Message-ID: <1416837968.25352.34.camel@dhcp-9-2-203-236.watson.ibm.com>
Date: Mon, 24 Nov 2014 09:06:08 -0500
From: Mimi Zohar <zohar@...ux.vnet.ibm.com>
To: David Howells <dhowells@...hat.com>
Cc: mmarek@...e.cz, d.kasatkin@...sung.com, rusty@...tcorp.com.au,
vgoyal@...hat.com, keyrings@...ux-nfs.org,
linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 5/5] MODSIGN: Use PKCS#7 messages as module signatures
On Thu, 2014-11-20 at 16:54 +0000, David Howells wrote:
>
> /*
> @@ -186,12 +81,8 @@ static struct key *request_asymmetric_key(const char *signer, size_t signer_len,
> */
> int mod_verify_sig(const void *mod, unsigned long *_modlen)
> {
> - struct public_key_signature *pks;
> struct module_signature ms;
> - struct key *key;
> - const void *sig;
> size_t modlen = *_modlen, sig_len;
> - int ret;
>
> pr_devel("==>%s(,%zu)\n", __func__, modlen);
>
> @@ -205,46 +96,23 @@ int mod_verify_sig(const void *mod, unsigned long *_modlen)
> if (sig_len >= modlen)
> return -EBADMSG;
> modlen -= sig_len;
> - if ((size_t)ms.signer_len + ms.key_id_len >= modlen)
> - return -EBADMSG;
> - modlen -= (size_t)ms.signer_len + ms.key_id_len;
> -
> *_modlen = modlen;
> - sig = mod + modlen;
> -
> - /* For the moment, only support RSA and X.509 identifiers */
> - if (ms.algo != PKEY_ALGO_RSA ||
> - ms.id_type != PKEY_ID_X509)
> - return -ENOPKG;
>
> - if (ms.hash >= PKEY_HASH__LAST ||
> - !hash_algo_name[ms.hash])
> + if (ms.id_type != PKEY_ID_PKCS7) {
> + pr_err("Module is not signed with expected PKCS#7 message\n");
> return -ENOPKG;
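Review bot: After the `ms.id_type != PKEY_ID_PKCS7` test, nothing in the lines shown looks at the other header fields that the removed code validated (`ms.algo`, `ms.hash`, `ms.signer_len`, `ms.key_id_len`), so a trailer with arbitrary values in them is accepted as long as id_type matches. Consider rejecting the module, for example with -EBADMSG, when any of those fields is non-zero, so the signature trailer format stays strict and the unused bytes cannot carry unchecked data. The pr_err() text could also print the id_type that was found, which would let an administrator tell a module signed in the old X.509 style from a corrupted trailer.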
Perhaps because modules are re-signed with each kernel build, it is
acceptable to totally replace one signature format with another like
this, and fail the old method.
Mimi