Date: Tue, 19 May 2015 01:13:04 +0200
From: "Luis R. Rodriguez"
To: David Howells
Cc: rusty@rustcorp.com.au, mmarek@suse.cz, mjg59@srcf.ucam.org, keyrings@linux-nfs.org, dmitry.kasatkin@gmail.com, linux-kernel@vger.kernel.org, seth.forshee@canonical.com, linux-security-module@vger.kernel.org, dwmw2@infradead.org
Subject: Re: sign-file and detached PKCS#7 firmware signatures
Message-ID: <20150518231304.GZ23057@wotan.suse.de>
In-Reply-To: <21177.1431716875@warthog.procyon.org.uk>

On Fri, May 15, 2015 at 08:07:55PM +0100, David Howells wrote:
> Hi Luis,
>
> As David Woodhouse pointed out to me, you don't need sign-file if you're just
> going to create a detached PKCS#7 message as your signature. You can just use
> "openssl smime" directly.
>
> The reason that sign-file is needed for module signing is that the signature
> is added to the module with a little bit of metadata to indicate its presence
> - but if you're having detached signatures, that isn't relevant.
>
> You can do this with two steps:
>
> (1) Require that an X.509 certificate is made available to the kernel to
>     provide the public key. One way to do this is to convert it to DER form
>     and place it in the source directory as .x509 when you build the
>     kernel.

OK.

> (2) Document that to produce a signature for a firmware blob, you just run
>     the following command:
>
>         openssl smime -sign \
>             -in $FIRMWARE_BLOB_NAME \
>             -outform DER \
>             -inkey $PRIVATE_KEY_FILE_IN_PEM_FORM \
>             -signer $X509_CERT_FILE_IN_PEM_FORM \
>             -nocerts \
>             -md $DIGEST_ALGORITHM \

There's a missing -binary argument here, other than that this works fine.

>             >$PKCS7_MESSAGE_FILE_IN_DER_FORM

I however cannot figure out how to use openssl to verify this signature.

> Note that if you have crypto hardware available that openssl can use, you
> can do that in this command.
>
>
> To summarise, what you have to present to the kernel is the following:
>
> (A) A DER-encoded X.509 certificate containing the public key.
>
> (B) A DER-encoded PKCS#7 message containing the signatures.
>
> (C) A binary blob that is the detached data for the PKCS#7 message.

Will respin.

Luis
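Added example, not from the thread or from the kernel tree: a shell script that produces the detached DER PKCS#7 signature with the command David posted plus the `-binary` flag Luis notes is missing, and then verifies it with `openssl smime -verify`, the step Luis could not find. It assumes a throwaway self-signed signer generated inline with `openssl req` and a constructed firmware blob; because `-nocerts` leaves the signer certificate out of the message, verification has to be handed the certificate with `-certfile` and told to trust it with `-CAfile`.

```shell
#!/bin/sh
# Added example (not from the thread): sign a constructed firmware blob as a
# detached DER PKCS#7 message and verify it with openssl. The signer key and
# certificate are throwaway, self-signed, and generated here (assumption).
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

gen_signer() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=firmware-signer-test" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
    # (A) the certificate in DER form, as the kernel wants it
    openssl x509 -in "$WORK/cert.pem" -outform DER -out "$WORK/cert.x509"
}

# (B) detached PKCS#7 signature in DER over blob $1, written to $2.
# -binary stops openssl from canonicalising line endings in the blob.
sign_blob() {
    openssl smime -sign -binary -in "$1" -outform DER \
        -inkey "$WORK/key.pem" -signer "$WORK/cert.pem" \
        -nocerts -md sha256 > "$2"
}

# Verify signature $2 against (C) the detached blob $1. The message carries
# no certificate (-nocerts), so -certfile supplies it and -CAfile trusts it.
# Exit status 0 means the signature checks out, non-zero means it does not.
verify_blob() {
    openssl smime -verify -binary -inform DER -in "$2" -content "$1" \
        -certfile "$WORK/cert.pem" -CAfile "$WORK/cert.pem" \
        -out /dev/null 2>/dev/null
}

# Returns 0 only if the intact blob verifies and a modified copy is rejected.
run_demo() {
    gen_signer || return 1
    printf 'constructed firmware bytes\000\001\002\n' > "$WORK/fw.bin"
    sign_blob "$WORK/fw.bin" "$WORK/fw.bin.p7s" || return 1
    verify_blob "$WORK/fw.bin" "$WORK/fw.bin.p7s" || return 1
    cp "$WORK/fw.bin" "$WORK/tampered.bin"
    printf 'x' >> "$WORK/tampered.bin"
    if verify_blob "$WORK/tampered.bin" "$WORK/fw.bin.p7s"; then
        return 1
    fi
    return 0
}

run_demo && echo "detached signature verified; tampered blob rejected"
```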