Hi David, I just applied these 3 patches, but got build problems.. sign-file.c cannot be build. Log attached...
Any ideas? Thanks - Dmitry On 03/10/14 17:30, David Howells wrote: > Hi Rusty, > > In the current module signing code, we try to use the subject and subjKeyId > fields from X.509 certificate representing the key used to sign the modules to > locate the X.509 certificate containing the public key required to verify the > signature. > > Unfortunately, we have situations where we have to deal with signatures > generated from keys that don't have a subjKeyId (it is, after all, optional in > the X.509 spec for none CA keys). > > Now that we have PKCS#7 message handling code in the kernel for kexec(), we > can > make use of this for module signing. By using a PKCS#7 message with detached > data and no embedded X.509 certs as the signature blob, we can forgo > specifying > all the signature parameters (eg. hash algo, pubkey algo, name, id) elsewhere > and rely instead on the PKCS#7 message to supply all of those. > > PKCS#7 doesn't use the subjKeyId, but rather matches issuer name and > certificate serial number, both of which are mandatory in an X.509 > certificate. > > We leave out the embedded X.509 certs to make the signature smaller and use > detached data so that we don't have to put the module content in there. > > The patches are as follows: > > (1) Provide a function to pass detached data to the PKCS#7 verifier, rather > than always requiring the data to be contained therein. > > (2) Provide a utility to sign modules (a drop-in replacement for > scripts/sign-file). This does need to be built against -lcrypto from > OpenSSL. I couldn't work out how to make a PKCS#7 message with no > embedded X.509 certs from the openssl command line. > > I also haven't provided a way to externally specify the signature - > that's > something that will need to be worked out. Quite likely it will involve > taking a PKCS#7 message rather than generating one. > > (3) Make use of the above and the PKCS#7 handling to sign modules and verify > signatures. > > Note that this does make signatures generated by previous kernels incompatible > with newer kernels, but since the modules being signed may no longer be > compatible anyway for other reasons, I'm not sure how much of a problem that > will actually be. > > I have provided a function, mod_verify_pkcs7(), that takes a buffer containing > the actual module data, sans signature, and a buffer containing the PKCS#7 > message that does the actual work. This could be called, for instance, if > modules are ever loaded with detached signatures. > > The patches can be found here also: > > > http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=modsign-pkcs7 > > This is based on James Morris's security/next branch as there are some keyring > and PKCS#7 changes in there that are prerequisites for this. > > David > --- > David Howells (3): > PKCS#7: Allow detached data to be supplied for signature checking > purposes > MODSIGN: Provide a utility to append a PKCS#7 signature to a module > MODSIGN: Use PKCS#7 messages as module signatures > > > crypto/asymmetric_keys/pkcs7_verify.c | 26 ++ > include/crypto/pkcs7.h | 3 > include/crypto/public_key.h | 1 > init/Kconfig | 1 > kernel/module_signing.c | 220 +++-------------- > scripts/Makefile | 2 > scripts/sign-file | 421 > --------------------------------- > scripts/sign-file.c | 189 +++++++++++++++ > 8 files changed, 266 insertions(+), 597 deletions(-) > delete mode 100755 scripts/sign-file > create mode 100755 scripts/sign-file.c > > -- > To unsubscribe from this list: send the line "unsubscribe > linux-security-module" in > the body of a message to [email protected] > More majordomo info at http://vger.kernel.org/majordomo-info.html >
EXTRAVERSION=-kds ARCH: x86_64 CHK include/config/kernel.release CHK include/generated/uapi/linux/version.h CHK include/generated/utsrelease.h CALL scripts/checksyscalls.sh <stdin>:1226:2: warning: #warning syscall finit_module not implemented [-Wcpp] <stdin>:1229:2: warning: #warning syscall sched_setattr not implemented [-Wcpp] <stdin>:1232:2: warning: #warning syscall sched_getattr not implemented [-Wcpp] <stdin>:1235:2: warning: #warning syscall renameat2 not implemented [-Wcpp] <stdin>:1238:2: warning: #warning syscall seccomp not implemented [-Wcpp] HOSTCC scripts/sign-file scripts/sign-file.c: In function �쁬ain��: scripts/sign-file.c:136:2: warning: format not a string literal and no format arguments [-Wformat-security] ERR(!bd, dest_name); ^ scripts/sign-file.c:162:3: warning: format not a string literal and no format arguments [-Wformat-security] ERR(!b, pkcs7_name); ^ scripts/sign-file.c:163:3: warning: format not a string literal and no format arguments [-Wformat-security] ERR(i2d_PKCS7_bio_stream(b, pkcs7, NULL, 0) < 0, pkcs7_name); ^ scripts/sign-file.c:168:2: warning: format not a string literal and no format arguments [-Wformat-security] ERR(BIO_reset(bm) < 0, module_name); ^ scripts/sign-file.c:171:3: warning: format not a string literal and no format arguments [-Wformat-security] ERR(BIO_write(bd, buf, n) < 0, dest_name); ^ scripts/sign-file.c:173:2: warning: format not a string literal and no format arguments [-Wformat-security] ERR(n < 0, module_name); ^ scripts/sign-file.c:176:2: warning: format not a string literal and no format arguments [-Wformat-security] ERR(i2d_PKCS7_bio_stream(bd, pkcs7, NULL, 0) < 0, dest_name); ^ scripts/sign-file.c:179:2: warning: format not a string literal and no format arguments [-Wformat-security] ERR(BIO_write(bd, &sig_info, sizeof(sig_info)) < 0, dest_name); ^ scripts/sign-file.c:180:2: warning: format not a string literal and no format arguments [-Wformat-security] ERR(BIO_write(bd, magic_number, sizeof(magic_number) - 1) < 0, dest_name); ^ scripts/sign-file.c:182:2: warning: format not a string literal and no format arguments [-Wformat-security] ERR(BIO_free(bd) < 0, dest_name); ^ scripts/sign-file.c:186:3: warning: format not a string literal and no format arguments [-Wformat-security] ERR(rename(dest_name, module_name) < 0, dest_name); ^ /tmp/ccgSFKJd.o: In function `display_openssl_errors': sign-file.c:(.text+0x4e): undefined reference to `ERR_peek_error' sign-file.c:(.text+0xa1): undefined reference to `ERR_error_string' sign-file.c:(.text+0xd7): undefined reference to `ERR_get_error_line' /tmp/ccgSFKJd.o: In function `main': sign-file.c:(.text.startup+0xd5): undefined reference to `ERR_load_crypto_strings' sign-file.c:(.text.startup+0xda): undefined reference to `ERR_clear_error' sign-file.c:(.text.startup+0xe7): undefined reference to `BIO_new_file' sign-file.c:(.text.startup+0x10b): undefined reference to `PEM_read_bio_PrivateKey' sign-file.c:(.text.startup+0x118): undefined reference to `BIO_free' sign-file.c:(.text.startup+0x125): undefined reference to `BIO_new_file' sign-file.c:(.text.startup+0x149): undefined reference to `PEM_read_bio_X509' sign-file.c:(.text.startup+0x156): undefined reference to `BIO_free' sign-file.c:(.text.startup+0x165): undefined reference to `BIO_new_file' sign-file.c:(.text.startup+0x180): undefined reference to `OpenSSL_add_all_digests' sign-file.c:(.text.startup+0x192): undefined reference to `EVP_get_digestbyname' sign-file.c:(.text.startup+0x1b5): undefined reference to `BIO_new_file' sign-file.c:(.text.startup+0x1de): undefined reference to `PKCS7_sign' sign-file.c:(.text.startup+0x20f): undefined reference to `PKCS7_sign_add_signer' sign-file.c:(.text.startup+0x229): undefined reference to `PKCS7_final' sign-file.c:(.text.startup+0x286): undefined reference to `BIO_new_file' sign-file.c:(.text.startup+0x2ab): undefined reference to `i2d_PKCS7_bio_stream' sign-file.c:(.text.startup+0x2c9): undefined reference to `BIO_free' sign-file.c:(.text.startup+0x2da): undefined reference to `BIO_ctrl' sign-file.c:(.text.startup+0x303): undefined reference to `BIO_write' sign-file.c:(.text.startup+0x32b): undefined reference to `BIO_read' sign-file.c:(.text.startup+0x351): undefined reference to `BIO_number_written' sign-file.c:(.text.startup+0x363): undefined reference to `i2d_PKCS7_bio_stream' sign-file.c:(.text.startup+0x381): undefined reference to `BIO_number_written' sign-file.c:(.text.startup+0x39e): undefined reference to `BIO_write' sign-file.c:(.text.startup+0x3c4): undefined reference to `BIO_write' sign-file.c:(.text.startup+0x3dc): undefined reference to `BIO_free' collect2: error: ld returned 1 exit status make[1]: *** [scripts/sign-file] Error 1 make: *** [scripts] Error 2
