lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 15 May 2015 17:53:24 +0100
From:	David Woodhouse <David.Woodhouse@...el.com>
To:	dhowells@...hat.com
Cc:	rusty@...tcorp.com.au, mmarek@...e.cz, mjg59@...f.ucam.org,
	keyrings@...ux-nfs.org, dmitry.kasatkin@...il.com, mcgrof@...e.com,
	linux-kernel@...r.kernel.org, dhowells@...hat.com,
	seth.forshee@...onical.com, linux-security-module@...r.kernel.org
Subject: [PATCH 2/4] modsign: Allow external signing key to be specified

Signed-off-by: David Woodhouse <David.Woodhouse@...el.com>
---
 Makefile        |  2 +-
 init/Kconfig    | 13 +++++++++++++
 kernel/Makefile |  6 ++++++
 3 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index ad27fc9..9590e67 100644
--- a/Makefile
+++ b/Makefile
@@ -872,7 +872,7 @@ INITRD_COMPRESS-$(CONFIG_RD_LZ4)   := lz4
 # export INITRD_COMPRESS := $(INITRD_COMPRESS-y)
 
 ifdef CONFIG_MODULE_SIG_ALL
-MODSECKEY = ./signing_key.priv
+MODSECKEY = $(CONFIG_MODULE_SIG_KEY)
 MODPUBKEY = ./signing_key.x509
 export MODPUBKEY
 mod_sign_cmd = scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(MODSECKEY) $(MODPUBKEY)
diff --git a/init/Kconfig b/init/Kconfig
index c05afd6..1ca075a 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1954,6 +1954,19 @@ config MODULE_SIG_HASH
        default "sha384" if MODULE_SIG_SHA384
        default "sha512" if MODULE_SIG_SHA512
 
+config MODULE_SIG_EXTERNAL_KEY
+       bool "Use external key for module signing"
+       depends on MODULE_SIG_ALL
+       help
+         Use an external private key for module signing.
+
+config MODULE_SIG_KEY
+       string "File name or PKCS#11 URI of module signing key" if MODULE_SIG_EXTERNAL_KEY
+       default "signing_key.priv"
+       help
+         Provide the file name of a private key in PEM format, or a PKCS#11
+         URI according to RFC7512 to specify the key.
+
 config MODULE_COMPRESS
        bool "Compress modules on installation"
        depends on MODULES
diff --git a/kernel/Makefile b/kernel/Makefile
index 60c302c..b1a718c 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -170,6 +170,11 @@ ifndef CONFIG_MODULE_SIG_HASH
 $(error Could not determine digest type to use from kernel config)
 endif
 
+# 'make randconfig' might enable CONFIG_MODULE_SIG_EXTERNAL_KEY but will
+# leave any strings at their default settings. We want to let the automatic
+# key generation work in that case, which is why we check the string here
+# instead of just using 'ifndef CONFIG_MODULE_SIG_EXTERNAL_KEY'.
+ifeq ($(CONFIG_MODULE_SIG_KEY),"signing_key.priv")
 signing_key.priv signing_key.x509: x509.genkey
        @echo "###"
        @echo "### Now generating an X.509 key pair to be used for signing modules."
@@ -207,3 +212,4 @@ x509.genkey:
        @echo >>x509.genkey "subjectKeyIdentifier=hash"
        @echo >>x509.genkey "authorityKeyIdentifier=keyid"
 endif
+endif
-- 
2.4.0

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse@...el.com                              Intel Corporation

Download attachment "smime.p7s" of type "application/x-pkcs7-signature" (5691 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ