Message-Id: <1352396109-3989-2-git-send-email-tiwai@suse.de>
Date: Thu, 8 Nov 2012 18:35:06 +0100
From: Takashi Iwai <tiwai@...e.de>
To: Matthew Garrett <mjg59@...f.ucam.org>
Cc: Alan Cox <alan@...rguk.ukuu.org.uk>, joeyli <jlee@...e.com>,
Jiri Kosina <jkosina@...e.cz>,
David Howells <dhowells@...hat.com>,
Rusty Russell <rusty@...tcorp.com.au>,
Ming Lei <tom.leiming@...il.com>, linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org, linux-efi@...r.kernel.org,
Takashi Iwai <tiwai@...e.de>
Subject: [PATCH RFC v2 1/4] firmware: Add the firmware signing support to scripts/sign-file
Add -f option to sign-file script for generating a firmware signature
file.
A firmware signature file has a structure very similar to that of a
signed module, but in a different order (because it is a separate file,
whereas the module signature is embedded at the tail of the unsigned
module contents). The file consists of
- the magic string
- the signature information, which is identical with the module
signature
- signer's name
- key id
- signature bytes
Signed-off-by: Takashi Iwai <tiwai@...e.de>
---
scripts/sign-file | 48 +++++++++++++++++++++++++++++++++++-------------
1 file changed, 35 insertions(+), 13 deletions(-)
diff --git a/scripts/sign-file b/scripts/sign-file
index 87ca59d..5b9d44d 100755
--- a/scripts/sign-file
+++ b/scripts/sign-file
@@ -4,30 +4,40 @@
#
# Format:
#
-# ./scripts/sign-file [-v] <key> <x509> <module> [<dest>]
+# ./scripts/sign-file [-v] [-f] <key> <x509> <module> [<dest>]
#
#
use strict;
use FileHandle;
use IPC::Open2;
+use Getopt::Long;
-my $verbose = 0;
-if ($#ARGV >= 0 && $ARGV[0] eq "-v") {
- $verbose = 1;
- shift;
+sub usage()
+{
+ print "Format: ./scripts/sign-file [options] <key> <x509> <module> [<dest>]
+ -v verbose output
+ -f create a firmware signature file
+";
+ exit;
}
-die "Format: ./scripts/sign-file [-v] <key> <x509> <module> [<dest>]\n"
- if ($#ARGV != 2 && $#ARGV != 3);
+my $verbose = 0;
+my $sign_fw = 0;
+
+GetOptions(
+ 'v|verbose' => \$verbose,
+ 'f|firmware' => \$sign_fw) || usage();
+usage() if ($#ARGV != 2 && $#ARGV != 3);
my $private_key = $ARGV[0];
my $x509 = $ARGV[1];
my $module = $ARGV[2];
-my $dest = ($#ARGV == 3) ? $ARGV[3] : $ARGV[2] . "~";
+my $dest = $ARGV[3] ? $ARGV[3] : $ARGV[2] . ($sign_fw ? ".sig" : "~");
+my $mode_name = $sign_fw ? "firmware" : "module";
die "Can't read private key\n" unless (-r $private_key);
die "Can't read X.509 certificate\n" unless (-r $x509);
-die "Can't read module\n" unless (-r $module);
+die "Can't read $mode_name\n" unless (-r $module);
#
# Read the kernel configuration
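Review bot: `usage()` ends in a bare `exit;`, so an unknown option (the `GetOptions(...) || usage()` path) or a wrong argument count now ends the script with status 0 and prints to stdout, where the removed `die` exited non-zero with the message on stderr. A caller that checks only the exit status, presumably the kernel build (not visible in this hunk), would treat a run that signed nothing as a success. Print the help text with `print STDERR` and finish with `exit 2;`, or keep `die` for the argument-count check.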
@@ -393,7 +403,9 @@ die "openssl rsautl died: $?" if ($? >> 8);
#
my $unsigned_module = read_file($module);
-my $magic_number = "~Module signature appended~\n";
+my $magic_number = $sign_fw ?
+ "~Linux firmware signature~\n" :
+ "~Module signature appended~\n";
my $info = pack("CCCCCxxxN",
$algo, $hash, $id_type,
@@ -402,7 +414,7 @@ my $info = pack("CCCCCxxxN",
length($signature));
if ($verbose) {
- print "Size of unsigned module: ", length($unsigned_module), "\n";
+ print "Size of unsigned $mode_name: ", length($unsigned_module), "\n";
print "Size of signer's name : ", length($signers_name), "\n";
print "Size of key identifier : ", length($key_identifier), "\n";
print "Size of signature : ", length($signature), "\n";
@@ -414,7 +426,16 @@ if ($verbose) {
open(FD, ">$dest") || die $dest;
binmode FD;
-print FD
+if ($sign_fw) {
+ print FD
+ $magic_number,
+ $info,
+ $signers_name,
+ $key_identifier,
+ $signature
+ ;
+} else {
+ print FD
$unsigned_module,
$signers_name,
$key_identifier,
@@ -422,8 +443,9 @@ print FD
$info,
$magic_number
;
+}
close FD || die $dest;
-if ($#ARGV != 3) {
+if (!$sign_fw && $#ARGV != 3) {
rename($dest, $module) || die $module;
}
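Review bot: The rename guard `if (!$sign_fw && $#ARGV != 3)` still counts arguments, while the first hunk now picks `$dest` by the truthiness of `$ARGV[3]`, so the two tests can disagree. With a fourth argument of `0` or an empty string in module mode, the output goes to `<module>~`, is never renamed, and the requested destination is never written. Testing `defined $ARGV[3]` in the `$dest` assignment (or keeping `$#ARGV == 3` there) makes both checks agree. The `if`/`else` around the two `print FD` lists starts in the previous hunk.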
--
1.8.0