lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Sun, 09 Feb 2014 17:38:03 -0500
From:	Emily Maier <emilymaier@...olab.com>
To:	Rob Landley <rob@...dley.net>, Michal Marek <mmarek@...e.cz>
CC:	linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org,
	linux-kbuild@...r.kernel.org
Subject: [PATCH RFC] kernel build: enable use of password-protected signing
 keys

Currently, the module signing script assumes that the private key is 
not password-protected. This patch makes it slightly more secure by 
allowing it to be passed in on the command line as "make 
modules_install MOD_PASSWORD=abc". It's vulnerable to snooping during 
the build of course, but so is an unprotected signing key.

I'm not sure how to securely give the password to the perl signing 
script. OpenSSL will prompt you for it in stdin if one isn't provided, 
but that's obviously not reasonable if you're building many modules.

Signed-off-by: Emily Maier <emilymaier@...olab.com>
---
 Documentation/dontdiff |    1 +
 Makefile               |    7 ++++++-
 scripts/sign-file      |   18 +++++++++++++-----
 3 files changed, 20 insertions(+), 6 deletions(-)

diff -uprN -X linux-3.13.2-devel/Documentation/dontdiff linux-3.13.2/Documentation/dontdiff linux-3.13.2-devel/Documentation/dontdiff
--- linux-3.13.2/Documentation/dontdiff	2014-02-06 14:42:22.000000000 -0500
+++ linux-3.13.2-devel/Documentation/dontdiff	2014-02-09 15:30:41.719448065 -0500
@@ -214,6 +214,7 @@ setup
 setup.bin
 setup.elf
 sImage
+signing_key.*
 sm_tbl*
 split-include
 syscalltab.h
diff -uprN -X linux-3.13.2-devel/Documentation/dontdiff linux-3.13.2/Makefile linux-3.13.2-devel/Makefile
--- linux-3.13.2/Makefile	2014-02-06 14:42:22.000000000 -0500
+++ linux-3.13.2-devel/Makefile	2014-02-09 16:34:19.727020032 -0500
@@ -742,11 +742,16 @@ INITRD_COMPRESS-$(CONFIG_RD_LZ4)   := lz
 # choose a sane default compression above.
 # export INITRD_COMPRESS := $(INITRD_COMPRESS-y)
 +ifdef MOD_PASSWORD
+mod_sign_cmd = perl $(srctree)/scripts/sign-file -p $(MOD_PASSWORD)
+else
+mod_sign_cmd = perl $(srctree)/scripts/sign-file
+endif
 ifdef CONFIG_MODULE_SIG_ALL
 MODSECKEY = ./signing_key.priv
 MODPUBKEY = ./signing_key.x509
 export MODPUBKEY
-mod_sign_cmd = perl $(srctree)/scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(MODSECKEY) $(MODPUBKEY)
+mod_sign_cmd += $(CONFIG_MODULE_SIG_HASH) $(MODSECKEY) $(MODPUBKEY)
 else
 mod_sign_cmd = true
 endif
diff -uprN -X linux-3.13.2-devel/Documentation/dontdiff linux-3.13.2/scripts/sign-file linux-3.13.2-devel/scripts/sign-file
--- linux-3.13.2/scripts/sign-file	2014-02-06 14:42:22.000000000 -0500
+++ linux-3.13.2-devel/scripts/sign-file	2014-02-09 15:16:22.198684877 -0500
@@ -5,7 +5,8 @@
  my $USAGE =
 "Usage: scripts/sign-file [-v] <hash algo> <key> <x509> <module> [<dest>]\n" .
-"       scripts/sign-file [-v] -s <raw sig> <hash algo> <x509> <module> [<dest>]\n";
+"       scripts/sign-file [-v] -s <raw sig> <hash algo> <x509> <module> [<dest>]\n" .
+"	scripts/sign-file [-v] -p <password> <hash algo> <x509> <module> [<dest>]";
  use strict;
 use FileHandle;
@@ -13,9 +14,10 @@ use IPC::Open2;
 use Getopt::Std;
  my %opts;
-getopts('vs:', \%opts) or die $USAGE;
+getopts('vs:p:', \%opts) or die $USAGE;
 my $verbose = $opts{'v'};
 my $signature_file = $opts{'s'};
+my $password = $opts{'p'};
  die $USAGE if ($#ARGV > 4);
 die $USAGE if (!$signature_file && $#ARGV < 3 || $signature_file && $#ARGV < 2);
@@ -365,9 +367,15 @@ if ($signature_file) {
 	# comprises the signature with no metadata attached.
 	#
 	my $pid;
-	$pid = open2(*read_from, *write_to,
-		     "openssl rsautl -sign -inkey $private_key -keyform PEM") ||
-	    die "openssl rsautl";
+	if ($password) {
+		$pid = open2(*read_from, *write_to,
+		             "openssl rsautl -sign -inkey $private_key -keyform PEM \\
+		              -passin pass:$password") || die "openssl rsautl";
+	} else {
+		$pid = open2(*read_from, *write_to,
+			     "openssl rsautl -sign -inkey $private_key -keyform PEM") ||
+		    die "openssl rsautl";
+	}
 	binmode write_to;
 	print write_to $prologue . $digest || die "pipe to openssl rsautl";
 	close(write_to) || die "pipe to openssl rsautl";


Download attachment "signature.asc" of type "application/pgp-signature" (902 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ