[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1431999474.4510.17.camel@linux.vnet.ibm.com>
Date: Mon, 18 May 2015 21:37:54 -0400
From: Mimi Zohar <zohar@...ux.vnet.ibm.com>
To: David Woodhouse <David.Woodhouse@...el.com>
Cc: dhowells@...hat.com, rusty@...tcorp.com.au, mmarek@...e.cz,
mjg59@...f.ucam.org, keyrings@...ux-nfs.org,
dmitry.kasatkin@...il.com, mcgrof@...e.com,
linux-kernel@...r.kernel.org, seth.forshee@...onical.com,
linux-security-module@...r.kernel.org
Subject: Re: [PATCH 3/4] modsign: Allow password to be specified for signing
key
On Fri, 2015-05-15 at 17:53 +0100, David Woodhouse wrote:
> Signed-off-by: David Woodhouse <David.Woodhouse@...el.com>
> ---
> Documentation/module-signing.txt | 2 ++
> Makefile | 1 +
> init/Kconfig | 6 ++++++
> scripts/sign-file.c | 39 ++++++++++++++++++++++++++++++++++++++-
> 4 files changed, 47 insertions(+), 1 deletion(-)
>
> diff --git a/Documentation/module-signing.txt b/Documentation/module-signing.txt
> index c72702e..b0ed080 100644
> --- a/Documentation/module-signing.txt
> +++ b/Documentation/module-signing.txt
> @@ -194,6 +194,8 @@ The hash algorithm used does not have to match the one configured, but if it
> doesn't, you should make sure that hash algorithm is either built into the
> kernel or can be loaded without requiring itself.
>
> +If the private key requires a passphrase or PIN, it can be provided in the
> +$CONFIG_MODULE_SIG_KEY_PASSWORD environment variable.
This works, but probably is not a good idea. For one, if IKCONFIG is
enabled, the pin is readily visible via /proc/config.gz.
Mimi
> ============================
> SIGNED MODULES AND STRIPPING
> diff --git a/Makefile b/Makefile
> index 9590e67..70c066c 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -875,6 +875,7 @@ ifdef CONFIG_MODULE_SIG_ALL
> MODSECKEY = $(CONFIG_MODULE_SIG_KEY)
> MODPUBKEY = ./signing_key.x509
> export MODPUBKEY
> +export CONFIG_MODULE_SIG_KEY_PASSWORD
> mod_sign_cmd = scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(MODSECKEY) $(MODPUBKEY)
> else
> mod_sign_cmd = true
> diff --git a/init/Kconfig b/init/Kconfig
> index 1ca075a..7bbc857 100644
> --- a/init/Kconfig
> +++ b/init/Kconfig
> @@ -1967,6 +1967,12 @@ config MODULE_SIG_KEY
> Provide the file name of a private key in PEM format, or a PKCS#11
> URI according to RFC7512 to specify the key.
>
> +config MODULE_SIG_KEY_PASSWORD
> + string "Passphrase or PIN for module signing key if needed" if MODULE_SIG_EXTERNAL_KEY
> + help
> + If a passphrase or PIN is required for the private key, provide
> + it here.
> +
> config MODULE_COMPRESS
> bool "Compress modules on installation"
> depends on MODULES
> diff --git a/scripts/sign-file.c b/scripts/sign-file.c
> index 39aaabe..9a54acc 100755
> --- a/scripts/sign-file.c
> +++ b/scripts/sign-file.c
> @@ -80,9 +80,32 @@ static void drain_openssl_errors(void)
> } \
> } while(0)
>
> +static char *key_pass;
> +
> +static int pem_pw_cb(char *buf, int len, int w, void *v)
> +{
> + int pwlen;
> +
> + if (!key_pass)
> + return -1;
> +
> + pwlen = strlen(key_pass);
> + if (pwlen >= len)
> + return -1;
> +
> + strcpy(buf, key_pass);
> +
> + /* If it's wrong, don't keep trying it. */
> + free(key_pass);
> + key_pass = NULL;
> +
> + return pwlen;
> +}
> +
> int main(int argc, char **argv)
> {
> struct module_signature sig_info = { .id_type = PKEY_ID_PKCS7 };
> + const char *pass_env;
> char *hash_algo = NULL;
> char *private_key_name, *x509_name, *module_name, *dest_name;
> bool save_pkcs7 = false, replace_orig;
> @@ -96,6 +119,7 @@ int main(int argc, char **argv)
> BIO *b, *bd = NULL, *bm;
> int opt, n;
>
> + OpenSSL_add_all_algorithms();
> ERR_load_crypto_strings();
> ERR_clear_error();
>
> @@ -127,12 +151,25 @@ int main(int argc, char **argv)
> replace_orig = true;
> }
>
> + pass_env = getenv("CONFIG_MODULE_SIG_KEY_PASSWORD");
> + if (pass_env) {
> + int pwlen = strlen(pass_env);
> +
> + if (pass_env[0] == '\"' && pass_env[pwlen - 1] == '\"') {
> + pass_env++;
> + pwlen -= 2;
> + }
> + if (pwlen)
> + key_pass = strndup(pass_env, pwlen);
> + }
> +
> /* Read the private key and the X.509 cert the PKCS#7 message
> * will point to.
> */
> b = BIO_new_file(private_key_name, "rb");
> ERR(!b, "%s", private_key_name);
> - private_key = PEM_read_bio_PrivateKey(b, NULL, NULL, NULL);
> + private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb, NULL);
> + ERR(!private_key, "%s", private_key_name);
> BIO_free(b);
>
> b = BIO_new_file(x509_name, "rb");
> --
> 2.4.0
>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists