lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <21177.1431716875@warthog.procyon.org.uk>
Date:	Fri, 15 May 2015 20:07:55 +0100
From:	David Howells <dhowells@...hat.com>
To:	mcgrof@...e.com
Cc:	dhowells@...hat.com, rusty@...tcorp.com.au, mmarek@...e.cz,
	mjg59@...f.ucam.org, keyrings@...ux-nfs.org,
	dmitry.kasatkin@...il.com, linux-kernel@...r.kernel.org,
	seth.forshee@...onical.com, linux-security-module@...r.kernel.org,
	dwmw2@...radead.org
Subject: sign-file and detached PKCS#7 firmware signatures

Hi Luis,

As David Woodhouse pointed out to me, you don't need sign-file if you're just
going to create a detached PKCS#7 message as your signature.  You can just use
"openssl smime" directly.

The reason that sign-file is needed for module signing is that the signature
is added to the module with a little bit of metadata to indicate its presence
- but if you're having detached signatures, that isn't relevant.

You can do this with two steps:

 (1) Require that an X.509 certificate is made available to the kernel to
     provide the public key.  One way to do this is to convert it to DER form
     and place it in the source directory as <name>.x509 when you build the
     kernel.

 (2) Document that to produce a signature for a firmware blob, you just run
     the following command:

		# -binary: sign the blob's exact bytes (without it, openssl smime
		# converts line endings to CRLF before hashing the input)
		openssl smime -sign \
		 -in $FIRMWARE_BLOB_NAME \
		 -binary \
		 -outform DER \
		 -inkey $PRIVATE_KEY_FILE_IN_PEM_FORM \
		 -signer $X509_CERT_FILE_IN_PEM_FORM \
		 -nocerts \
		 -md $DIGEST_ALGORITHM \
		 >$PKCS7_MESSAGE_FILE_IN_DER_FORM

     Note that if you have crypto hardware available that openssl can use, you
     can do that in this command.


To summarise, what you have to present to the kernel is the following:

 (A) A DER-encoded X.509 certificate containing the public key.

 (B) A DER-encoded PKCS#7 message containing the signatures.

 (C) A binary blob that is the detached data for the PKCS#7 message.

David
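The procedure in steps (1) and (2) of the mail, carried through end to end as an added example (this script is not part of David Howells' mail or of the kernel tree): it produces the three things the summary lists, (A) a DER X.509 certificate, (B) a detached DER PKCS#7 signature made with "openssl smime", and (C) the raw blob, then checks (B) over (C) with openssl. The self-signed key, the sample blob bytes and the file names are assumptions made for the demo; it needs openssl on PATH. It also shows the two ways the signature can fail to verify: a tampered blob, and a signature made without -binary, where openssl smime canonicalises line endings before hashing.

```shell
#!/bin/sh
# Added example, not part of the mail or the kernel tree: build (A) DER cert,
# (B) detached DER PKCS#7 signature and (C) raw blob with "openssl smime", then
# verify (B) over (C).  Key, blob bytes and file names are demo assumptions.
set -eu

# Throwaway RSA key plus self-signed certificate in PEM, and the DER copy of the
# certificate that step (1) of the mail would ship as <name>.x509.
make_signing_identity() {   # $1 = work directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Firmware signing key (example)" \
        -keyout "$1/signing_key.pem" -out "$1/signing_cert.pem" 2>/dev/null
    openssl x509 -in "$1/signing_cert.pem" -outform DER -out "$1/firmware.x509"
}

# Constructed sample "firmware": a few binary bytes including a bare LF and a
# CRLF, so that any line-ending canonicalisation changes what gets signed.
make_sample_blob() {        # $1 = output file
    printf 'FWIMG\001\002\n\003\r\n\004\377' > "$1"
}

# The mail's command plus -binary.  Without -binary, "openssl smime" rewrites
# line endings to CRLF before hashing, so the signature would cover a different
# byte string than the blob the kernel hashes.  Detached output is the default
# for "smime -sign"; -nocerts keeps the signer certificate out of the PKCS#7.
sign_firmware() {           # $1 = blob, $2 = key PEM, $3 = cert PEM, $4 = output .p7s
    openssl smime -sign -binary -in "$1" -outform DER \
        -inkey "$2" -signer "$3" -nocerts -md sha256 -out "$4"
}

# Same command without -binary, kept only to demonstrate the failure mode.
sign_firmware_text_mode() { # same arguments as sign_firmware
    openssl smime -sign -in "$1" -outform DER \
        -inkey "$2" -signer "$3" -nocerts -md sha256 -out "$4"
}

# Verify a detached DER PKCS#7 over a blob.  The signature carries no
# certificate, so the signer cert is supplied with -certfile.  -noverify skips
# PKIX chain building, which matches the model in the mail: the kernel trusts
# the certificate it was built with, not a chain.  Exit status 0 = good signature.
verify_firmware() {         # $1 = blob, $2 = .p7s, $3 = cert PEM
    openssl smime -verify -binary -noverify -inform DER -in "$2" \
        -content "$1" -certfile "$3" -out /dev/null 2>/dev/null
}

# True if the file parses as a DER-encoded PKCS#7 structure (what (B) must be).
is_der_pkcs7() {            # $1 = file
    openssl pkcs7 -inform DER -in "$1" -noout 2>/dev/null
}

demo() {
    work=$(mktemp -d)
    make_signing_identity "$work"
    make_sample_blob "$work/fw.bin"
    sign_firmware "$work/fw.bin" "$work/signing_key.pem" "$work/signing_cert.pem" "$work/fw.bin.p7s"
    is_der_pkcs7 "$work/fw.bin.p7s" && echo "fw.bin.p7s: DER PKCS#7 signature"
    if verify_firmware "$work/fw.bin" "$work/fw.bin.p7s" "$work/signing_cert.pem"; then
        echo "fw.bin: signature verifies"
    fi
    # Change the last byte of the blob: the signature must no longer verify.
    printf 'FWIMG\001\002\n\003\r\n\004\376' > "$work/fw_tampered.bin"
    if verify_firmware "$work/fw_tampered.bin" "$work/fw.bin.p7s" "$work/signing_cert.pem"; then
        echo "BUG: tampered blob accepted"
    else
        echo "fw_tampered.bin: signature rejected"
    fi
    # Sign without -binary: the bare LF inside the blob was turned into CRLF
    # before hashing, so the signature does not cover the bytes on disk.
    sign_firmware_text_mode "$work/fw.bin" "$work/signing_key.pem" "$work/signing_cert.pem" "$work/fw.text.p7s"
    if verify_firmware "$work/fw.bin" "$work/fw.text.p7s" "$work/signing_cert.pem"; then
        echo "BUG: text-mode signature accepted"
    else
        echo "fw.text.p7s (signed without -binary): signature rejected"
    fi
    rm -rf "$work"
}

demo
```

Run as a script, it prints one line per check. firmware.x509 is the (A) artefact, fw.bin.p7s is (B) and fw.bin is (C); only (B) and (C) change per blob, (A) is fixed at kernel build time.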
