Re: [PATCH 4/5] MODSIGN: Provide a utility to append a PKCS#7 signature to a module [ver #2]
Dmitry Kasatkin wrote: > sign-file.c produce lots of annoying noise. Compiling it manually with -Wformat-security found those problems you listed and add -W found yet another problem. Differential patch attached. I've folded it into the patch that adds sign-file.c. David --- diff --git a/scripts/sign-file.c b/scripts/sign-file.c index 3f9bedbd185f..7941f499ddba 100755 --- a/scripts/sign-file.c +++ b/scripts/sign-file.c @@ -62,12 +62,12 @@ static void display_openssl_errors(int l) } -#define ERR(cond, ...) \ +#define ERR(cond, fmt, ...) \ do { \ bool __cond = (cond); \ display_openssl_errors(__LINE__); \ if (__cond) { \ - err(1, ## __VA_ARGS__); \ + err(1, fmt, ## __VA_ARGS__);\ } \ } while(0) @@ -133,7 +133,7 @@ int main(int argc, char **argv) * across as we read it. */ bd = BIO_new_file(dest_name, "wb"); - ERR(!bd, dest_name); + ERR(!bd, "%s", dest_name); /* Digest the module data. */ OpenSSL_add_all_digests(); @@ -149,7 +149,7 @@ int main(int argc, char **argv) PKCS7_NOCERTS | PKCS7_PARTIAL | PKCS7_BINARY | PKCS7_DETACHED | PKCS7_STREAM); ERR(!pkcs7, "PKCS7_sign"); - ERR(PKCS7_sign_add_signer(pkcs7, x509, private_key, digest_algo, PKCS7_NOCERTS | PKCS7_BINARY) < 0, + ERR(!PKCS7_sign_add_signer(pkcs7, x509, private_key, digest_algo, PKCS7_NOCERTS | PKCS7_BINARY), "PKCS7_sign_add_signer"); ERR(PKCS7_final(pkcs7, bm, PKCS7_NOCERTS | PKCS7_BINARY) < 0, "PKCS7_final"); 
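Review bot: ERR() still accepts any expression as `fmt`, so a later call site can pass a file name as the format string again, and the only safeguard is a -Wformat-security warning that is not enabled by default in every toolchain. Pasting an empty literal in front of the parameter, `err(1, "" fmt, ## __VA_ARGS__);`, turns a non-literal format into a compile error without touching any of the call sites updated in this patch. A short comment above the macro would also help, for example `/* fmt must be a string literal; pass file names through "%s" */`.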
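Review bot: The `PKCS7_final(pkcs7, bm, PKCS7_NOCERTS | PKCS7_BINARY) < 0` check kept as context directly below the corrected PKCS7_sign_add_signer() line can never fire, because PKCS7_final() reports failure as 0 and success as 1. A failed finalisation would pass silently and the tool would go on to append an incomplete PKCS#7 message to the module, so the check should read `ERR(PKCS7_final(pkcs7, bm, PKCS7_NOCERTS | PKCS7_BINARY) != 1, "PKCS7_final");`. The same `< 0` pattern remains in the @@ -159,31 hunk on `i2d_PKCS7_bio_stream()` and `BIO_free()`, which also return 1 or 0, and on `BIO_write()`, where a return of 0 means nothing was written. main() begins and ends outside this hunk.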
@@ -159,31 +159,31 @@ int main(int argc, char **argv) ERR(asprintf(_name, "%s.pkcs7", module_name) < 0, "asprintf"); b = BIO_new_file(pkcs7_name, "wb"); - ERR(!b, pkcs7_name); - ERR(i2d_PKCS7_bio_stream(b, pkcs7, NULL, 0) < 0, pkcs7_name); + ERR(!b, "%s", pkcs7_name); + ERR(i2d_PKCS7_bio_stream(b, pkcs7, NULL, 0) < 0, "%s", pkcs7_name); BIO_free(b); } /* Append the marker and the PKCS#7 message to the destination file */ - ERR(BIO_reset(bm) < 0, module_name); + ERR(BIO_reset(bm) < 0, "%s", module_name); while ((n = BIO_read(bm, buf, sizeof(buf))), n > 0) { - ERR(BIO_write(bd, buf, n) < 0, dest_name); + ERR(BIO_write(bd, buf, n) < 0, "%s", dest_name); } - ERR(n < 0, module_name); + ERR(n < 0, "%s", module_name); module_size = BIO_number_written(bd); - ERR(i2d_PKCS7_bio_stream(bd, pkcs7, NULL, 0) < 0, dest_name); + ERR(i2d_PKCS7_bio_stream(bd, pkcs7, NULL, 0) < 0, "%s", dest_name); pkcs7_size = BIO_number_written(bd) - module_size; sig_info.sig_len = htonl(pkcs7_size); - ERR(BIO_write(bd, _info, sizeof(sig_info)) < 0, dest_name); - ERR(BIO_write(bd, magic_number, sizeof(magic_number) - 1) < 0, dest_name); + ERR(BIO_write(bd, _info, sizeof(sig_info)) < 0, "%s", dest_name); + ERR(BIO_write(bd, magic_number, sizeof(magic_number) - 1) < 0, "%s", dest_name); - ERR(BIO_free(bd) < 0, dest_name); + ERR(BIO_free(bd) < 0, "%s", dest_name); /* Finally, if we're signing in place, replace the original. */ if (replace_orig) - ERR(rename(dest_name, module_name) < 0, dest_name); + ERR(rename(dest_name, module_name) < 0, "%s", dest_name); return 0; } -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH 4/5] MODSIGN: Provide a utility to append a PKCS#7 signature to a module [ver #2]
Dmitry Kasatkin d.kasat...@samsung.com wrote: sign-file.c produce lots of annoying noise. Compiling it manually with -Wformat-security found those problems you listed and add -W found yet another problem. Differential patch attached. I've folded it into the patch that adds sign-file.c. David --- diff --git a/scripts/sign-file.c b/scripts/sign-file.c index 3f9bedbd185f..7941f499ddba 100755 --- a/scripts/sign-file.c +++ b/scripts/sign-file.c @@ -62,12 +62,12 @@ static void display_openssl_errors(int l) } -#define ERR(cond, ...) \ +#define ERR(cond, fmt, ...) \ do { \ bool __cond = (cond); \ display_openssl_errors(__LINE__); \ if (__cond) { \ - err(1, ## __VA_ARGS__); \ + err(1, fmt, ## __VA_ARGS__);\ } \ } while(0) @@ -133,7 +133,7 @@ int main(int argc, char **argv) * across as we read it. */ bd = BIO_new_file(dest_name, wb); - ERR(!bd, dest_name); + ERR(!bd, %s, dest_name); /* Digest the module data. */ OpenSSL_add_all_digests(); @@ -149,7 +149,7 @@ int main(int argc, char **argv) PKCS7_NOCERTS | PKCS7_PARTIAL | PKCS7_BINARY | PKCS7_DETACHED | PKCS7_STREAM); ERR(!pkcs7, PKCS7_sign); - ERR(PKCS7_sign_add_signer(pkcs7, x509, private_key, digest_algo, PKCS7_NOCERTS | PKCS7_BINARY) 0, + ERR(!PKCS7_sign_add_signer(pkcs7, x509, private_key, digest_algo, PKCS7_NOCERTS | PKCS7_BINARY), PKCS7_sign_add_signer); ERR(PKCS7_final(pkcs7, bm, PKCS7_NOCERTS | PKCS7_BINARY) 0, PKCS7_final); 
@@ -159,31 +159,31 @@ int main(int argc, char **argv) ERR(asprintf(pkcs7_name, %s.pkcs7, module_name) 0, asprintf); b = BIO_new_file(pkcs7_name, wb); - ERR(!b, pkcs7_name); - ERR(i2d_PKCS7_bio_stream(b, pkcs7, NULL, 0) 0, pkcs7_name); + ERR(!b, %s, pkcs7_name); + ERR(i2d_PKCS7_bio_stream(b, pkcs7, NULL, 0) 0, %s, pkcs7_name); BIO_free(b); } /* Append the marker and the PKCS#7 message to the destination file */ - ERR(BIO_reset(bm) 0, module_name); + ERR(BIO_reset(bm) 0, %s, module_name); while ((n = BIO_read(bm, buf, sizeof(buf))), n 0) { - ERR(BIO_write(bd, buf, n) 0, dest_name); + ERR(BIO_write(bd, buf, n) 0, %s, dest_name); } - ERR(n 0, module_name); + ERR(n 0, %s, module_name); module_size = BIO_number_written(bd); - ERR(i2d_PKCS7_bio_stream(bd, pkcs7, NULL, 0) 0, dest_name); + ERR(i2d_PKCS7_bio_stream(bd, pkcs7, NULL, 0) 0, %s, dest_name); pkcs7_size = BIO_number_written(bd) - module_size; sig_info.sig_len = htonl(pkcs7_size); - ERR(BIO_write(bd, sig_info, sizeof(sig_info)) 0, dest_name); - ERR(BIO_write(bd, magic_number, sizeof(magic_number) - 1) 0, dest_name); + ERR(BIO_write(bd, sig_info, sizeof(sig_info)) 0, %s, dest_name); + ERR(BIO_write(bd, magic_number, sizeof(magic_number) - 1) 0, %s, dest_name); - ERR(BIO_free(bd) 0, dest_name); + ERR(BIO_free(bd) 0, %s, dest_name); /* Finally, if we're signing in place, replace the original. */ if (replace_orig) - ERR(rename(dest_name, module_name) 0, dest_name); + ERR(rename(dest_name, module_name) 0, %s, dest_name); return 0; } -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH 4/5] MODSIGN: Provide a utility to append a PKCS#7 signature to a module [ver #2]
On 05/12/14 16:04, David Howells wrote: > Dmitry Kasatkin wrote: > >> With just "make all" on Ubuntu. > What gcc? I don't see any warnings. > > David > $ gcc -v Using built-in specs. COLLECT_GCC=gcc COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/4.8/lto-wrapper Target: x86_64-linux-gnu Configured with: ../src/configure -v --with-pkgversion='Ubuntu 4.8.2-19ubuntu1' --with-bugurl=file:///usr/share/doc/gcc-4.8/README.Bugs --enable-languages=c,c++,java,go,d,fortran,objc,obj-c++ --prefix=/usr --program-suffix=-4.8 --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --with-gxx-include-dir=/usr/include/c++/4.8 --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --enable-gnu-unique-object --disable-libmudflap --enable-plugin --with-system-zlib --disable-browser-plugin --enable-java-awt=gtk --enable-gtk-cairo --with-java-home=/usr/lib/jvm/java-1.5.0-gcj-4.8-amd64/jre --enable-java-home --with-jvm-root-dir=/usr/lib/jvm/java-1.5.0-gcj-4.8-amd64 --with-jvm-jar-dir=/usr/lib/jvm-exports/java-1.5.0-gcj-4.8-amd64 --with-arch-directory=amd64 --with-ecj-jar=/usr/share/java/eclipse-ecj.jar --enable-objc-gc --enable-multiarch --disable-werror --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --with-tune=generic --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu Thread model: posix gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1) -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH 4/5] MODSIGN: Provide a utility to append a PKCS#7 signature to a module [ver #2]
Dmitry Kasatkin wrote: > With just "make all" on Ubuntu. What gcc? I don't see any warnings. David -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH 4/5] MODSIGN: Provide a utility to append a PKCS#7 signature to a module [ver #2]
On 05/12/14 12:23, David Howells wrote: > Dmitry Kasatkin wrote: > >> sign-file.c produce lots of annoying noise. > How did you get it to produce that? > > David > With just "make all" on Ubuntu. - Dmitry -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH 4/5] MODSIGN: Provide a utility to append a PKCS#7 signature to a module [ver #2]
Dmitry Kasatkin wrote: > sign-file.c produce lots of annoying noise. How did you get it to produce that? David -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH 4/5] MODSIGN: Provide a utility to append a PKCS#7 signature to a module [ver #2]
Hi David, sign-file.c produce lots of annoying noise. scripts/sign-file.c:153:2: warning: format not a string literal and no format arguments [-Wformat-security] ERR(!bd, dest_name); ^ scripts/sign-file.c:179:3: warning: format not a string literal and no format arguments [-Wformat-security] ERR(!b, pkcs7_name); ^ scripts/sign-file.c:180:3: warning: format not a string literal and no format arguments [-Wformat-security] ERR(i2d_PKCS7_bio_stream(b, pkcs7, NULL, 0) < 0, pkcs7_name); ^ scripts/sign-file.c:185:2: warning: format not a string literal and no format arguments [-Wformat-security] ERR(BIO_reset(bm) < 0, module_name); ^ Would be great to fix it. Thanks, Dmitry On 26/11/14 16:17, David Howells wrote: > Provide a utility that: > > (1) Digests a module using the specified hash algorithm (typically sha256). > > [The digest can be dumped into a file by passing the '-d' flag] > > (2) Generates a PKCS#7 message that: > > (a) Has detached data (ie. the module content). > > (b) Is signed with the specified private key. > > (c) Refers to the specified X.509 certificate. > > (d) Has an empty X.509 certificate list. > > [The PKCS#7 message can be dumped into a file by passing the '-p' flag] > > (3) Generates a signed module by concatenating the old module, the PKCS#7 > message, a descriptor and a magic string. The descriptor contains the > size of the PKCS#7 message and indicates the id_type as PKEY_ID_PKCS7. > > (4) Either writes the signed module to the specified destination or renames > it over the source module. > > This allows module signing to reuse the PKCS#7 handling code that was added > for PE file parsing for signed kexec. > > Note that the utility is written in C and must be linked against the OpenSSL > crypto library. > > Note further that I have temporarily dropped support for handling externally > created signatures until we can work out the best way to do those. Hopefully, > whoever creates the signature can give me a PKCS#7 certificate. 
> > Signed-off-by: David Howells > --- > > include/crypto/public_key.h |1 > scripts/sign-file.c | 189 > +++ > 2 files changed, 190 insertions(+) > create mode 100755 scripts/sign-file.c > > diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h > index b6f27a240856..fda097e079a4 100644 > --- a/include/crypto/public_key.h > +++ b/include/crypto/public_key.h > @@ -33,6 +33,7 @@ extern const struct public_key_algorithm > *pkey_algo[PKEY_ALGO__LAST]; > enum pkey_id_type { > PKEY_ID_PGP,/* OpenPGP generated key ID */ > PKEY_ID_X509, /* X.509 arbitrary subjectKeyIdentifier */ > + PKEY_ID_PKCS7, /* Signature in PKCS#7 message */ > PKEY_ID_TYPE__LAST > }; > > diff --git a/scripts/sign-file.c b/scripts/sign-file.c > new file mode 100755 > index ..3f9bedbd185f > --- /dev/null > +++ b/scripts/sign-file.c 
> @@ -0,0 +1,189 @@ > +/* Sign a module file using the given key. > + * > + * Copyright (C) 2014 Red Hat, Inc. All Rights Reserved. > + * Written by David Howells (dhowe...@redhat.com) > + * > + * This program is free software; you can redistribute it and/or > + * modify it under the terms of the GNU General Public Licence > + * as published by the Free Software Foundation; either version > + * 2 of the Licence, or (at your option) any later version. > + */ > +#define _GNU_SOURCE > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > + > +struct module_signature { > + uint8_t algo; /* Public-key crypto algorithm [0] */ > + uint8_t hash; /* Digest algorithm [0] */ > + uint8_t id_type;/* Key identifier type [PKEY_ID_PKCS7] > */ > + uint8_t signer_len; /* Length of signer's name [0] */ > + uint8_t key_id_len; /* Length of key identifier [0] */ > + uint8_t __pad[3]; > + uint32_tsig_len;/* Length of signature data */ > +}; > + > +#define PKEY_ID_PKCS7 2 > + > +static char magic_number[] = "~Module signature appended~\n"; > + > +static __attribute__((noreturn)) > +void format(void) > +{ > + fprintf(stderr, > + "Usage: scripts/sign-file [-dp] > []\n"); > + exit(2); > +} > + > +static void display_openssl_errors(int l) > +{ > + const char *file; > + char buf[120]; > + int e, line; > + > + if (ERR_peek_error() == 0) > + return; > + fprintf(stderr, "At main.c:%d:\n", l); > + > + while ((e = ERR_get_error_line(, ))) { > + ERR_error_string(e, buf); > + fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line); > + } > +} > + > + > +#define ERR(cond, ...) \ > + do { \ >
Re: [PATCH 4/5] MODSIGN: Provide a utility to append a PKCS#7 signature to a module [ver #2]
Hi David, sign-file.c produce lots of annoying noise. scripts/sign-file.c:153:2: warning: format not a string literal and no format arguments [-Wformat-security] ERR(!bd, dest_name); ^ scripts/sign-file.c:179:3: warning: format not a string literal and no format arguments [-Wformat-security] ERR(!b, pkcs7_name); ^ scripts/sign-file.c:180:3: warning: format not a string literal and no format arguments [-Wformat-security] ERR(i2d_PKCS7_bio_stream(b, pkcs7, NULL, 0) 0, pkcs7_name); ^ scripts/sign-file.c:185:2: warning: format not a string literal and no format arguments [-Wformat-security] ERR(BIO_reset(bm) 0, module_name); ^ Would be great to fix it. Thanks, Dmitry On 26/11/14 16:17, David Howells wrote: Provide a utility that: (1) Digests a module using the specified hash algorithm (typically sha256). [The digest can be dumped into a file by passing the '-d' flag] (2) Generates a PKCS#7 message that: (a) Has detached data (ie. the module content). (b) Is signed with the specified private key. (c) Refers to the specified X.509 certificate. (d) Has an empty X.509 certificate list. [The PKCS#7 message can be dumped into a file by passing the '-p' flag] (3) Generates a signed module by concatenating the old module, the PKCS#7 message, a descriptor and a magic string. The descriptor contains the size of the PKCS#7 message and indicates the id_type as PKEY_ID_PKCS7. (4) Either writes the signed module to the specified destination or renames it over the source module. This allows module signing to reuse the PKCS#7 handling code that was added for PE file parsing for signed kexec. Note that the utility is written in C and must be linked against the OpenSSL crypto library. Note further that I have temporarily dropped support for handling externally created signatures until we can work out the best way to do those. Hopefully, whoever creates the signature can give me a PKCS#7 certificate. 
Signed-off-by: David Howells dhowe...@redhat.com --- include/crypto/public_key.h |1 scripts/sign-file.c | 189 +++ 2 files changed, 190 insertions(+) create mode 100755 scripts/sign-file.c diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index b6f27a240856..fda097e079a4 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h @@ -33,6 +33,7 @@ extern const struct public_key_algorithm *pkey_algo[PKEY_ALGO__LAST]; enum pkey_id_type { PKEY_ID_PGP,/* OpenPGP generated key ID */ PKEY_ID_X509, /* X.509 arbitrary subjectKeyIdentifier */ + PKEY_ID_PKCS7, /* Signature in PKCS#7 message */ PKEY_ID_TYPE__LAST }; diff --git a/scripts/sign-file.c b/scripts/sign-file.c new file mode 100755 index ..3f9bedbd185f --- /dev/null +++ b/scripts/sign-file.c 
@@ -0,0 +1,189 @@ +/* Sign a module file using the given key. + * + * Copyright (C) 2014 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowe...@redhat.com) + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public Licence + * as published by the Free Software Foundation; either version + * 2 of the Licence, or (at your option) any later version. + */ +#define _GNU_SOURCE +#include stdio.h +#include stdlib.h +#include stdint.h +#include stdbool.h +#include string.h +#include getopt.h +#include err.h +#include arpa/inet.h +#include openssl/bio.h +#include openssl/evp.h +#include openssl/pem.h +#include openssl/pkcs7.h +#include openssl/err.h + +struct module_signature { + uint8_t algo; /* Public-key crypto algorithm [0] */ + uint8_t hash; /* Digest algorithm [0] */ + uint8_t id_type;/* Key identifier type [PKEY_ID_PKCS7] */ + uint8_t signer_len; /* Length of signer's name [0] */ + uint8_t key_id_len; /* Length of key identifier [0] */ + uint8_t __pad[3]; + uint32_tsig_len;/* Length of signature data */ +}; + +#define PKEY_ID_PKCS7 2 + +static char magic_number[] = ~Module signature appended~\n; + +static __attribute__((noreturn)) +void format(void) +{ + fprintf(stderr, + Usage: scripts/sign-file [-dp] hash algo key x509 module [dest]\n); + exit(2); +} + +static void display_openssl_errors(int l) +{ + const char *file; + char buf[120]; + int e, line; + + if (ERR_peek_error() == 0) + return; + fprintf(stderr, At main.c:%d:\n, l); + + while ((e = ERR_get_error_line(file, line))) { + ERR_error_string(e, buf); + fprintf(stderr, - SSL %s: %s:%d\n, buf, file, line); + } +} + + +#define ERR(cond, ...) \ + do
Re: [PATCH 4/5] MODSIGN: Provide a utility to append a PKCS#7 signature to a module [ver #2]
Dmitry Kasatkin <d.kasat...@samsung.com> wrote: > sign-file.c produce lots of annoying noise. How did you get it to produce that? David -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH 4/5] MODSIGN: Provide a utility to append a PKCS#7 signature to a module [ver #2]
On 05/12/14 12:23, David Howells wrote: > Dmitry Kasatkin <d.kasat...@samsung.com> wrote: > >> sign-file.c produce lots of annoying noise. > How did you get it to produce that? > > David > With just "make all" on Ubuntu. - Dmitry -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH 4/5] MODSIGN: Provide a utility to append a PKCS#7 signature to a module [ver #2]
Dmitry Kasatkin <d.kasat...@samsung.com> wrote: > With just "make all" on Ubuntu. What gcc? I don't see any warnings. David -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH 4/5] MODSIGN: Provide a utility to append a PKCS#7 signature to a module [ver #2]
On 05/12/14 16:04, David Howells wrote: Dmitry Kasatkin d.kasat...@samsung.com wrote: With just make all on Ubuntu. What gcc? I don't see any warnings. David $ gcc -v Using built-in specs. COLLECT_GCC=gcc COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/4.8/lto-wrapper Target: x86_64-linux-gnu Configured with: ../src/configure -v --with-pkgversion='Ubuntu 4.8.2-19ubuntu1' --with-bugurl=file:///usr/share/doc/gcc-4.8/README.Bugs --enable-languages=c,c++,java,go,d,fortran,objc,obj-c++ --prefix=/usr --program-suffix=-4.8 --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --with-gxx-include-dir=/usr/include/c++/4.8 --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --enable-gnu-unique-object --disable-libmudflap --enable-plugin --with-system-zlib --disable-browser-plugin --enable-java-awt=gtk --enable-gtk-cairo --with-java-home=/usr/lib/jvm/java-1.5.0-gcj-4.8-amd64/jre --enable-java-home --with-jvm-root-dir=/usr/lib/jvm/java-1.5.0-gcj-4.8-amd64 --with-jvm-jar-dir=/usr/lib/jvm-exports/java-1.5.0-gcj-4.8-amd64 --with-arch-directory=amd64 --with-ecj-jar=/usr/share/java/eclipse-ecj.jar --enable-objc-gc --enable-multiarch --disable-werror --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --with-tune=generic --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu Thread model: posix gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1) -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 4/5] MODSIGN: Provide a utility to append a PKCS#7 signature to a module [ver #2]
Provide a utility that: (1) Digests a module using the specified hash algorithm (typically sha256). [The digest can be dumped into a file by passing the '-d' flag] (2) Generates a PKCS#7 message that: (a) Has detached data (ie. the module content). (b) Is signed with the specified private key. (c) Refers to the specified X.509 certificate. (d) Has an empty X.509 certificate list. [The PKCS#7 message can be dumped into a file by passing the '-p' flag] (3) Generates a signed module by concatenating the old module, the PKCS#7 message, a descriptor and a magic string. The descriptor contains the size of the PKCS#7 message and indicates the id_type as PKEY_ID_PKCS7. (4) Either writes the signed module to the specified destination or renames it over the source module. This allows module signing to reuse the PKCS#7 handling code that was added for PE file parsing for signed kexec. Note that the utility is written in C and must be linked against the OpenSSL crypto library. Note further that I have temporarily dropped support for handling externally created signatures until we can work out the best way to do those. Hopefully, whoever creates the signature can give me a PKCS#7 certificate. Signed-off-by: David Howells --- include/crypto/public_key.h |1 scripts/sign-file.c | 189 +++ 2 files changed, 190 insertions(+) create mode 100755 scripts/sign-file.c diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index b6f27a240856..fda097e079a4 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h @@ -33,6 +33,7 @@ extern const struct public_key_algorithm *pkey_algo[PKEY_ALGO__LAST]; enum pkey_id_type { PKEY_ID_PGP,/* OpenPGP generated key ID */ PKEY_ID_X509, /* X.509 arbitrary subjectKeyIdentifier */ + PKEY_ID_PKCS7, /* Signature in PKCS#7 message */ PKEY_ID_TYPE__LAST }; diff --git a/scripts/sign-file.c b/scripts/sign-file.c new file mode 100755 index ..3f9bedbd185f --- /dev/null +++ b/scripts/sign-file.c 
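Review bot: PKEY_ID_PKCS7 takes its value from its position in the enum, while scripts/sign-file.c in the same patch hard-codes `#define PKEY_ID_PKCS7 2` and stores it in the id_type byte of the descriptor appended to the module. The two agree only as long as nothing is ever inserted ahead of the new enumerator, and neither file says so. Pinning the value and documenting the link, `PKEY_ID_PKCS7 = 2, /* Signature in PKCS#7 message; must match scripts/sign-file.c */`, would keep the signing tool and the kernel's interpretation of id_type from drifting apart unnoticed.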
@@ -0,0 +1,189 @@ +/* Sign a module file using the given key. + * + * Copyright (C) 2014 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowe...@redhat.com) + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public Licence + * as published by the Free Software Foundation; either version + * 2 of the Licence, or (at your option) any later version. + */ +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +struct module_signature { + uint8_t algo; /* Public-key crypto algorithm [0] */ + uint8_t hash; /* Digest algorithm [0] */ + uint8_t id_type;/* Key identifier type [PKEY_ID_PKCS7] */ + uint8_t signer_len; /* Length of signer's name [0] */ + uint8_t key_id_len; /* Length of key identifier [0] */ + uint8_t __pad[3]; + uint32_tsig_len;/* Length of signature data */ +}; + +#define PKEY_ID_PKCS7 2 + +static char magic_number[] = "~Module signature appended~\n"; + +static __attribute__((noreturn)) +void format(void) +{ + fprintf(stderr, + "Usage: scripts/sign-file [-dp] []\n"); + exit(2); +} + +static void display_openssl_errors(int l) +{ + const char *file; + char buf[120]; + int e, line; + + if (ERR_peek_error() == 0) + return; + fprintf(stderr, "At main.c:%d:\n", l); + + while ((e = ERR_get_error_line(, ))) { + ERR_error_string(e, buf); + fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line); + } +} + + +#define ERR(cond, ...) 
\ + do { \ + bool __cond = (cond); \ + display_openssl_errors(__LINE__); \ + if (__cond) { \ + err(1, ## __VA_ARGS__); \ + } \ + } while(0) + +int main(int argc, char **argv) +{ + struct module_signature sig_info = { .id_type = PKEY_ID_PKCS7 }; + char *hash_algo = NULL; + char *private_key_name, *x509_name, *module_name, *dest_name; + bool save_pkcs7 = false, replace_orig; + unsigned char buf[4096]; + unsigned long module_size, pkcs7_size; + const EVP_MD *digest_algo; + EVP_PKEY *private_key; + PKCS7 *pkcs7; + X509 *x509; + BIO *b, *bd, *bm; + int opt, n; + + do { + opt = getopt(argc, argv, "dp"); + switch (opt) { + case 'p': save_pkcs7 = true; break; + case -1:
[PATCH 4/5] MODSIGN: Provide a utility to append a PKCS#7 signature to a module [ver #2]
Provide a utility that: (1) Digests a module using the specified hash algorithm (typically sha256). [The digest can be dumped into a file by passing the '-d' flag] (2) Generates a PKCS#7 message that: (a) Has detached data (ie. the module content). (b) Is signed with the specified private key. (c) Refers to the specified X.509 certificate. (d) Has an empty X.509 certificate list. [The PKCS#7 message can be dumped into a file by passing the '-p' flag] (3) Generates a signed module by concatenating the old module, the PKCS#7 message, a descriptor and a magic string. The descriptor contains the size of the PKCS#7 message and indicates the id_type as PKEY_ID_PKCS7. (4) Either writes the signed module to the specified destination or renames it over the source module. This allows module signing to reuse the PKCS#7 handling code that was added for PE file parsing for signed kexec. Note that the utility is written in C and must be linked against the OpenSSL crypto library. Note further that I have temporarily dropped support for handling externally created signatures until we can work out the best way to do those. Hopefully, whoever creates the signature can give me a PKCS#7 certificate. Signed-off-by: David Howells dhowe...@redhat.com --- include/crypto/public_key.h |1 scripts/sign-file.c | 189 +++ 2 files changed, 190 insertions(+) create mode 100755 scripts/sign-file.c diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index b6f27a240856..fda097e079a4 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h @@ -33,6 +33,7 @@ extern const struct public_key_algorithm *pkey_algo[PKEY_ALGO__LAST]; enum pkey_id_type { PKEY_ID_PGP,/* OpenPGP generated key ID */ PKEY_ID_X509, /* X.509 arbitrary subjectKeyIdentifier */ + PKEY_ID_PKCS7, /* Signature in PKCS#7 message */ PKEY_ID_TYPE__LAST }; diff --git a/scripts/sign-file.c b/scripts/sign-file.c new file mode 100755 index ..3f9bedbd185f --- /dev/null +++ b/scripts/sign-file.c 
@@ -0,0 +1,189 @@ +/* Sign a module file using the given key. + * + * Copyright (C) 2014 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowe...@redhat.com) + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public Licence + * as published by the Free Software Foundation; either version + * 2 of the Licence, or (at your option) any later version. + */ +#define _GNU_SOURCE +#include stdio.h +#include stdlib.h +#include stdint.h +#include stdbool.h +#include string.h +#include getopt.h +#include err.h +#include arpa/inet.h +#include openssl/bio.h +#include openssl/evp.h +#include openssl/pem.h +#include openssl/pkcs7.h +#include openssl/err.h + +struct module_signature { + uint8_t algo; /* Public-key crypto algorithm [0] */ + uint8_t hash; /* Digest algorithm [0] */ + uint8_t id_type;/* Key identifier type [PKEY_ID_PKCS7] */ + uint8_t signer_len; /* Length of signer's name [0] */ + uint8_t key_id_len; /* Length of key identifier [0] */ + uint8_t __pad[3]; + uint32_tsig_len;/* Length of signature data */ +}; + +#define PKEY_ID_PKCS7 2 + +static char magic_number[] = ~Module signature appended~\n; + +static __attribute__((noreturn)) +void format(void) +{ + fprintf(stderr, + Usage: scripts/sign-file [-dp] hash algo key x509 module [dest]\n); + exit(2); +} + +static void display_openssl_errors(int l) +{ + const char *file; + char buf[120]; + int e, line; + + if (ERR_peek_error() == 0) + return; + fprintf(stderr, At main.c:%d:\n, l); + + while ((e = ERR_get_error_line(file, line))) { + ERR_error_string(e, buf); + fprintf(stderr, - SSL %s: %s:%d\n, buf, file, line); + } +} + + +#define ERR(cond, ...) 
\ + do { \ + bool __cond = (cond); \ + display_openssl_errors(__LINE__); \ + if (__cond) { \ + err(1, ## __VA_ARGS__); \ + } \ + } while(0) + +int main(int argc, char **argv) +{ + struct module_signature sig_info = { .id_type = PKEY_ID_PKCS7 }; + char *hash_algo = NULL; + char *private_key_name, *x509_name, *module_name, *dest_name; + bool save_pkcs7 = false, replace_orig; + unsigned char buf[4096]; + unsigned long module_size, pkcs7_size; + const EVP_MD *digest_algo; + EVP_PKEY *private_key; + PKCS7 *pkcs7; + X509 *x509; + BIO *b, *bd, *bm; + int opt,