From: David Howells
Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903
References: <10418.1439399192@warthog.procyon.org.uk>
To: James Morris
Cc: dhowells@redhat.com, mcgrof@gmail.com, zohar@linux.vnet.ibm.com, dwmw2@infradead.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: Re: [GIT PULL] MODSIGN: Use PKCS#7 for module signatures [ver #8]
Date: Thu, 13 Aug 2015 03:11:21 +0100
Message-ID: <28281.1439431881@warthog.procyon.org.uk>

James Morris wrote:

> I'm still seeing these warnings:
>
> scripts/sign-file.c: In function ‘main’:
> scripts/sign-file.c:188: warning: value computed is not used

Ummm... What do you see on line 188? "BIO_reset(b);"? If so, that seems to
be an openssl bug. b is created four lines above and definitely used on the
following line, so the problem must lie with the BIO_reset() function or
macro.

You're using an older version of openssl-devel than I am (1.0.1e rather than
1.0.1k) so I suspect this has been fixed. Can you have a look how this is
defined for you? I see:

	/usr/include/openssl/bio.h:#define BIO_reset(b) (int)BIO_ctrl(b,BIO_CTRL_RESET,0,NULL)

and:

	/usr/include/openssl/bio.h:long BIO_ctrl(BIO *bp,int cmd,long larg,void *parg);

> WARNING: modpost: missing MODULE_LICENSE() in
> crypto/asymmetric_keys/pkcs7_test_key.o

The issue actually pre-dates this patchset so is independent of it. I can
stack a patch onto the end of my series to fix this.

I've pushed a new tag with this patch (revised request-pull below in case you
feel inclined to pull it - or I can generate a whole new request message if
you'd prefer).

David
---
The following changes since commit 459c15e53cf7e4e88a78ecfb109af5a267c5500a:

  Merge tag 'asn1-fixes-20150805' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs into next (2015-08-07 13:27:58 +1000)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git tags/modsign-pkcs7-20150812-2

for you to fetch changes up to 772111ab01eace6a7e4cf821a4348cec64a97c92:

  PKCS#7: Add MODULE_LICENSE() to test module (2015-08-13 02:51:33 +0100)

----------------------------------------------------------------
Module signing with PKCS#7

----------------------------------------------------------------
David Howells (18):
      ASN.1: Add an ASN.1 compiler option to dump the element tree
      ASN.1: Copy string names to tokens in ASN.1 compiler
      X.509: Extract both parts of the AuthorityKeyIdentifier
      X.509: Support X.509 lookup by Issuer+Serial form AuthorityKeyIdentifier
      PKCS#7: Allow detached data to be supplied for signature checking purposes
      MODSIGN: Provide a utility to append a PKCS#7 signature to a module
      MODSIGN: Use PKCS#7 messages as module signatures
      system_keyring.c doesn't need to #include module-internal.h
      MODSIGN: Extract the blob PKCS#7 signature verifier from module signing
      PKCS#7: Check content type and versions
      X.509: Change recorded SKID & AKID to not include Subject or Issuer
      PKCS#7: Support CMS messages also [RFC5652]
      sign-file: Generate CMS message as signature instead of PKCS#7
      PKCS#7: Improve and export the X.509 ASN.1 time object decoder
      KEYS: Add a name for PKEY_ID_PKCS7
      PKCS#7: Appropriately restrict authenticated attributes and content type
      sign-file: Document dependency on OpenSSL devel libraries
      PKCS#7: Add MODULE_LICENSE() to test module

David Woodhouse (9):
      modsign: Abort modules_install when signing fails
      modsign: Allow password to be specified for signing key
      modsign: Allow signing key to be PKCS#11
      modsign: Allow external signing key to be specified
      modsign: Extract signing cert from CONFIG_MODULE_SIG_KEY if needed
      modsign: Use single PEM file for autogenerated key
      modsign: Add explicit CONFIG_SYSTEM_TRUSTED_KEYS option
      extract-cert: Cope with multiple X.509 certificates in a single file
      modsign: Use extract-cert to process CONFIG_SYSTEM_TRUSTED_KEYS

Luis R. Rodriguez (1):
      sign-file: Add option to only create signature file

 .gitignore                                |   1 +
 Documentation/kbuild/kbuild.txt           |   5 +
 Documentation/module-signing.txt          |  54 +++-
 Makefile                                  |   8 +-
 arch/x86/kernel/kexec-bzimage64.c         |   4 +-
 crypto/asymmetric_keys/Makefile           |   8 +-
 crypto/asymmetric_keys/asymmetric_type.c  |  11 +
 crypto/asymmetric_keys/pkcs7.asn1         |  22 +-
 crypto/asymmetric_keys/pkcs7_key_type.c   |  17 +-
 crypto/asymmetric_keys/pkcs7_parser.c     | 269 ++++++++++++++++++-
 crypto/asymmetric_keys/pkcs7_parser.h     |  20 +-
 crypto/asymmetric_keys/pkcs7_trust.c      |  10 +-
 crypto/asymmetric_keys/pkcs7_verify.c     | 145 ++++++++--
 crypto/asymmetric_keys/public_key.c       |   1 +
 crypto/asymmetric_keys/verify_pefile.c    |   7 +-
 crypto/asymmetric_keys/x509_akid.asn1     |  35 +++
 crypto/asymmetric_keys/x509_cert_parser.c | 231 ++++++++++------
 crypto/asymmetric_keys/x509_parser.h      |  12 +-
 crypto/asymmetric_keys/x509_public_key.c  |  95 ++++---
 include/crypto/pkcs7.h                    |  13 +-
 include/crypto/public_key.h               |  18 +-
 include/keys/system_keyring.h             |   7 +
 include/linux/oid_registry.h              |   4 +-
 include/linux/verify_pefile.h             |   6 +-
 init/Kconfig                              |  59 ++++-
 kernel/Makefile                           | 112 +++++---
 kernel/module_signing.c                   | 213 ++-------------
 kernel/system_certificates.S              |   3 +
 kernel/system_keyring.c                   |  53 +++-
 scripts/Makefile                          |   4 +
 scripts/Makefile.modinst                  |   2 +-
 scripts/asn1_compiler.c                   | 229 ++++++++++------
 scripts/extract-cert.c                    | 166 ++++++++++++
 scripts/sign-file                         | 421 ------------------------------
 scripts/sign-file.c                       | 260 ++++++++++++++++++
 35 files changed, 1597 insertions(+), 928 deletions(-)
 create mode 100644 crypto/asymmetric_keys/x509_akid.asn1
 create mode 100644 scripts/extract-cert.c
 delete mode 100755 scripts/sign-file
 create mode 100755 scripts/sign-file.c