On Tue, 2015-05-19 at 15:45 +0100, David Woodhouse wrote: > We don't want this in the Kconfig since it might then get exposed in > /proc/config.gz. So make it a parameter to Kbuild instead. This also > means we don't have to jump through hoops to strip quotes from it, as > we would if it was a config option.
Definitely better. (FYI, Dmitry's modsig patches from 2012 used the keyring for safely storing a password. ) Mimi > Signed-off-by: David Woodhouse <[email protected]> > --- > Documentation/kbuild/kbuild.txt | 5 +++++ > Documentation/module-signing.txt | 3 +++ > scripts/sign-file.c | 27 ++++++++++++++++++++++++++- > 3 files changed, 34 insertions(+), 1 deletion(-) > > diff --git a/Documentation/kbuild/kbuild.txt b/Documentation/kbuild/kbuild.txt > index 6466704..0ff6a46 100644 > --- a/Documentation/kbuild/kbuild.txt > +++ b/Documentation/kbuild/kbuild.txt > @@ -174,6 +174,11 @@ The output directory is often set using "O=..." on the > commandline. > > The value can be overridden in which case the default value is ignored. > > +KBUILD_SIGN_PIN > +-------------------------------------------------- > +This variable allows a passphrase or PIN to be passed to the sign-file > +utility when signing kernel modules, if the private key requires such. > + > KBUILD_MODPOST_WARN > -------------------------------------------------- > KBUILD_MODPOST_WARN can be set to avoid errors in case of undefined > diff --git a/Documentation/module-signing.txt > b/Documentation/module-signing.txt > index c72702e..faaa6ea 100644 > --- a/Documentation/module-signing.txt > +++ b/Documentation/module-signing.txt > @@ -194,6 +194,9 @@ The hash algorithm used does not have to match the one > configured, but if it > doesn't, you should make sure that hash algorithm is either built into the > kernel or can be loaded without requiring itself. > > +If the private key requires a passphrase or PIN, it can be provided in the > +$KBUILD_SIGN_PIN environment variable. > + > > ============================ > SIGNED MODULES AND STRIPPING > diff --git a/scripts/sign-file.c b/scripts/sign-file.c > index 39aaabe..720b9bc 100755 > --- a/scripts/sign-file.c > +++ b/scripts/sign-file.c > @@ -80,6 +80,27 @@ static void drain_openssl_errors(void) > } \ > } while(0) > > +static const char *key_pass; > + > +static int pem_pw_cb(char *buf, int len, int w, void *v) > +{ > + int pwlen; > + > + if (!key_pass) > + return -1; > + > + pwlen = strlen(key_pass); > + if (pwlen >= len) > + return -1; > + > + strcpy(buf, key_pass); > + > + /* If it's wrong, don't keep trying it. */ > + key_pass = NULL; > + > + return pwlen; > +} > + > int main(int argc, char **argv) > { > struct module_signature sig_info = { .id_type = PKEY_ID_PKCS7 }; > @@ -96,9 +117,12 @@ int main(int argc, char **argv) > BIO *b, *bd = NULL, *bm; > int opt, n; > > + OpenSSL_add_all_algorithms(); > ERR_load_crypto_strings(); > ERR_clear_error(); > > + key_pass = getenv("KBUILD_SIGN_PIN"); > + > do { > opt = getopt(argc, argv, "dp"); > switch (opt) { > @@ -132,7 +156,8 @@ int main(int argc, char **argv) > */ > b = BIO_new_file(private_key_name, "rb"); > ERR(!b, "%s", private_key_name); > - private_key = PEM_read_bio_PrivateKey(b, NULL, NULL, NULL); > + private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb, NULL); > + ERR(!private_key, "%s", private_key_name); > BIO_free(b); > > b = BIO_new_file(x509_name, "rb"); > -- > 2.4.0 > > -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
