Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2992723AbbEPAW2 (ORCPT ); Fri, 15 May 2015 20:22:28 -0400 Received: from ozlabs.org ([103.22.144.67]:41123 "EHLO ozlabs.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1946103AbbEPAWZ (ORCPT ); Fri, 15 May 2015 20:22:25 -0400 From: Rusty Russell To: David Howells Cc: mmarek@suse.cz, mjg59@srcf.ucam.org, keyrings@linux-nfs.org, dmitry.kasatkin@gmail.com, mcgrof@suse.com, linux-kernel@vger.kernel.org, dhowells@redhat.com, seth.forshee@canonical.com, linux-security-module@vger.kernel.org, dwmw2@infradead.org Subject: Re: [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4] In-Reply-To: <20150515123513.16723.96340.stgit@warthog.procyon.org.uk> References: <20150515123513.16723.96340.stgit@warthog.procyon.org.uk> User-Agent: Notmuch/0.17 (http://notmuchmail.org) Emacs/24.4.1 (x86_64-pc-linux-gnu) Date: Sat, 16 May 2015 08:21:56 +0930 Message-ID: <87d221laib.fsf@rustcorp.com.au> MIME-Version: 1.0 Content-Type: text/plain Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 4840 Lines: 106 David Howells writes: > Hi Rusty, Hi David, I try to stick my nose into patches which touch module.c/h: this doesn't, so am happy for this via another tree (AFAICT doesn't even need my ack). Thanks, Rusty. > Here's a set of patches that does the following: > > (1) Extracts both parts of an X.509 AuthorityKeyIdentifier (AKID) extension. > We already extract the bit that can match the subjectKeyIdentifier (SKID) > of the parent X.509 cert, but we currently ignore the bits that can match > the issuer and serialNumber. > > Looks up an X.509 cert by issuer and serialNumber if those are provided in > the AKID. If the keyIdentifier is also provided, checks that the > subjectKeyIdentifier of the cert found matches that also. > > If no issuer and serialNumber are provided in the AKID, looks up an X.509 > cert by SKID using the AKID keyIdentifier. > > This allows module signing to be done with certificates that don't have an > SKID by which they can be looked up. > > (2) Makes use of the PKCS#7 facility to provide module signatures. > > sign-file is replaced with a program that generates a PKCS#7 message that > has no X.509 certs embedded and that has detached data (the module > content) and adds it onto the message with magic string and descriptor. > > (3) The PKCS#7 message (and matching X.509 cert) supply all the information > that is needed to select the X.509 cert to be used to verify the signature > by standard means (including selection of digest algorithm and public key > algorithm). No kernel-specific magic values are required. > > (4) Makes it possible to get sign-file to just write out a file containing the > PKCS#7 signature blob. This can be used for debugging and potentially for > firmware signing. > > (5) Extract the function that does PKCS#7 signature verification on a blob > from the module signing code and put it somewhere more general so that > other things, such as firmware signing, can make use of it without > depending on module config options. > > Note that the revised sign-file program no longer supports the "-s " > option as I'm not sure what the best way to deal with this is. Do we generate > a PKCS#7 cert from the signature given, or do we get given a PKCS#7 cert? I > lean towards the latter. Note that David Woodhouse is looking at making > sign-file work with PKCS#11, so bringing back -s might not be necessary. > > They can be found here also: > > http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=modsign-pkcs7 > > and are tagged with: > > modsign-pkcs7-20150515 > > Should these go via the security tree or your tree? > > David > --- > David Howells (7): > X.509: Extract both parts of the AuthorityKeyIdentifier > X.509: Support X.509 lookup by Issuer+Serial form AuthorityKeyIdentifier > PKCS#7: Allow detached data to be supplied for signature checking purposes > MODSIGN: Provide a utility to append a PKCS#7 signature to a module > MODSIGN: Use PKCS#7 messages as module signatures > system_keyring.c doesn't need to #include module-internal.h > MODSIGN: Extract the blob PKCS#7 signature verifier from module signing > > Luis R. Rodriguez (1): > sign-file: Add option to only create signature file > > > Makefile | 2 > crypto/asymmetric_keys/Makefile | 8 - > crypto/asymmetric_keys/pkcs7_trust.c | 10 - > crypto/asymmetric_keys/pkcs7_verify.c | 80 ++++-- > crypto/asymmetric_keys/x509_akid.asn1 | 35 ++ > crypto/asymmetric_keys/x509_cert_parser.c | 142 ++++++---- > crypto/asymmetric_keys/x509_parser.h | 5 > crypto/asymmetric_keys/x509_public_key.c | 86 ++++-- > include/crypto/pkcs7.h | 3 > include/crypto/public_key.h | 4 > include/keys/system_keyring.h | 5 > init/Kconfig | 28 +- > kernel/module_signing.c | 212 +-------------- > kernel/system_keyring.c | 51 +++- > scripts/Makefile | 2 > scripts/sign-file | 421 ----------------------------- > scripts/sign-file.c | 212 +++++++++++++++ > 17 files changed, 578 insertions(+), 728 deletions(-) > create mode 100644 crypto/asymmetric_keys/x509_akid.asn1 > delete mode 100755 scripts/sign-file > create mode 100755 scripts/sign-file.c -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/