lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 20 May 2015 09:08:40 +0800
From:	Michal Marek <mmarek@...e.cz>
To:	dhowells@...hat.com
Cc:	torvalds@...ux-foundation.org, aricart@...nix.com,
	linux-kernel@...r.kernel.org, sedat.dilek@...il.com,
	keyrings@...ux-nfs.org, rusty@...tcorp.com.au,
	linux-security-module@...r.kernel.org, james.l.morris@...cle.com,
	dwmw2@...radead.org
Subject: [PATCH 3/3] MODSIGN: Split user-supplied and autogenerated signing key

Allow the users to place signing_key.{x509,priv} and x509.genkey in the
source tree. If any of these files is missing, generate the file in the
build tree with an .auto suffix. This avoids problems with overwriting
user-supplied files.

Signed-off-by: Michal Marek <mmarek@...e.cz>
---
 .gitignore                       |  2 ++
 Documentation/module-signing.txt | 10 ++++++---
 Makefile                         |  5 +++--
 kernel/Makefile                  | 46 ++++++++++++++++++++--------------------
 4 files changed, 35 insertions(+), 28 deletions(-)

diff --git a/.gitignore b/.gitignore
index 4ad4a98..92b9bc8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -100,6 +100,8 @@ extra_certificates
 signing_key.priv
 signing_key.x509
 x509.genkey
+signing_key.*.auto
+x509.genkey.auto
 
 # Kconfig presets
 all.config
diff --git a/Documentation/module-signing.txt b/Documentation/module-signing.txt
index c72702e..74121fb 100644
--- a/Documentation/module-signing.txt
+++ b/Documentation/module-signing.txt
@@ -100,18 +100,22 @@ it can be deleted or stored securely.  The public key gets built into the
 kernel so that it can be used to check the signatures as the modules are
 loaded.
 
-Under normal conditions, the kernel build will automatically generate a new
-keypair using openssl if one does not exist in the files:
+The kernel expects the keypair to be stored in the files:
 
 	signing_key.priv
 	signing_key.x509
 
+If the keypair is not supplied, the kernel will generate it as:
+
+	signing_key.priv.auto
+	signing_key.x509.auto
+
 during the building of vmlinux (the public part of the key needs to be built
 into vmlinux) using parameters in the:
 
 	x509.genkey
 
-file (which is also generated if it does not already exist).
+file (which, if not supplied, is also generated as x509.genkey.auto).
 
 It is strongly recommended that you provide your own x509.genkey file.
 
diff --git a/Makefile b/Makefile
index 2da553f..f46e76a 100644
--- a/Makefile
+++ b/Makefile
@@ -872,8 +872,8 @@ INITRD_COMPRESS-$(CONFIG_RD_LZ4)   := lz4
 # export INITRD_COMPRESS := $(INITRD_COMPRESS-y)
 
 ifdef CONFIG_MODULE_SIG_ALL
-MODSECKEY = ./signing_key.priv
-MODPUBKEY = ./signing_key.x509
+MODSECKEY = $(firstword $(wildcard $(srctree)/signing_key.priv) ./signing_key.priv.auto)
+MODPUBKEY = $(firstword $(wildcard $(srctree)/signing_key.x509) ./signing_key.x509.auto)
 export MODPUBKEY
 mod_sign_cmd = perl $(srctree)/scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(MODSECKEY) $(MODPUBKEY)
 else
@@ -1176,6 +1176,7 @@ MRPROPER_DIRS  += include/config usr/include include/generated          \
 MRPROPER_FILES += .config .config.old .version .old_version \
 		  Module.symvers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS \
 		  signing_key.priv signing_key.x509 x509.genkey		\
+		  signing_key.*.auto x509.genkey.auto			\
 		  extra_certificates signing_key.x509.keyid		\
 		  signing_key.x509.signer vmlinux-gdb.py
 
diff --git a/kernel/Makefile b/kernel/Makefile
index 3177160..58e6ca7 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -126,7 +126,7 @@ $(obj)/config_data.h: $(obj)/config_data.gz FORCE
 ###############################################################################
 ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y)
 X509_CERTIFICATES-y := $(wildcard *.x509)
-X509_CERTIFICATES-$(CONFIG_MODULE_SIG) += signing_key.x509
+X509_CERTIFICATES-$(CONFIG_MODULE_SIG) += $(if $(wildcard $(srctree)/signing_key.x509),,signing_key.x509.auto)
 X509_CERTIFICATES := $(sort $(X509_CERTIFICATES-y))
 ifneq ($(objtree),$(srctree))
 X509_CERTIFICATES += $(sort $(wildcard $(srctree)/*.x509))
@@ -167,7 +167,7 @@ ifndef CONFIG_MODULE_SIG_HASH
 $(error Could not determine digest type to use from kernel config)
 endif
 
-signing_key.priv signing_key.x509: x509.genkey
+signing_key.priv.auto signing_key.x509.auto: $(firstword $(wildcard $(srctree)/x509.genkey) x509.genkey.auto)
 	@echo "###"
 	@echo "### Now generating an X.509 key pair to be used for signing modules."
 	@echo "###"
@@ -177,30 +177,30 @@ signing_key.priv signing_key.x509: x509.genkey
 	@echo "### number generator if one is available."
 	@echo "###"
 	openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \
-		-batch -x509 -config x509.genkey \
-		-outform DER -out signing_key.x509 \
-		-keyout signing_key.priv 2>&1
+		-batch -x509 -config $< \
+		-outform DER -out signing_key.x509.auto \
+		-keyout signing_key.priv.auto 2>&1
 	@echo "###"
 	@echo "### Key pair generated."
 	@echo "###"
 
-x509.genkey:
+x509.genkey.auto:
 	@echo Generating X.509 key generation config
-	@echo  >x509.genkey "[ req ]"
-	@echo >>x509.genkey "default_bits = 4096"
-	@echo >>x509.genkey "distinguished_name = req_distinguished_name"
-	@echo >>x509.genkey "prompt = no"
-	@echo >>x509.genkey "string_mask = utf8only"
-	@echo >>x509.genkey "x509_extensions = myexts"
-	@echo >>x509.genkey
-	@echo >>x509.genkey "[ req_distinguished_name ]"
-	@echo >>x509.genkey "#O = Unspecified company"
-	@echo >>x509.genkey "CN = Build time autogenerated kernel key"
-	@echo >>x509.genkey "#emailAddress = unspecified.user@...pecified.company"
-	@echo >>x509.genkey
-	@echo >>x509.genkey "[ myexts ]"
-	@echo >>x509.genkey "basicConstraints=critical,CA:FALSE"
-	@echo >>x509.genkey "keyUsage=digitalSignature"
-	@echo >>x509.genkey "subjectKeyIdentifier=hash"
-	@echo >>x509.genkey "authorityKeyIdentifier=keyid"
+	@echo  >$@ "[ req ]"
+	@echo >>$@ "default_bits = 4096"
+	@echo >>$@ "distinguished_name = req_distinguished_name"
+	@echo >>$@ "prompt = no"
+	@echo >>$@ "string_mask = utf8only"
+	@echo >>$@ "x509_extensions = myexts"
+	@echo >>$@
+	@echo >>$@ "[ req_distinguished_name ]"
+	@echo >>$@ "#O = Unspecified company"
+	@echo >>$@ "CN = Build time autogenerated kernel key"
+	@echo >>$@ "#emailAddress = unspecified.user@...pecified.company"
+	@echo >>$@
+	@echo >>$@ "[ myexts ]"
+	@echo >>$@ "basicConstraints=critical,CA:FALSE"
+	@echo >>$@ "keyUsage=digitalSignature"
+	@echo >>$@ "subjectKeyIdentifier=hash"
+	@echo >>$@ "authorityKeyIdentifier=keyid"
 endif
-- 
2.1.4

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ