Re: [PATCH 4/5] MODSIGN: Provide a utility to append a PKCS#7 signature to a module [ver #2]

2014-12-11 Thread David Howells
Dmitry Kasatkin  wrote:

> sign-file.c produce lots of annoying noise.

Compiling it manually with -Wformat-security found those problems you listed,
and adding -W found yet another problem.  Differential patch attached.  I've
folded it into the patch that adds sign-file.c.

David
---
diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index 3f9bedbd185f..7941f499ddba 100755
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -62,12 +62,12 @@ static void display_openssl_errors(int l)
 }
 
 
-#define ERR(cond, ...)   \
+#define ERR(cond, fmt, ...)  \
do {  \
bool __cond = (cond); \
display_openssl_errors(__LINE__); \
if (__cond) { \
-   err(1, ## __VA_ARGS__);   \
+   err(1, fmt, ## __VA_ARGS__);\
} \
} while(0)
 
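Review bot: The macro now takes `fmt` as its own parameter, but nothing at the definition says it has to be a string literal, which is the property -Wformat-security was enforcing at the call sites. A comment above the macro such as `/* fmt must be a string literal; pass file names as ERR(cond, "%s", name) */` would keep later call sites from reintroducing the non-literal format. Separately, `display_openssl_errors(__LINE__)` runs between evaluating `cond` and calling `err()`, and its `fprintf` calls may change `errno`, so the strerror text that `err()` appends is not guaranteed to belong to the failing call. Saving `errno` alongside `__cond` and restoring it just before `err()` would cover that.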
@@ -133,7 +133,7 @@ int main(int argc, char **argv)
 * across as we read it.
 */
bd = BIO_new_file(dest_name, "wb");
-   ERR(!bd, dest_name);
+   ERR(!bd, "%s", dest_name);
 
/* Digest the module data. */
OpenSSL_add_all_digests();
@@ -149,7 +149,7 @@ int main(int argc, char **argv)
   PKCS7_NOCERTS | PKCS7_PARTIAL | PKCS7_BINARY | 
PKCS7_DETACHED | PKCS7_STREAM);
ERR(!pkcs7, "PKCS7_sign");
 
-   ERR(PKCS7_sign_add_signer(pkcs7, x509, private_key, digest_algo, 
PKCS7_NOCERTS | PKCS7_BINARY) < 0,
+   ERR(!PKCS7_sign_add_signer(pkcs7, x509, private_key, digest_algo, 
PKCS7_NOCERTS | PKCS7_BINARY),
"PKCS7_sign_add_signer");
ERR(PKCS7_final(pkcs7, bm, PKCS7_NOCERTS | PKCS7_BINARY) < 0,
"PKCS7_final");
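Review bot: The unchanged `PKCS7_final(...) < 0` check right after the corrected `PKCS7_sign_add_signer` test cannot fire on a failure, because PKCS7_final() is documented to return 1 on success and 0 on error, so a failed finalisation falls through and the tool carries on to write the PKCS#7 data. It should read `ERR(PKCS7_final(pkcs7, bm, PKCS7_NOCERTS | PKCS7_BINARY) != 1, "PKCS7_final");`. The same `< 0` pattern is kept in the `@@ -159,31 +159,31 @@` hunk for both `i2d_PKCS7_bio_stream()` calls and for `BIO_free(bd)`, which also report failure as 0 and want `!= 1`. For a signing tool, a missed failure there means a module with a truncated or missing signature blob could be renamed over the original without any error. main() starts before this hunk and ends in the next one.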
@@ -159,31 +159,31 @@ int main(int argc, char **argv)
 
ERR(asprintf(_name, "%s.pkcs7", module_name) < 0, 
"asprintf");
b = BIO_new_file(pkcs7_name, "wb");
-   ERR(!b, pkcs7_name);
-   ERR(i2d_PKCS7_bio_stream(b, pkcs7, NULL, 0) < 0, pkcs7_name);
+   ERR(!b, "%s", pkcs7_name);
+   ERR(i2d_PKCS7_bio_stream(b, pkcs7, NULL, 0) < 0, "%s", 
pkcs7_name);
BIO_free(b);
}
 
/* Append the marker and the PKCS#7 message to the destination file */
-   ERR(BIO_reset(bm) < 0, module_name);
+   ERR(BIO_reset(bm) < 0, "%s", module_name);
while ((n = BIO_read(bm, buf, sizeof(buf))),
   n > 0) {
-   ERR(BIO_write(bd, buf, n) < 0, dest_name);
+   ERR(BIO_write(bd, buf, n) < 0, "%s", dest_name);
}
-   ERR(n < 0, module_name);
+   ERR(n < 0, "%s", module_name);
module_size = BIO_number_written(bd);
 
-   ERR(i2d_PKCS7_bio_stream(bd, pkcs7, NULL, 0) < 0, dest_name);
+   ERR(i2d_PKCS7_bio_stream(bd, pkcs7, NULL, 0) < 0, "%s", dest_name);
pkcs7_size = BIO_number_written(bd) - module_size;
sig_info.sig_len = htonl(pkcs7_size);
-   ERR(BIO_write(bd, _info, sizeof(sig_info)) < 0, dest_name);
-   ERR(BIO_write(bd, magic_number, sizeof(magic_number) - 1) < 0, 
dest_name);
+   ERR(BIO_write(bd, _info, sizeof(sig_info)) < 0, "%s", dest_name);
+   ERR(BIO_write(bd, magic_number, sizeof(magic_number) - 1) < 0, "%s", 
dest_name);
 
-   ERR(BIO_free(bd) < 0, dest_name);
+   ERR(BIO_free(bd) < 0, "%s", dest_name);
 
/* Finally, if we're signing in place, replace the original. */
if (replace_orig)
-   ERR(rename(dest_name, module_name) < 0, dest_name);
+   ERR(rename(dest_name, module_name) < 0, "%s", dest_name);
 
return 0;
 }


Re: [PATCH 4/5] MODSIGN: Provide a utility to append a PKCS#7 signature to a module [ver #2]

2014-12-11 Thread David Howells
Dmitry Kasatkin d.kasat...@samsung.com wrote:

 sign-file.c produce lots of annoying noise.

Compiling it manually with -Wformat-security found those problems you listed,
and adding -W found yet another problem.  Differential patch attached.  I've
folded it into the patch that adds sign-file.c.

David
---
diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index 3f9bedbd185f..7941f499ddba 100755
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -62,12 +62,12 @@ static void display_openssl_errors(int l)
 }
 
 
-#define ERR(cond, ...)   \
+#define ERR(cond, fmt, ...)  \
do {  \
bool __cond = (cond); \
display_openssl_errors(__LINE__); \
if (__cond) { \
-   err(1, ## __VA_ARGS__);   \
+   err(1, fmt, ## __VA_ARGS__);\
} \
} while(0)
 
@@ -133,7 +133,7 @@ int main(int argc, char **argv)
 * across as we read it.
 */
bd = BIO_new_file(dest_name, wb);
-   ERR(!bd, dest_name);
+   ERR(!bd, %s, dest_name);
 
/* Digest the module data. */
OpenSSL_add_all_digests();
@@ -149,7 +149,7 @@ int main(int argc, char **argv)
   PKCS7_NOCERTS | PKCS7_PARTIAL | PKCS7_BINARY | 
PKCS7_DETACHED | PKCS7_STREAM);
ERR(!pkcs7, PKCS7_sign);
 
-   ERR(PKCS7_sign_add_signer(pkcs7, x509, private_key, digest_algo, 
PKCS7_NOCERTS | PKCS7_BINARY)  0,
+   ERR(!PKCS7_sign_add_signer(pkcs7, x509, private_key, digest_algo, 
PKCS7_NOCERTS | PKCS7_BINARY),
PKCS7_sign_add_signer);
ERR(PKCS7_final(pkcs7, bm, PKCS7_NOCERTS | PKCS7_BINARY)  0,
PKCS7_final);
@@ -159,31 +159,31 @@ int main(int argc, char **argv)
 
ERR(asprintf(pkcs7_name, %s.pkcs7, module_name)  0, 
asprintf);
b = BIO_new_file(pkcs7_name, wb);
-   ERR(!b, pkcs7_name);
-   ERR(i2d_PKCS7_bio_stream(b, pkcs7, NULL, 0)  0, pkcs7_name);
+   ERR(!b, %s, pkcs7_name);
+   ERR(i2d_PKCS7_bio_stream(b, pkcs7, NULL, 0)  0, %s, 
pkcs7_name);
BIO_free(b);
}
 
/* Append the marker and the PKCS#7 message to the destination file */
-   ERR(BIO_reset(bm)  0, module_name);
+   ERR(BIO_reset(bm)  0, %s, module_name);
while ((n = BIO_read(bm, buf, sizeof(buf))),
   n  0) {
-   ERR(BIO_write(bd, buf, n)  0, dest_name);
+   ERR(BIO_write(bd, buf, n)  0, %s, dest_name);
}
-   ERR(n  0, module_name);
+   ERR(n  0, %s, module_name);
module_size = BIO_number_written(bd);
 
-   ERR(i2d_PKCS7_bio_stream(bd, pkcs7, NULL, 0)  0, dest_name);
+   ERR(i2d_PKCS7_bio_stream(bd, pkcs7, NULL, 0)  0, %s, dest_name);
pkcs7_size = BIO_number_written(bd) - module_size;
sig_info.sig_len = htonl(pkcs7_size);
-   ERR(BIO_write(bd, sig_info, sizeof(sig_info))  0, dest_name);
-   ERR(BIO_write(bd, magic_number, sizeof(magic_number) - 1)  0, 
dest_name);
+   ERR(BIO_write(bd, sig_info, sizeof(sig_info))  0, %s, dest_name);
+   ERR(BIO_write(bd, magic_number, sizeof(magic_number) - 1)  0, %s, 
dest_name);
 
-   ERR(BIO_free(bd)  0, dest_name);
+   ERR(BIO_free(bd)  0, %s, dest_name);
 
/* Finally, if we're signing in place, replace the original. */
if (replace_orig)
-   ERR(rename(dest_name, module_name)  0, dest_name);
+   ERR(rename(dest_name, module_name)  0, %s, dest_name);
 
return 0;
 }


Re: [PATCH 4/5] MODSIGN: Provide a utility to append a PKCS#7 signature to a module [ver #2]

2014-12-05 Thread Dmitry Kasatkin
On 05/12/14 16:04, David Howells wrote:
> Dmitry Kasatkin  wrote:
>
>> With just "make all" on Ubuntu.
> What gcc?  I don't see any warnings.
>
> David
>

$ gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/4.8/lto-wrapper
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Ubuntu
4.8.2-19ubuntu1' --with-bugurl=file:///usr/share/doc/gcc-4.8/README.Bugs
--enable-languages=c,c++,java,go,d,fortran,objc,obj-c++ --prefix=/usr
--program-suffix=-4.8 --enable-shared --enable-linker-build-id
--libexecdir=/usr/lib --without-included-gettext --enable-threads=posix
--with-gxx-include-dir=/usr/include/c++/4.8 --libdir=/usr/lib
--enable-nls --with-sysroot=/ --enable-clocale=gnu
--enable-libstdcxx-debug --enable-libstdcxx-time=yes
--enable-gnu-unique-object --disable-libmudflap --enable-plugin
--with-system-zlib --disable-browser-plugin --enable-java-awt=gtk
--enable-gtk-cairo
--with-java-home=/usr/lib/jvm/java-1.5.0-gcj-4.8-amd64/jre
--enable-java-home
--with-jvm-root-dir=/usr/lib/jvm/java-1.5.0-gcj-4.8-amd64
--with-jvm-jar-dir=/usr/lib/jvm-exports/java-1.5.0-gcj-4.8-amd64
--with-arch-directory=amd64
--with-ecj-jar=/usr/share/java/eclipse-ecj.jar --enable-objc-gc
--enable-multiarch --disable-werror --with-arch-32=i686 --with-abi=m64
--with-multilib-list=m32,m64,mx32 --with-tune=generic
--enable-checking=release --build=x86_64-linux-gnu
--host=x86_64-linux-gnu --target=x86_64-linux-gnu
Thread model: posix
gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1)




Re: [PATCH 4/5] MODSIGN: Provide a utility to append a PKCS#7 signature to a module [ver #2]

2014-12-05 Thread David Howells
Dmitry Kasatkin  wrote:

> With just "make all" on Ubuntu.

What gcc?  I don't see any warnings.

David


Re: [PATCH 4/5] MODSIGN: Provide a utility to append a PKCS#7 signature to a module [ver #2]

2014-12-05 Thread Dmitry Kasatkin
On 05/12/14 12:23, David Howells wrote:
> Dmitry Kasatkin  wrote:
>
>> sign-file.c produce lots of annoying noise.
> How did you get it to produce that?
>
> David
>

With just "make all" on Ubuntu.


- Dmitry



Re: [PATCH 4/5] MODSIGN: Provide a utility to append a PKCS#7 signature to a module [ver #2]

2014-12-05 Thread David Howells
Dmitry Kasatkin  wrote:

> sign-file.c produce lots of annoying noise.

How did you get it to produce that?

David


Re: [PATCH 4/5] MODSIGN: Provide a utility to append a PKCS#7 signature to a module [ver #2]

2014-12-05 Thread Dmitry Kasatkin
Hi David,

sign-file.c produce lots of annoying noise.

scripts/sign-file.c:153:2: warning: format not a string literal and no
format arguments [-Wformat-security]
  ERR(!bd, dest_name);
  ^
scripts/sign-file.c:179:3: warning: format not a string literal and no
format arguments [-Wformat-security]
   ERR(!b, pkcs7_name);
   ^
scripts/sign-file.c:180:3: warning: format not a string literal and no
format arguments [-Wformat-security]
   ERR(i2d_PKCS7_bio_stream(b, pkcs7, NULL, 0) < 0, pkcs7_name);
   ^
scripts/sign-file.c:185:2: warning: format not a string literal and no
format arguments [-Wformat-security]
  ERR(BIO_reset(bm) < 0, module_name);
  ^


Would be great to fix it.

Thanks,
Dmitry


On 26/11/14 16:17, David Howells wrote:
> Provide a utility that:
>
>  (1) Digests a module using the specified hash algorithm (typically sha256).
>
>  [The digest can be dumped into a file by passing the '-d' flag]
>
>  (2) Generates a PKCS#7 message that:
>
>  (a) Has detached data (ie. the module content).
>
>  (b) Is signed with the specified private key.
>
>  (c) Refers to the specified X.509 certificate.
>
>  (d) Has an empty X.509 certificate list.
>
>  [The PKCS#7 message can be dumped into a file by passing the '-p' flag]
>
>  (3) Generates a signed module by concatenating the old module, the PKCS#7
>  message, a descriptor and a magic string.  The descriptor contains the
>  size of the PKCS#7 message and indicates the id_type as PKEY_ID_PKCS7.
>
>  (4) Either writes the signed module to the specified destination or renames
>  it over the source module.
>
> This allows module signing to reuse the PKCS#7 handling code that was added
> for PE file parsing for signed kexec.
>
> Note that the utility is written in C and must be linked against the OpenSSL
> crypto library.
>
> Note further that I have temporarily dropped support for handling externally
> created signatures until we can work out the best way to do those.  Hopefully,
> whoever creates the signature can give me a PKCS#7 certificate.
>
> Signed-off-by: David Howells 
> ---
>
>  include/crypto/public_key.h |1 
>  scripts/sign-file.c |  189 
> +++
>  2 files changed, 190 insertions(+)
>  create mode 100755 scripts/sign-file.c
>
> diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h
> index b6f27a240856..fda097e079a4 100644
> --- a/include/crypto/public_key.h
> +++ b/include/crypto/public_key.h
> @@ -33,6 +33,7 @@ extern const struct public_key_algorithm 
> *pkey_algo[PKEY_ALGO__LAST];
>  enum pkey_id_type {
>   PKEY_ID_PGP,/* OpenPGP generated key ID */
>   PKEY_ID_X509,   /* X.509 arbitrary subjectKeyIdentifier */
> + PKEY_ID_PKCS7,  /* Signature in PKCS#7 message */
>   PKEY_ID_TYPE__LAST
>  };
>  
> diff --git a/scripts/sign-file.c b/scripts/sign-file.c
> new file mode 100755
> index ..3f9bedbd185f
> --- /dev/null
> +++ b/scripts/sign-file.c
> @@ -0,0 +1,189 @@
> +/* Sign a module file using the given key.
> + *
> + * Copyright (C) 2014 Red Hat, Inc. All Rights Reserved.
> + * Written by David Howells (dhowe...@redhat.com)
> + *
> + * This program is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU General Public Licence
> + * as published by the Free Software Foundation; either version
> + * 2 of the Licence, or (at your option) any later version.
> + */
> +#define _GNU_SOURCE
> +#include 
> +#include 
> +#include 
> +#include 
> +#include 
> +#include 
> +#include 
> +#include 
> +#include 
> +#include 
> +#include 
> +#include 
> +#include 
> +
> +struct module_signature {
> + uint8_t algo;   /* Public-key crypto algorithm [0] */
> + uint8_t hash;   /* Digest algorithm [0] */
> + uint8_t id_type;/* Key identifier type [PKEY_ID_PKCS7] 
> */
> + uint8_t signer_len; /* Length of signer's name [0] */
> + uint8_t key_id_len; /* Length of key identifier [0] */
> + uint8_t __pad[3];
> + uint32_tsig_len;/* Length of signature data */
> +};
> +
> +#define PKEY_ID_PKCS7 2
> +
> +static char magic_number[] = "~Module signature appended~\n";
> +
> +static __attribute__((noreturn))
> +void format(void)
> +{
> + fprintf(stderr,
> + "Usage: scripts/sign-file [-dp]
>  []\n");
> + exit(2);
> +}
> +
> +static void display_openssl_errors(int l)
> +{
> + const char *file;
> + char buf[120];
> + int e, line;
> +
> + if (ERR_peek_error() == 0)
> + return;
> + fprintf(stderr, "At main.c:%d:\n", l);
> +
> + while ((e = ERR_get_error_line(, ))) {
> + ERR_error_string(e, buf);
> + fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line);
> + }
> +}
> +
> +
> +#define ERR(cond, ...) \
> + do {  \
> 

Re: [PATCH 4/5] MODSIGN: Provide a utility to append a PKCS#7 signature to a module [ver #2]

2014-12-05 Thread Dmitry Kasatkin
Hi David,

sign-file.c produce lots of annoying noise.

scripts/sign-file.c:153:2: warning: format not a string literal and no
format arguments [-Wformat-security]
  ERR(!bd, dest_name);
  ^
scripts/sign-file.c:179:3: warning: format not a string literal and no
format arguments [-Wformat-security]
   ERR(!b, pkcs7_name);
   ^
scripts/sign-file.c:180:3: warning: format not a string literal and no
format arguments [-Wformat-security]
   ERR(i2d_PKCS7_bio_stream(b, pkcs7, NULL, 0)  0, pkcs7_name);
   ^
scripts/sign-file.c:185:2: warning: format not a string literal and no
format arguments [-Wformat-security]
  ERR(BIO_reset(bm)  0, module_name);
  ^


Would be great to fix it.

Thanks,
Dmitry


On 26/11/14 16:17, David Howells wrote:
 Provide a utility that:

  (1) Digests a module using the specified hash algorithm (typically sha256).

  [The digest can be dumped into a file by passing the '-d' flag]

  (2) Generates a PKCS#7 message that:

  (a) Has detached data (ie. the module content).

  (b) Is signed with the specified private key.

  (c) Refers to the specified X.509 certificate.

  (d) Has an empty X.509 certificate list.

  [The PKCS#7 message can be dumped into a file by passing the '-p' flag]

  (3) Generates a signed module by concatenating the old module, the PKCS#7
  message, a descriptor and a magic string.  The descriptor contains the
  size of the PKCS#7 message and indicates the id_type as PKEY_ID_PKCS7.

  (4) Either writes the signed module to the specified destination or renames
  it over the source module.

 This allows module signing to reuse the PKCS#7 handling code that was added
 for PE file parsing for signed kexec.

 Note that the utility is written in C and must be linked against the OpenSSL
 crypto library.

 Note further that I have temporarily dropped support for handling externally
 created signatures until we can work out the best way to do those.  Hopefully,
 whoever creates the signature can give me a PKCS#7 certificate.

 Signed-off-by: David Howells dhowe...@redhat.com
 ---

  include/crypto/public_key.h |1 
  scripts/sign-file.c |  189 
 +++
  2 files changed, 190 insertions(+)
  create mode 100755 scripts/sign-file.c

 diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h
 index b6f27a240856..fda097e079a4 100644
 --- a/include/crypto/public_key.h
 +++ b/include/crypto/public_key.h
 @@ -33,6 +33,7 @@ extern const struct public_key_algorithm 
 *pkey_algo[PKEY_ALGO__LAST];
  enum pkey_id_type {
   PKEY_ID_PGP,/* OpenPGP generated key ID */
   PKEY_ID_X509,   /* X.509 arbitrary subjectKeyIdentifier */
 + PKEY_ID_PKCS7,  /* Signature in PKCS#7 message */
   PKEY_ID_TYPE__LAST
  };
  
 diff --git a/scripts/sign-file.c b/scripts/sign-file.c
 new file mode 100755
 index ..3f9bedbd185f
 --- /dev/null
 +++ b/scripts/sign-file.c
 @@ -0,0 +1,189 @@
 +/* Sign a module file using the given key.
 + *
 + * Copyright (C) 2014 Red Hat, Inc. All Rights Reserved.
 + * Written by David Howells (dhowe...@redhat.com)
 + *
 + * This program is free software; you can redistribute it and/or
 + * modify it under the terms of the GNU General Public Licence
 + * as published by the Free Software Foundation; either version
 + * 2 of the Licence, or (at your option) any later version.
 + */
 +#define _GNU_SOURCE
 +#include stdio.h
 +#include stdlib.h
 +#include stdint.h
 +#include stdbool.h
 +#include string.h
 +#include getopt.h
 +#include err.h
 +#include arpa/inet.h
 +#include openssl/bio.h
 +#include openssl/evp.h
 +#include openssl/pem.h
 +#include openssl/pkcs7.h
 +#include openssl/err.h
 +
 +struct module_signature {
 + uint8_t algo;   /* Public-key crypto algorithm [0] */
 + uint8_t hash;   /* Digest algorithm [0] */
 + uint8_t id_type;/* Key identifier type [PKEY_ID_PKCS7] 
 */
 + uint8_t signer_len; /* Length of signer's name [0] */
 + uint8_t key_id_len; /* Length of key identifier [0] */
 + uint8_t __pad[3];
 + uint32_tsig_len;/* Length of signature data */
 +};
 +
 +#define PKEY_ID_PKCS7 2
 +
 +static char magic_number[] = ~Module signature appended~\n;
 +
 +static __attribute__((noreturn))
 +void format(void)
 +{
 + fprintf(stderr,
 + Usage: scripts/sign-file [-dp] hash algo key x509 
 module [dest]\n);
 + exit(2);
 +}
 +
 +static void display_openssl_errors(int l)
 +{
 + const char *file;
 + char buf[120];
 + int e, line;
 +
 + if (ERR_peek_error() == 0)
 + return;
 + fprintf(stderr, At main.c:%d:\n, l);
 +
 + while ((e = ERR_get_error_line(file, line))) {
 + ERR_error_string(e, buf);
 + fprintf(stderr, - SSL %s: %s:%d\n, buf, file, line);
 + }
 +}
 +
 +
 +#define ERR(cond, ...) \
 + do 

Re: [PATCH 4/5] MODSIGN: Provide a utility to append a PKCS#7 signature to a module [ver #2]

2014-12-05 Thread David Howells
Dmitry Kasatkin d.kasat...@samsung.com wrote:

 sign-file.c produce lots of annoying noise.

How did you get it to produce that?

David


Re: [PATCH 4/5] MODSIGN: Provide a utility to append a PKCS#7 signature to a module [ver #2]

2014-12-05 Thread Dmitry Kasatkin
On 05/12/14 12:23, David Howells wrote:
 Dmitry Kasatkin d.kasat...@samsung.com wrote:

 sign-file.c produce lots of annoying noise.
 How did you get it to produce that?

 David


With just make all on Ubuntu.


- Dmitry



Re: [PATCH 4/5] MODSIGN: Provide a utility to append a PKCS#7 signature to a module [ver #2]

2014-12-05 Thread David Howells
Dmitry Kasatkin d.kasat...@samsung.com wrote:

 With just make all on Ubuntu.

What gcc?  I don't see any warnings.

David


Re: [PATCH 4/5] MODSIGN: Provide a utility to append a PKCS#7 signature to a module [ver #2]

2014-12-05 Thread Dmitry Kasatkin
On 05/12/14 16:04, David Howells wrote:
 Dmitry Kasatkin d.kasat...@samsung.com wrote:

 With just make all on Ubuntu.
 What gcc?  I don't see any warnings.

 David


$ gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/4.8/lto-wrapper
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Ubuntu
4.8.2-19ubuntu1' --with-bugurl=file:///usr/share/doc/gcc-4.8/README.Bugs
--enable-languages=c,c++,java,go,d,fortran,objc,obj-c++ --prefix=/usr
--program-suffix=-4.8 --enable-shared --enable-linker-build-id
--libexecdir=/usr/lib --without-included-gettext --enable-threads=posix
--with-gxx-include-dir=/usr/include/c++/4.8 --libdir=/usr/lib
--enable-nls --with-sysroot=/ --enable-clocale=gnu
--enable-libstdcxx-debug --enable-libstdcxx-time=yes
--enable-gnu-unique-object --disable-libmudflap --enable-plugin
--with-system-zlib --disable-browser-plugin --enable-java-awt=gtk
--enable-gtk-cairo
--with-java-home=/usr/lib/jvm/java-1.5.0-gcj-4.8-amd64/jre
--enable-java-home
--with-jvm-root-dir=/usr/lib/jvm/java-1.5.0-gcj-4.8-amd64
--with-jvm-jar-dir=/usr/lib/jvm-exports/java-1.5.0-gcj-4.8-amd64
--with-arch-directory=amd64
--with-ecj-jar=/usr/share/java/eclipse-ecj.jar --enable-objc-gc
--enable-multiarch --disable-werror --with-arch-32=i686 --with-abi=m64
--with-multilib-list=m32,m64,mx32 --with-tune=generic
--enable-checking=release --build=x86_64-linux-gnu
--host=x86_64-linux-gnu --target=x86_64-linux-gnu
Thread model: posix
gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1)




[PATCH 4/5] MODSIGN: Provide a utility to append a PKCS#7 signature to a module [ver #2]

2014-11-26 Thread David Howells
Provide a utility that:

 (1) Digests a module using the specified hash algorithm (typically sha256).

 [The digest can be dumped into a file by passing the '-d' flag]

 (2) Generates a PKCS#7 message that:

 (a) Has detached data (ie. the module content).

 (b) Is signed with the specified private key.

 (c) Refers to the specified X.509 certificate.

 (d) Has an empty X.509 certificate list.

 [The PKCS#7 message can be dumped into a file by passing the '-p' flag]

 (3) Generates a signed module by concatenating the old module, the PKCS#7
 message, a descriptor and a magic string.  The descriptor contains the
 size of the PKCS#7 message and indicates the id_type as PKEY_ID_PKCS7.

 (4) Either writes the signed module to the specified destination or renames
 it over the source module.

This allows module signing to reuse the PKCS#7 handling code that was added
for PE file parsing for signed kexec.

Note that the utility is written in C and must be linked against the OpenSSL
crypto library.

Note further that I have temporarily dropped support for handling externally
created signatures until we can work out the best way to do those.  Hopefully,
whoever creates the signature can give me a PKCS#7 certificate.

Signed-off-by: David Howells 
---

 include/crypto/public_key.h |1 
 scripts/sign-file.c |  189 +++
 2 files changed, 190 insertions(+)
 create mode 100755 scripts/sign-file.c

diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h
index b6f27a240856..fda097e079a4 100644
--- a/include/crypto/public_key.h
+++ b/include/crypto/public_key.h
@@ -33,6 +33,7 @@ extern const struct public_key_algorithm 
*pkey_algo[PKEY_ALGO__LAST];
 enum pkey_id_type {
PKEY_ID_PGP,/* OpenPGP generated key ID */
PKEY_ID_X509,   /* X.509 arbitrary subjectKeyIdentifier */
+   PKEY_ID_PKCS7,  /* Signature in PKCS#7 message */
PKEY_ID_TYPE__LAST
 };
 
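Review bot: `PKEY_ID_PKCS7` gets its value only from its position in the enum, while scripts/sign-file.c in the same patch hard-codes `#define PKEY_ID_PKCS7 2` and stores it in the `id_type` byte of the appended `struct module_signature`. Since that byte ends up in the signed module file, I would pin the value explicitly, e.g. `PKEY_ID_PKCS7 = 2,	/* Signature in PKCS#7 message */`, or at least add a comment that the order must not change because sign-file.c mirrors it. Otherwise a later insertion above this line would presumably shift the value the kernel side expects without any build error in the userspace tool.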
diff --git a/scripts/sign-file.c b/scripts/sign-file.c
new file mode 100755
index ..3f9bedbd185f
--- /dev/null
+++ b/scripts/sign-file.c
@@ -0,0 +1,189 @@
+/* Sign a module file using the given key.
+ *
+ * Copyright (C) 2014 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowe...@redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+#define _GNU_SOURCE
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+struct module_signature {
+   uint8_t algo;   /* Public-key crypto algorithm [0] */
+   uint8_t hash;   /* Digest algorithm [0] */
+   uint8_t id_type;/* Key identifier type [PKEY_ID_PKCS7] 
*/
+   uint8_t signer_len; /* Length of signer's name [0] */
+   uint8_t key_id_len; /* Length of key identifier [0] */
+   uint8_t __pad[3];
+   uint32_tsig_len;/* Length of signature data */
+};
+
+#define PKEY_ID_PKCS7 2
+
+static char magic_number[] = "~Module signature appended~\n";
+
+static __attribute__((noreturn))
+void format(void)
+{
+   fprintf(stderr,
+   "Usage: scripts/sign-file [-dp]
 []\n");
+   exit(2);
+}
+
+static void display_openssl_errors(int l)
+{
+   const char *file;
+   char buf[120];
+   int e, line;
+
+   if (ERR_peek_error() == 0)
+   return;
+   fprintf(stderr, "At main.c:%d:\n", l);
+
+   while ((e = ERR_get_error_line(, ))) {
+   ERR_error_string(e, buf);
+   fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line);
+   }
+}
+
+
+#define ERR(cond, ...)   \
+   do {  \
+   bool __cond = (cond); \
+   display_openssl_errors(__LINE__); \
+   if (__cond) { \
+   err(1, ## __VA_ARGS__);   \
+   } \
+   } while(0)
+
+int main(int argc, char **argv)
+{
+   struct module_signature sig_info = { .id_type = PKEY_ID_PKCS7 };
+   char *hash_algo = NULL;
+   char *private_key_name, *x509_name, *module_name, *dest_name;
+   bool save_pkcs7 = false, replace_orig;
+   unsigned char buf[4096];
+   unsigned long module_size, pkcs7_size;
+   const EVP_MD *digest_algo;
+   EVP_PKEY *private_key;
+   PKCS7 *pkcs7;
+   X509 *x509;
+   BIO *b, *bd, *bm;
+   int opt, n;
+
+   do {
+   opt = getopt(argc, argv, "dp");
+   switch (opt) {
+   case 'p': save_pkcs7 = true; break;
+   case -1: 

[PATCH 4/5] MODSIGN: Provide a utility to append a PKCS#7 signature to a module [ver #2]

2014-11-26 Thread David Howells
Provide a utility that:

 (1) Digests a module using the specified hash algorithm (typically sha256).

 [The digest can be dumped into a file by passing the '-d' flag]

 (2) Generates a PKCS#7 message that:

 (a) Has detached data (ie. the module content).

 (b) Is signed with the specified private key.

 (c) Refers to the specified X.509 certificate.

 (d) Has an empty X.509 certificate list.

 [The PKCS#7 message can be dumped into a file by passing the '-p' flag]

 (3) Generates a signed module by concatenating the old module, the PKCS#7
 message, a descriptor and a magic string.  The descriptor contains the
 size of the PKCS#7 message and indicates the id_type as PKEY_ID_PKCS7.

 (4) Either writes the signed module to the specified destination or renames
 it over the source module.

This allows module signing to reuse the PKCS#7 handling code that was added
for PE file parsing for signed kexec.

Note that the utility is written in C and must be linked against the OpenSSL
crypto library.

Note further that I have temporarily dropped support for handling externally
created signatures until we can work out the best way to do those.  Hopefully,
whoever creates the signature can give me a PKCS#7 certificate.

Signed-off-by: David Howells dhowe...@redhat.com
---

 include/crypto/public_key.h |1 
 scripts/sign-file.c |  189 +++
 2 files changed, 190 insertions(+)
 create mode 100755 scripts/sign-file.c

diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h
index b6f27a240856..fda097e079a4 100644
--- a/include/crypto/public_key.h
+++ b/include/crypto/public_key.h
@@ -33,6 +33,7 @@ extern const struct public_key_algorithm 
*pkey_algo[PKEY_ALGO__LAST];
 enum pkey_id_type {
PKEY_ID_PGP,/* OpenPGP generated key ID */
PKEY_ID_X509,   /* X.509 arbitrary subjectKeyIdentifier */
+   PKEY_ID_PKCS7,  /* Signature in PKCS#7 message */
PKEY_ID_TYPE__LAST
 };
 
diff --git a/scripts/sign-file.c b/scripts/sign-file.c
new file mode 100755
index ..3f9bedbd185f
--- /dev/null
+++ b/scripts/sign-file.c
@@ -0,0 +1,189 @@
+/* Sign a module file using the given key.
+ *
+ * Copyright (C) 2014 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowe...@redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+#define _GNU_SOURCE
+#include stdio.h
+#include stdlib.h
+#include stdint.h
+#include stdbool.h
+#include string.h
+#include getopt.h
+#include err.h
+#include arpa/inet.h
+#include openssl/bio.h
+#include openssl/evp.h
+#include openssl/pem.h
+#include openssl/pkcs7.h
+#include openssl/err.h
+
+struct module_signature {
+   uint8_t algo;   /* Public-key crypto algorithm [0] */
+   uint8_t hash;   /* Digest algorithm [0] */
+   uint8_t id_type;/* Key identifier type [PKEY_ID_PKCS7] 
*/
+   uint8_t signer_len; /* Length of signer's name [0] */
+   uint8_t key_id_len; /* Length of key identifier [0] */
+   uint8_t __pad[3];
+   uint32_tsig_len;/* Length of signature data */
+};
+
+#define PKEY_ID_PKCS7 2
+
+static char magic_number[] = ~Module signature appended~\n;
+
+static __attribute__((noreturn))
+void format(void)
+{
+   fprintf(stderr,
+   Usage: scripts/sign-file [-dp] hash algo key x509 
module [dest]\n);
+   exit(2);
+}
+
+static void display_openssl_errors(int l)
+{
+   const char *file;
+   char buf[120];
+   int e, line;
+
+   if (ERR_peek_error() == 0)
+   return;
+   fprintf(stderr, At main.c:%d:\n, l);
+
+   while ((e = ERR_get_error_line(file, line))) {
+   ERR_error_string(e, buf);
+   fprintf(stderr, - SSL %s: %s:%d\n, buf, file, line);
+   }
+}
+
+
+#define ERR(cond, ...)   \
+   do {  \
+   bool __cond = (cond); \
+   display_openssl_errors(__LINE__); \
+   if (__cond) { \
+   err(1, ## __VA_ARGS__);   \
+   } \
+   } while(0)
+
+int main(int argc, char **argv)
+{
+   struct module_signature sig_info = { .id_type = PKEY_ID_PKCS7 };
+   char *hash_algo = NULL;
+   char *private_key_name, *x509_name, *module_name, *dest_name;
+   bool save_pkcs7 = false, replace_orig;
+   unsigned char buf[4096];
+   unsigned long module_size, pkcs7_size;
+   const EVP_MD *digest_algo;
+   EVP_PKEY *private_key;
+   PKCS7 *pkcs7;
+   X509 *x509;
+   BIO *b, *bd, *bm;
+   int opt,