Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754903AbbEOTIu (ORCPT ); Fri, 15 May 2015 15:08:50 -0400 Received: from mx1.redhat.com ([209.132.183.28]:40752 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753705AbbEOTIt (ORCPT ); Fri, 15 May 2015 15:08:49 -0400 Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903 From: David Howells In-Reply-To: <20150515123610.16723.61913.stgit@warthog.procyon.org.uk> References: <20150515123610.16723.61913.stgit@warthog.procyon.org.uk> <20150515123513.16723.96340.stgit@warthog.procyon.org.uk> To: mcgrof@suse.com Cc: dhowells@redhat.com, rusty@rustcorp.com.au, mmarek@suse.cz, mjg59@srcf.ucam.org, keyrings@linux-nfs.org, dmitry.kasatkin@gmail.com, linux-kernel@vger.kernel.org, seth.forshee@canonical.com, linux-security-module@vger.kernel.org, dwmw2@infradead.org Subject: sign-file and detached PKCS#7 firmware signatures MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <21176.1431716875.1@warthog.procyon.org.uk> Date: Fri, 15 May 2015 20:07:55 +0100 Message-ID: <21177.1431716875@warthog.procyon.org.uk> Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1662 Lines: 47 Hi Luis, As David Woodhouse pointed out to me, you don't need sign-file if you're just going to create a detached PKCS#7 message as your signature. You can just use "openssl smime" directly. The reason that sign-file is needed for module signing is that the signature is added to the module with a little bit of metadata to indicate its presence - but if you're having detached signatures, that isn't relevant. You can do this with two steps: (1) Require that an X.509 certificate is made available to the kernel to provide the public key. One way to do this is to convert it to DER form and place it in the source directory as .x509 when you build the kernel. (2) Document that to produce a signature for a firmware blob, you just run the following command: openssl smime -sign \ -in $FIRMWARE_BLOB_NAME \ -outform DER \ -inkey $PRIVATE_KEY_FILE_IN_PEM_FORM \ -signer $X509_CERT_FILE_IN_PEM_FORM \ -nocerts \ -md $DIGEST_ALGORITHM \ >$PKCS7_MESSAGE_FILE_IN_DER_FORM Note that if you have crypto hardware available that openssl can use, you can do that in this command. To summarise, what you have to present to the kernel is the following: (A) A DER-encoded X.509 certificate containing the public key. (B) A DER-encoded PKCS#7 message containing the signatures. (C) A binary blob that is the detached data for the PKCS#7 message. David -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/