lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1431697560.4727.4.camel@infradead.org>
Date:	Fri, 15 May 2015 14:46:00 +0100
From:	David Woodhouse <dwmw2@...radead.org>
To:	David Howells <dhowells@...hat.com>
Cc:	rusty@...tcorp.com.au, mmarek@...e.cz, mjg59@...f.ucam.org,
	keyrings@...ux-nfs.org, dmitry.kasatkin@...il.com, mcgrof@...e.com,
	linux-kernel@...r.kernel.org, seth.forshee@...onical.com,
	linux-security-module@...r.kernel.org
Subject: Re: [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4]

On Fri, 2015-05-15 at 13:35 +0100, David Howells wrote:
> Note that David Woodhouse is looking at making
> sign-file work with PKCS#11, so bringing back -s might not be 
> necessary.

I actually already *had* it working with PKCS#11, at 
http://git.infradead.org/users/dwmw2/modsign-pkcs11.git

Then you went and rewrote it in C, so I'm still refactoring it. WIP at 
http://git.infradead.org/users/dwmw2/modsign-pkcs11-c.git just needs
me to add the ENGINE_by_id("pkcs11")... bits to scripts/sign-file.c.

I'm also vacillating about whether to allow an external *cert* to be
specified separately from the key. Do we...

 1. Just require the X.509 DER cert in $(topdir)/signing_key.x509,

 2. Automatically extract it from $CONFIG_MODULE_SIG_EXTERNAL_KEY
    which shall be a file (or PKCS#11 URI) containing *both* key
    and cert, or

 3. Add a separate CONFIG_MODULE_SIG_EXTERNAL_CERT option.

I'm probably inclined towards #2. I'll need to script something to
automatically extract the key from a PEM file or PKCS#11 and drop it
in DER form in $(topdir)/signing_key.x509 where needed. Using
basically the same make rules we already *have* for creating a new
key+cert on demand anyway.

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse@...el.com                              Intel Corporation

Download attachment "smime.p7s" of type "application/x-pkcs7-signature" (5691 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ