_SYSTEM_TRUSTED_KEYS option
extract-cert: Cope with multiple X.509 certificates in a single file
modsign: Use extract-cert to process CONFIG_SYSTEM_TRUSTED_KEYS
Luis R. Rodriguez (1):
sign-file: Add option to only create signature file
.gitignore | 1 +
Documentation/kbuild/kbuild.txt | 5 +
Documentation/module-signing.txt | 54 +++-
Makefile | 8 +-
arch/x86/kernel/kexec-bzimage64.c | 4 +-
crypto/asymmetric_keys/Makefile | 8 +-
crypto/asymmetric_keys/asymmetric_type.c | 11 +
crypto/asymmetric_keys/pkcs7.asn1 | 22 +-
crypto/asymmetric_keys/pkcs7_key_type.c | 14 +-
crypto/asymmetric_keys/pkcs7_parser.c | 269 ++++++++++++++++++-
crypto/asymmetric_keys/pkcs7_parser.h | 20 +-
crypto/asymmetric_keys/pkcs7_trust.c | 10 +-
crypto/asymmetric_keys/pkcs7_verify.c | 145 ++++++++--
crypto/asymmetric_keys/public_key.c | 1 +
crypto/asymmetric_keys/verify_pefile.c | 7 +-
crypto/asymmetric_keys/x509_akid.asn1 | 35 +++
crypto/asymmetric_keys/x509_cert_parser.c | 231 ++++++++++------
crypto/asymmetric_keys/x509_parser.h | 12 +-
crypto/asymmetric_keys/x509_public_key.c | 95 ++++---
include/crypto/pkcs7.h | 13 +-
include/crypto/public_key.h | 18 +-
include/keys/system_keyring.h | 7 +
include/linux/oid_registry.h | 4 +-
include/linux/verify_pefile.h | 6 +-
init/Kconfig | 58 +++-
kernel/Makefile | 112 +++++---
kernel/module_signing.c | 213 ++-------------
kernel/system_certificates.S | 3 +
kernel/system_keyring.c | 53 +++-
scripts/Makefile | 4 +
scripts/Makefile.modinst | 2 +-
scripts/asn1_compiler.c | 229 ++++++++++------
scripts/extract-cert.c | 166 ++++++++++++
scripts/sign-file | 421 ------------------------------
scripts/sign-file.c | 260 ++++++++++++++++++
35 files changed, 1593 insertions(+), 928 deletions(-)
create mode 100644 crypto/asymmetric_keys/x509_akid.asn1
create mode 100644 scripts/extract-cert.c
delete mode 100755 scripts/sign-file
create mode 100755 scripts/sign-file.c
On Tue, 11 Aug 2015, David Howells wrote:
> Hi James,
>
> Can you pull this into security/next please? Its aim is twofold: firstly,
> make the module signatures of PKCS#7/CMS format rather than a home-brewed
> format and secondly to pave the way for use of the signing code for
> firmware signatures (to follow later).
After installing the devel package, I now see these warnings and error:
WARNING: modpost: missing MODULE_LICENSE() in
crypto/asymmetric_keys/pkcs7_test_key.o
scripts/sign-file.c: In function ?main?:
scripts/sign-file.c:188: warning: value computed is not used
At main.c:146:
- SSL error:02001002:system library:fopen:No such file or directory:
bss_file.c:169
- SSL error:2006D080:BIO routines:BIO_new_file:no such file:
bss_file.c:172
extract-cert: signing_key.pem: No such file or directory
rm: cannot remove `signing_key.x509': No such file or directory
--
James Morris
<[email protected]>
On Wed, 2015-08-12 at 14:20 +1000, James Morris wrote:
>
> At main.c:146:
> - SSL error:02001002:system library:fopen:No such file or directory:
> bss_file.c:169
> - SSL error:2006D080:BIO routines:BIO_new_file:no such file:
> bss_file.c:172
> extract-cert: signing_key.pem: No such file or directory
> rm: cannot remove `signing_key.x509': No such file or directory
Hm, how did you do that one? What target was it trying to invoke
extract-cert for? (There are two.)
--
David Woodhouse Open Source Technology Centre
[email protected] Intel Corporation
On Wed, 12 Aug 2015, David Woodhouse wrote:
> On Wed, 2015-08-12 at 14:20 +1000, James Morris wrote:
> >
> > At main.c:146:
> > - SSL error:02001002:system library:fopen:No such file or directory:
> > bss_file.c:169
> > - SSL error:2006D080:BIO routines:BIO_new_file:no such file:
> > bss_file.c:172
> > extract-cert: signing_key.pem: No such file or directory
> > rm: cannot remove `signing_key.x509': No such file or directory
>
> Hm, how did you do that one? What target was it trying to invoke
> extract-cert for? (There are two.)
$ make
CHK include/config/kernel.release
CHK include/generated/uapi/linux/version.h
CHK include/generated/utsrelease.h
CHK include/generated/bounds.h
CHK include/generated/timeconst.h
CHK include/generated/asm-offsets.h
CALL scripts/checksyscalls.sh
CHK include/generated/compile.h
EXTRACT_CERTS signing_key.pem
At main.c:146:
- SSL error:02001002:system library:fopen:No such file or directory:
bss_file.c:169
- SSL error:2006D080:BIO routines:BIO_new_file:no such file:
bss_file.c:172
extract-cert: signing_key.pem: No such file or directory
rm: cannot remove `signing_key.x509': No such file or directory
make[1]: *** [signing_key.x509] Error 1
make: *** [kernel] Error 2
--
James Morris
<[email protected]>
On Wed, 2015-08-12 at 19:08 +1000, James Morris wrote:
>
> CHK include/generated/compile.h
> EXTRACT_CERTS signing_key.pem
> At main.c:146:
> - SSL error:02001002:system library:fopen:No such file or directory:
> bss_file.c:169
> - SSL error:2006D080:BIO routines:BIO_new_file:no such file:
> bss_file.c:172
> extract-cert: signing_key.pem: No such file or directory
> rm: cannot remove `signing_key.x509': No such file or directory
> make[1]: *** [signing_key.x509] Error 1
> make: *** [kernel] Error 2
Hm, but that ought to have a dependency on signing_key.pem.
What is CONFIG_MODULE_SIG_KEY? Its default value of 'signing_key.pem'?
That should mean that the rule in kernel/Makefile to create the signing
key does exist.
At the very end of kernel/Makefile, in the rule for signing_key.x509,
please could you add an 'echo $(X509_DEP)' before the call to
extract_certs? That ought to be correctly depending on the
signing_key.pem file.
There's magic here to work out the precise dependency, since it might
be a filename relative to either the build tree or the source tree.
I'll take another look and work out how it copes in the case where the
file doesn't exist yet... is this an out-of-tree build?
--
dwmw2
On Wed, 12 Aug 2015, David Woodhouse wrote:
> On Wed, 2015-08-12 at 19:08 +1000, James Morris wrote:
> >
> > CHK include/generated/compile.h
> > EXTRACT_CERTS signing_key.pem
> > At main.c:146:
> > - SSL error:02001002:system library:fopen:No such file or directory:
> > bss_file.c:169
> > - SSL error:2006D080:BIO routines:BIO_new_file:no such file:
> > bss_file.c:172
> > extract-cert: signing_key.pem: No such file or directory
> > rm: cannot remove `signing_key.x509': No such file or directory
> > make[1]: *** [signing_key.x509] Error 1
> > make: *** [kernel] Error 2
>
> Hm, but that ought to have a dependency on signing_key.pem.
>
> What is CONFIG_MODULE_SIG_KEY? Its default value of 'signing_key.pem'?
> That should mean that the rule in kernel/Makefile to create the signing
> key does exist.
Yep:
# CONFIG_MODULE_SIG_SHA512 is not set
CONFIG_MODULE_SIG_HASH="sha1"
CONFIG_MODULE_SIG_KEY="signing_key.pem"
# CONFIG_MODULE_COMPRESS is not set
>
> At the very end of kernel/Makefile, in the rule for signing_key.x509,
> please could you add an 'echo $(X509_DEP)' before the call to
> extract_certs? That ought to be correctly depending on the
> signing_key.pem file.
$ make
CHK include/config/kernel.release
CHK include/generated/uapi/linux/version.h
CHK include/generated/utsrelease.h
CHK include/generated/bounds.h
CHK include/generated/timeconst.h
CHK include/generated/asm-offsets.h
CALL scripts/checksyscalls.sh
CHK include/generated/compile.h
echo
EXTRACT_CERTS signing_key.pem
i.e. nothing.
>
> There's magic here to work out the precise dependency, since it might
> be a filename relative to either the build tree or the source tree.
> I'll take another look and work out how it copes in the case where the
> file doesn't exist yet... is this an out-of-tree build?
>
Nope, but try a make mrproper first (as I have) and see if you get the
same result.
--
James Morris
<[email protected]>
On Wed, 2015-08-12 at 19:27 +1000, James Morris wrote:
>
> Yep:
>
> # CONFIG_MODULE_SIG_SHA512 is not set
> CONFIG_MODULE_SIG_HASH="sha1"
> CONFIG_MODULE_SIG_KEY="signing_key.pem"
> # CONFIG_MODULE_COMPRESS is not set
Can I have the full config please? Not that I understand how anything
else would really make much difference.
> >
> > At the very end of kernel/Makefile, in the rule for
> signing_key.x509,
> > please could you add an 'echo $(X509_DEP)' before the call to
> > extract_certs? That ought to be correctly depending on the
> > signing_key.pem file.
>
> $ make
> CHK include/config/kernel.release
> CHK include/generated/uapi/linux/version.h
> CHK include/generated/utsrelease.h
> CHK include/generated/bounds.h
> CHK include/generated/timeconst.h
> CHK include/generated/asm-offsets.h
> CALL scripts/checksyscalls.sh
> CHK include/generated/compile.h
> echo
>
> EXTRACT_CERTS signing_key.pem
>
> i.e. nothing.
Odd.
What are $(MODULE_SIG_KEY_FILENAME) and $(MODULE_SIG_KEY_SRCPREFIX) ?
I'm going to have to make another pot of coffee if I'm going to debug
the config_filename thing today... :)
I'm scared to start thinking this way but... what version of 'make' are
you using? If your precise .config doesn't help, is there any chance I
can log into an affected box to poke at it?
I've also been testing David's tree (commit f81977b46 precisely), so
perhaps I should also try *precisely* the merged tree you're looking
at. Again, not that I can imagine anything that would make this
difference.
> >
> > There's magic here to work out the precise dependency, since it
> might
> > be a filename relative to either the build tree or the source tree.
> > I'll take another look and work out how it copes in the case where
> the
> > file doesn't exist yet... is this an out-of-tree build?
> >
>
> Nope, but try a make mrproper first (as I have) and see if you get
> the same result.
I've been testing that, both in-tree and out-of-tree. I can't make it
*fail* to set X509_DEP and thus depend correctly on the signing_key.pem
file.
--
David Woodhouse Open Source Technology Centre
[email protected] Intel Corporation
On Wed, 12 Aug 2015, David Woodhouse wrote:
> On Wed, 2015-08-12 at 19:27 +1000, James Morris wrote:
> >
> > Yep:
> >
> > # CONFIG_MODULE_SIG_SHA512 is not set
> > CONFIG_MODULE_SIG_HASH="sha1"
> > CONFIG_MODULE_SIG_KEY="signing_key.pem"
> > # CONFIG_MODULE_COMPRESS is not set
>
> Can I have the full config please? Not that I understand how anything
> else would really make much difference.
Attached.
>
> > >
> > > At the very end of kernel/Makefile, in the rule for
> > signing_key.x509,
> > > please could you add an 'echo $(X509_DEP)' before the call to
> > > extract_certs? That ought to be correctly depending on the
> > > signing_key.pem file.
> >
> > $ make
> > CHK include/config/kernel.release
> > CHK include/generated/uapi/linux/version.h
> > CHK include/generated/utsrelease.h
> > CHK include/generated/bounds.h
> > CHK include/generated/timeconst.h
> > CHK include/generated/asm-offsets.h
> > CALL scripts/checksyscalls.sh
> > CHK include/generated/compile.h
> > echo
> >
> > EXTRACT_CERTS signing_key.pem
> >
> > i.e. nothing.
>
> Odd.
>
> What are $(MODULE_SIG_KEY_FILENAME) and $(MODULE_SIG_KEY_SRCPREFIX) ?
They're empty.
>
> I'm going to have to make another pot of coffee if I'm going to debug
> the config_filename thing today... :)
>
> I'm scared to start thinking this way but... what version of 'make' are
> you using? If your precise .config doesn't help, is there any chance I
> can log into an affected box to poke at it?
>
make-3.81-20.el6.x86_64
The machine is not accessible, sorry.
> I've also been testing David's tree (commit f81977b46 precisely), so
> perhaps I should also try *precisely* the merged tree you're looking
> at. Again, not that I can imagine anything that would make this
> difference.
>
It's the next branch of my repo, with his latest pull request.
> > >
> > > There's magic here to work out the precise dependency, since it
> > might
> > > be a filename relative to either the build tree or the source tree.
> > > I'll take another look and work out how it copes in the case where
> > the
> > > file doesn't exist yet... is this an out-of-tree build?
> > >
> >
> > Nope, but try a make mrproper first (as I have) and see if you get
> > the same result.
>
> I've been testing that, both in-tree and out-of-tree. I can't make it
> *fail* to set X509_DEP and thus depend correctly on the signing_key.pem
> file.
Where is MODULE_SIG_KEY_FILENAME assigned?
--
James Morris
<[email protected]>
On Wed, 2015-08-12 at 20:08 +1000, James Morris wrote:
> make-3.81-20.el6.x86_64
>
> The machine is not accessible, sorry.
No matter. I have a CentOS 6 VM in which I can attempt to reproduce.
> Where is MODULE_SIG_KEY_FILENAME assigned?
At about line 243:
$(eval $(call config_filename,MODULE_SIG_KEY))
Or, more to the point, somewhere in here... you may now understand why
I made a new jug of coffee. I had torture-tested this with fairly much
every pathology I could think of. And you've managed to break it with
the *default* case. Congratulations. You just made me cry.
###############################################################################
#
# When a Kconfig string contains a filename, it is suitable for
# passing to shell commands. It is surrounded by double-quotes, and
# any double-quotes or backslashes within it are escaped by
# backslashes.
#
# This is no use for dependencies or $(wildcard). We need to strip the
# surrounding quotes and the escaping from quotes and backslashes, and
# we *do* need to escape any spaces in the string. So, for example:
#
# Usage: $(eval $(call config_filename,FOO))
#
# Defines FOO_FILENAME based on the contents of the CONFIG_FOO option,
# transformed as described above to be suitable for use within the
# makefile.
#
# Also, if the filename is a relative filename and exists in the source
# tree but not the build tree, define FOO_SRCPREFIX as $(srctree)/ to
# be prefixed to *both* command invocation and dependencies.
#
# Note: We also print the filenames in the quiet_cmd_foo text, and
# perhaps ought to have a version specially escaped for that purpose.
# But it's only cosmetic, and $(patsubst "%",%,$(CONFIG_FOO)) is good
# enough. It'll strip the quotes in the common case where there's no
# space and it's a simple filename, and it'll retain the quotes when
# there's a space. There are some esoteric cases in which it'll print
# the wrong thing, but we don't really care. The actual dependencies
# and commands *do* get it right, with various combinations of single
# and double quotes, backslashes and spaces in the filenames.
#
###############################################################################
#
quote := $(firstword " ")
space :=
space +=
space_escape := %%%SPACE%%%
#
define config_filename =
ifneq ($$(CONFIG_$(1)),"")
$(1)_FILENAME := $$(subst \\,\,$$(subst \$$(quote),$$(quote),$$(subst $$(space_escape),\$$(space),$$(patsubst "%",%,$$(subst $$(space),$$(space_escape),$$(CONFIG_$(1)))))))
ifneq ($$(patsubst /%,%,$$(firstword $$($(1)_FILENAME))),$$(firstword $$($(1)_FILENAME)))
else
ifeq ($$(wildcard $$($(1)_FILENAME)),)
ifneq ($$(wildcard $$(srctree)/$$($(1)_FILENAME)),)
$(1)_SRCPREFIX := $(srctree)/
endif
endif
endif
endif
endef
--
dwmw2
On Wed, 12 Aug 2015, David Woodhouse wrote:
> On Wed, 2015-08-12 at 20:08 +1000, James Morris wrote:
> > make-3.81-20.el6.x86_64
> >
> > The machine is not accessible, sorry.
>
> No matter. I have a CentOS 6 VM in which I can attempt to reproduce.
>
> > Where is MODULE_SIG_KEY_FILENAME assigned?
>
> At about line 243:
>
> $(eval $(call config_filename,MODULE_SIG_KEY))
>
> Or, more to the point, somewhere in here... you may now understand why
> I made a new jug of coffee. I had torture-tested this with fairly much
> every pathology I could think of. And you've managed to break it with
> the *default* case. Congratulations. You just made me cry.
You made me read Make documentation -- I think we're even.
> #
> define config_filename =
This may be relevant:
http://stackoverflow.com/questions/13260396/gnu-make-3-81-eval-function-not-working
--
James Morris
<[email protected]>
On Wed, 12 Aug 2015, James Morris wrote:
> > define config_filename =
>
> This may be relevant:
>
> http://stackoverflow.com/questions/13260396/gnu-make-3-81-eval-function-not-working
>
This works for me:
diff --git a/kernel/Makefile b/kernel/Makefile
index 9e31922..65ef384 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -150,7 +150,7 @@ space :=
space +=
space_escape := %%%SPACE%%%
#
-define config_filename =
+define config_filename
ifneq ($$(CONFIG_$(1)),"")
$(1)_FILENAME := $$(subst \\,\,$$(subst \$$(quote),$$(quote),$$(subst $$(space_escape),\$$(space),$$(patsubst "%",%,$$(subst $$(space),$$(space_escape),$$(CONFIG_$(1)))))))
ifneq ($$(patsubst /%,%,$$(firstword $$($(1)_FILENAME))),$$(firstword $$($(1)_FILENAME)))
On Wed, 2015-08-12 at 20:40 +1000, James Morris wrote:
>
> This works for me:
>
> diff --git a/kernel/Makefile b/kernel/Makefile
> index 9e31922..65ef384 100644
> --- a/kernel/Makefile
> +++ b/kernel/Makefile
> @@ -150,7 +150,7 @@ space :=
> space +=
> space_escape := %%%SPACE%%%
> #
> -define config_filename =
> +define config_filename
> ifneq ($$(CONFIG_$(1)),"")
> $(1)_FILENAME := $$(subst \\,\,$$(subst \$$(quote),$$(quote),$$(subst $$(space_escape),\$$(space),$$(patsubst "%",%,$$(subst $$(space),$$(space_escape),$$(CONFIG_$(1)))))))
> ifneq ($$(patsubst /%,%,$$(firstword $$($(1)_FILENAME))),$$(firstword $$($(1)_FILENAME)))
>
Thanks. I believe David is travelling and in GMT-4 at the moment; I
imagine he'll want to roll up this one-line fix into the offending
original commit, and submit a new pull request.
--
David Woodhouse Open Source Technology Centre
[email protected] Intel Corporation
James Morris <[email protected]> wrote:
> -define config_filename =
> +define config_filename
Is this likely to be a problem for newer makes?
David