Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752467AbbESBi7 (ORCPT ); Mon, 18 May 2015 21:38:59 -0400 Received: from e23smtp01.au.ibm.com ([202.81.31.143]:48100 "EHLO e23smtp01.au.ibm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751076AbbESBiy (ORCPT ); Mon, 18 May 2015 21:38:54 -0400 Message-ID: <1431999474.4510.17.camel@linux.vnet.ibm.com> Subject: Re: [PATCH 3/4] modsign: Allow password to be specified for signing key From: Mimi Zohar To: David Woodhouse Cc: dhowells@redhat.com, rusty@rustcorp.com.au, mmarek@suse.cz, mjg59@srcf.ucam.org, keyrings@linux-nfs.org, dmitry.kasatkin@gmail.com, mcgrof@suse.com, linux-kernel@vger.kernel.org, seth.forshee@canonical.com, linux-security-module@vger.kernel.org Date: Mon, 18 May 2015 21:37:54 -0400 In-Reply-To: <1431708823.4727.11.camel@infradead.org> References: <20150515123513.16723.96340.stgit@warthog.procyon.org.uk> <1431708823.4727.11.camel@infradead.org> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.12.10 (3.12.10-1.fc21) Mime-Version: 1.0 Content-Transfer-Encoding: 7bit X-TM-AS-MML: disable X-Content-Scanned: Fidelis XPS MAILER x-cbid: 15051901-1618-0000-0000-0000021C67D4 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 4770 Lines: 138 On Fri, 2015-05-15 at 17:53 +0100, David Woodhouse wrote: > Signed-off-by: David Woodhouse > --- > Documentation/module-signing.txt | 2 ++ > Makefile | 1 + > init/Kconfig | 6 ++++++ > scripts/sign-file.c | 39 ++++++++++++++++++++++++++++++++++++++- > 4 files changed, 47 insertions(+), 1 deletion(-) > > diff --git a/Documentation/module-signing.txt b/Documentation/module-signing.txt > index c72702e..b0ed080 100644 > --- a/Documentation/module-signing.txt > +++ b/Documentation/module-signing.txt > @@ -194,6 +194,8 @@ The hash algorithm used does not have to match the one configured, but if it > doesn't, you should make sure that hash algorithm is either built into the > kernel or can be loaded without requiring itself. > > +If the private key requires a passphrase or PIN, it can be provided in the > +$CONFIG_MODULE_SIG_KEY_PASSWORD environment variable. This works, but probably is not a good idea. For one, if IKCONFIG is enabled, the pin is readily visible via /proc/config.gz. Mimi > ============================ > SIGNED MODULES AND STRIPPING > diff --git a/Makefile b/Makefile > index 9590e67..70c066c 100644 > --- a/Makefile > +++ b/Makefile > @@ -875,6 +875,7 @@ ifdef CONFIG_MODULE_SIG_ALL > MODSECKEY = $(CONFIG_MODULE_SIG_KEY) > MODPUBKEY = ./signing_key.x509 > export MODPUBKEY > +export CONFIG_MODULE_SIG_KEY_PASSWORD > mod_sign_cmd = scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(MODSECKEY) $(MODPUBKEY) > else > mod_sign_cmd = true > diff --git a/init/Kconfig b/init/Kconfig > index 1ca075a..7bbc857 100644 > --- a/init/Kconfig > +++ b/init/Kconfig > @@ -1967,6 +1967,12 @@ config MODULE_SIG_KEY > Provide the file name of a private key in PEM format, or a PKCS#11 > URI according to RFC7512 to specify the key. > > +config MODULE_SIG_KEY_PASSWORD > + string "Passphrase or PIN for module signing key if needed" if MODULE_SIG_EXTERNAL_KEY > + help > + If a passphrase or PIN is required for the private key, provide > + it here. > + > config MODULE_COMPRESS > bool "Compress modules on installation" > depends on MODULES > diff --git a/scripts/sign-file.c b/scripts/sign-file.c > index 39aaabe..9a54acc 100755 > --- a/scripts/sign-file.c > +++ b/scripts/sign-file.c > @@ -80,9 +80,32 @@ static void drain_openssl_errors(void) > } \ > } while(0) > > +static char *key_pass; > + > +static int pem_pw_cb(char *buf, int len, int w, void *v) > +{ > + int pwlen; > + > + if (!key_pass) > + return -1; > + > + pwlen = strlen(key_pass); > + if (pwlen >= len) > + return -1; > + > + strcpy(buf, key_pass); > + > + /* If it's wrong, don't keep trying it. */ > + free(key_pass); > + key_pass = NULL; > + > + return pwlen; > +} > + > int main(int argc, char **argv) > { > struct module_signature sig_info = { .id_type = PKEY_ID_PKCS7 }; > + const char *pass_env; > char *hash_algo = NULL; > char *private_key_name, *x509_name, *module_name, *dest_name; > bool save_pkcs7 = false, replace_orig; > @@ -96,6 +119,7 @@ int main(int argc, char **argv) > BIO *b, *bd = NULL, *bm; > int opt, n; > > + OpenSSL_add_all_algorithms(); > ERR_load_crypto_strings(); > ERR_clear_error(); > > @@ -127,12 +151,25 @@ int main(int argc, char **argv) > replace_orig = true; > } > > + pass_env = getenv("CONFIG_MODULE_SIG_KEY_PASSWORD"); > + if (pass_env) { > + int pwlen = strlen(pass_env); > + > + if (pass_env[0] == '\"' && pass_env[pwlen - 1] == '\"') { > + pass_env++; > + pwlen -= 2; > + } > + if (pwlen) > + key_pass = strndup(pass_env, pwlen); > + } > + > /* Read the private key and the X.509 cert the PKCS#7 message > * will point to. > */ > b = BIO_new_file(private_key_name, "rb"); > ERR(!b, "%s", private_key_name); > - private_key = PEM_read_bio_PrivateKey(b, NULL, NULL, NULL); > + private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb, NULL); > + ERR(!private_key, "%s", private_key_name); > BIO_free(b); > > b = BIO_new_file(x509_name, "rb"); > -- > 2.4.0 > -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/