Re: [GIT PULL] MODSIGN: Use PKCS#7 for module signatures [ver #8a]

2015-08-13 Thread James Morris
On Thu, 13 Aug 2015, David Howells wrote:

> Hi James,
> 
> Can you pull this into security/next please?  Its aim is twofold: firstly,
> make the module signatures of PKCS#7/CMS format rather than a home-brewed
> format and secondly to pave the way for use of the signing code for
> firmware signatures (to follow later).

Pulled into -next.

-- 
James Morris


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/


[GIT PULL] MODSIGN: Use PKCS#7 for module signatures [ver #8a]

2015-08-13 Thread David Howells
Hi James,

Can you pull this into security/next please?  Its aim is twofold: firstly,
make the module signatures of PKCS#7/CMS format rather than a home-brewed
format and secondly to pave the way for use of the signing code for
firmware signatures (to follow later).

Note that the OpenSSL development packages are now a requirement for
building the kernel if module signing is enabled as the sign-file program
now uses the OpenSSL libraries directly rather than scripting calls to the
openssl program.

To this end, the patchset effects the following changes:

 (1) Extracts both parts of an X.509 AuthorityKeyIdentifier (AKID)
 extension.  We already extract the bit that can match the
 subjectKeyIdentifier (SKID) of the parent X.509 cert, but we currently
 ignore the bits that can match the issuer and serialNumber.

 Looks up an X.509 cert by issuer and serialNumber if those are
 provided in the AKID.  If the keyIdentifier is also provided, checks
 that the subjectKeyIdentifier of the cert found matches that also.

 If no issuer and serialNumber are provided in the AKID, looks up an
 X.509 cert by SKID using the AKID keyIdentifier.

 This allows module signing to be done with certificates that don't
 have an SKID by which they can be looked up.

 (2) Makes use of the PKCS#7 facility to provide module signatures.

 sign-file is replaced with a program that generates a PKCS#7 message
 that has no X.509 certs embedded and that has detached data (the
 module content) and adds it onto the message with magic string and
 descriptor.

 (3) The PKCS#7 message supplies all the information that is needed to
 select the X.509 cert to be used to verify the signature by standard
 means (including selection of digest algorithm and public key
 algorithm).  No kernel-specific magic values are required.

 (4) Makes it possible to get sign-file to just write out a file containing
 the PKCS#7 signature blob.  This can be used for debugging and
 potentially for firmware signing.

 (5) Extracts the function that does PKCS#7 signature verification on a
 blob from the module signing code and put it somewhere more general so
 that other things, such as firmware signing, can make use of it
 without depending on module config options.

 (6) Adds support for CMS messages in place of PKCS#7 (they're very similar
 ASN.1) and makes sign-file create CMS messages instead of PKCS#7.
 This allows signatures to refer to the verifying key by X.509 cert
 SKID instead of X.509 cert issuer and serial number.

 (7) Provides support for providing a password/pin for an encrypted private
 key to sign-file.

 (8) Makes it possible to use PKCS#11 with sign-file, thus allowing the use
 of cryptographic hardware.

 (9) Overhauls the way the module signing key is handled.  If the name in
 CONFIG_MODULE_SIG_KEY is "signing_key.pem" then a key will be
 automatically generated and placed in the build directory.  If the
 name is different, autogeneration is suppressed and the file is
 presumed to be a PEM file containing both the private key and X.509
 certificate.

(10) Overhauls the way auxiliary trusted keys are added to the kernel.
 Files matching the pattern "*.x509" are no longer just gathered up and
 cat'd together.  Now CONFIG_SYSTEM_TRUSTED_KEYS must be set to point
 to a single PEM file containing a set of X.509 certs cat'd together if
 this facility is desired.

(11) Severely restricts what authenticateAttributes are permitted in a PKCS#7
 or CMS message and what content type may be used.  This is selected by
 the in-kernel user with the appropriate VERIFYING_*_SIGNATURE constant.

Note that the revised sign-file program no longer supports the "-s
<signature>" option to add an externally generated signature.  This is
deprecated in favour of using PKCS#11.  Note also that the format of the
signature file that would be passed to -s has changed.

There are two additions since the modsign-pkcs7-20150812 tag: the PKCS#7
test module has acquired a module licence and description and we now check
the return of BIO_reset() for error in sign-file.

Thanks,
David
---
The following changes since commit 459c15e53cf7e4e88a78ecfb109af5a267c5500a:

  Merge tag 'asn1-fixes-20150805' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs into next (2015-08-07 13:27:58 +1000)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git tags/modsign-pkcs7-20150812-3

for you to fetch changes up to e9a5e8cc55286941503f36c5b7485a5aa923b3f1:

  sign-file: Fix warning about BIO_reset() return value (2015-08-13 04:03:12 +0100)


Module signing with PKCS#7


David Howells (19):
  ASN.1: Add an ASN.1 compiler option to dump the element tree
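The AKID-driven selection of the verifying certificate described in item (1) above, as an added example that is not part of the pull request or of the kernel's own code. The Cert, AKID and TrustStore types and the sample trust store are constructed for illustration; the point it shows is that a keyIdentifier sent alongside issuer/serialNumber is a consistency check that rejects on mismatch rather than a second lookup path.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    """A trusted X.509 cert reduced to the fields the lookup needs (constructed)."""
    issuer: str             # issuer DN of this cert
    serial: int             # serialNumber of this cert
    skid: Optional[bytes]   # subjectKeyIdentifier; some certs lack it

@dataclass(frozen=True)
class AKID:
    """The parts of a signer's AuthorityKeyIdentifier extension named in item (1)."""
    key_id: Optional[bytes] = None   # keyIdentifier, matches the parent's SKID
    issuer: Optional[str] = None     # authorityCertIssuer
    serial: Optional[int] = None     # authorityCertSerialNumber

class TrustStore:
    def __init__(self, certs: List[Cert]) -> None:
        self.by_issuer_serial: Dict[Tuple[str, int], Cert] = {
            (c.issuer, c.serial): c for c in certs}
        self.by_skid: Dict[bytes, Cert] = {
            c.skid: c for c in certs if c.skid is not None}

    def find_signer(self, akid: AKID) -> Optional[Cert]:
        """Select the verifying cert per the AKID rules; None means no acceptable cert."""
        if akid.issuer is not None and akid.serial is not None:
            cert = self.by_issuer_serial.get((akid.issuer, akid.serial))
            if cert is None:
                return None
            # A keyIdentifier supplied with issuer/serial must agree with the cert
            # found; a mismatch is a rejection, not a fallback to SKID lookup.
            if akid.key_id is not None and cert.skid != akid.key_id:
                return None
            return cert
        # No issuer/serial: the keyIdentifier alone selects a cert by its SKID,
        # which is why a cert without an SKID cannot be found this way.
        if akid.key_id is None:
            return None
        return self.by_skid.get(akid.key_id)

# Constructed sample store: one CA cert carries an SKID, the other does not.
CA_WITH_SKID = Cert("CN=Build Root", 0x1001, bytes.fromhex("a1b2c3d4"))
CA_NO_SKID = Cert("CN=Build Root", 0x1002, None)
STORE = TrustStore([CA_WITH_SKID, CA_NO_SKID])

if __name__ == "__main__":
    print(STORE.find_signer(AKID(key_id=bytes.fromhex("a1b2c3d4"))))
    print(STORE.find_signer(AKID(issuer="CN=Build Root", serial=0x1002)))
```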
 
