From: David Howells
Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903
References: <10418.1439399192@warthog.procyon.org.uk>
To: James Morris
Cc: dhowells@redhat.com, mcgrof@gmail.com, zohar@linux.vnet.ibm.com, dwmw2@infradead.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: Re: [GIT PULL] MODSIGN: Use PKCS#7 for module signatures [ver #8]
Date: Thu, 13 Aug 2015 04:13:49 +0100
Message-ID: <4346.1439435629@warthog.procyon.org.uk>

Okay, I've fixed both of those bugs with patches tagged on the end of the
commit sequence.  Here's a revised pull request with a new tag.  Do you want
me to generate a complete new request message?

David
---
The following changes since commit 459c15e53cf7e4e88a78ecfb109af5a267c5500a:

  Merge tag 'asn1-fixes-20150805' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs into next (2015-08-07 13:27:58 +1000)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git tags/modsign-pkcs7-20150812-3

for you to fetch changes up to e9a5e8cc55286941503f36c5b7485a5aa923b3f1:

  sign-file: Fix warning about BIO_reset() return value (2015-08-13 04:03:12 +0100)

----------------------------------------------------------------
Module signing with PKCS#7

----------------------------------------------------------------
David Howells (19):
      ASN.1: Add an ASN.1 compiler option to dump the element tree
      ASN.1: Copy string names to tokens in ASN.1 compiler
      X.509: Extract both parts of the AuthorityKeyIdentifier
      X.509: Support X.509 lookup by Issuer+Serial form AuthorityKeyIdentifier
      PKCS#7: Allow detached data to be supplied for signature checking purposes
      MODSIGN: Provide a utility to append a PKCS#7 signature to a module
      MODSIGN: Use PKCS#7 messages as module signatures
      system_keyring.c doesn't need to #include module-internal.h
      MODSIGN: Extract the blob PKCS#7 signature verifier from module signing
      PKCS#7: Check content type and versions
      X.509: Change recorded SKID & AKID to not include Subject or Issuer
      PKCS#7: Support CMS messages also [RFC5652]
      sign-file: Generate CMS message as signature instead of PKCS#7
      PKCS#7: Improve and export the X.509 ASN.1 time object decoder
      KEYS: Add a name for PKEY_ID_PKCS7
      PKCS#7: Appropriately restrict authenticated attributes and content type
      sign-file: Document dependency on OpenSSL devel libraries
      PKCS#7: Add MODULE_LICENSE() to test module
      sign-file: Fix warning about BIO_reset() return value

David Woodhouse (9):
      modsign: Abort modules_install when signing fails
      modsign: Allow password to be specified for signing key
      modsign: Allow signing key to be PKCS#11
      modsign: Allow external signing key to be specified
      modsign: Extract signing cert from CONFIG_MODULE_SIG_KEY if needed
      modsign: Use single PEM file for autogenerated key
      modsign: Add explicit CONFIG_SYSTEM_TRUSTED_KEYS option
      extract-cert: Cope with multiple X.509 certificates in a single file
      modsign: Use extract-cert to process CONFIG_SYSTEM_TRUSTED_KEYS

Luis R. Rodriguez (1):
      sign-file: Add option to only create signature file

 .gitignore                                |   1 +
 Documentation/kbuild/kbuild.txt           |   5 +
 Documentation/module-signing.txt          |  54 +++-
 Makefile                                  |   8 +-
 arch/x86/kernel/kexec-bzimage64.c         |   4 +-
 crypto/asymmetric_keys/Makefile           |   8 +-
 crypto/asymmetric_keys/asymmetric_type.c  |  11 +
 crypto/asymmetric_keys/pkcs7.asn1         |  22 +-
 crypto/asymmetric_keys/pkcs7_key_type.c   |  17 +-
 crypto/asymmetric_keys/pkcs7_parser.c     | 269 ++++++++++++++++++-
 crypto/asymmetric_keys/pkcs7_parser.h     |  20 +-
 crypto/asymmetric_keys/pkcs7_trust.c      |  10 +-
 crypto/asymmetric_keys/pkcs7_verify.c     | 145 ++++++++--
 crypto/asymmetric_keys/public_key.c       |   1 +
 crypto/asymmetric_keys/verify_pefile.c    |   7 +-
 crypto/asymmetric_keys/x509_akid.asn1     |  35 +++
 crypto/asymmetric_keys/x509_cert_parser.c | 231 ++++++++++------
 crypto/asymmetric_keys/x509_parser.h      |  12 +-
 crypto/asymmetric_keys/x509_public_key.c  |  95 ++++---
 include/crypto/pkcs7.h                    |  13 +-
 include/crypto/public_key.h               |  18 +-
 include/keys/system_keyring.h             |   7 +
 include/linux/oid_registry.h              |   4 +-
 include/linux/verify_pefile.h             |   6 +-
 init/Kconfig                              |  59 ++++-
 kernel/Makefile                           | 112 +++++---
 kernel/module_signing.c                   | 213 ++-------------
 kernel/system_certificates.S              |   3 +
 kernel/system_keyring.c                   |  53 +++-
 scripts/Makefile                          |   4 +
 scripts/Makefile.modinst                  |   2 +-
 scripts/asn1_compiler.c                   | 229 ++++++++++------
 scripts/extract-cert.c                    | 166 ++++++++++++
 scripts/sign-file                         | 421 ------------------------------
 scripts/sign-file.c                       | 260 ++++++++++++++++++
 35 files changed, 1597 insertions(+), 928 deletions(-)
 create mode 100644 crypto/asymmetric_keys/x509_akid.asn1
 create mode 100644 scripts/extract-cert.c
 delete mode 100755 scripts/sign-file
 create mode 100755 scripts/sign-file.c