lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1431999474.4510.17.camel@linux.vnet.ibm.com>
Date:	Mon, 18 May 2015 21:37:54 -0400
From:	Mimi Zohar <zohar@...ux.vnet.ibm.com>
To:	David Woodhouse <David.Woodhouse@...el.com>
Cc:	dhowells@...hat.com, rusty@...tcorp.com.au, mmarek@...e.cz,
	mjg59@...f.ucam.org, keyrings@...ux-nfs.org,
	dmitry.kasatkin@...il.com, mcgrof@...e.com,
	linux-kernel@...r.kernel.org, seth.forshee@...onical.com,
	linux-security-module@...r.kernel.org
Subject: Re: [PATCH 3/4] modsign: Allow password to be specified for signing
 key

On Fri, 2015-05-15 at 17:53 +0100, David Woodhouse wrote:
> Signed-off-by: David Woodhouse <David.Woodhouse@...el.com>
> ---
>  Documentation/module-signing.txt |  2 ++
>  Makefile                         |  1 +
>  init/Kconfig                     |  6 ++++++
>  scripts/sign-file.c              | 39 ++++++++++++++++++++++++++++++++++++++-
>  4 files changed, 47 insertions(+), 1 deletion(-)
> 
> diff --git a/Documentation/module-signing.txt b/Documentation/module-signing.txt
> index c72702e..b0ed080 100644
> --- a/Documentation/module-signing.txt
> +++ b/Documentation/module-signing.txt
> @@ -194,6 +194,8 @@ The hash algorithm used does not have to match the one configured, but if it
>  doesn't, you should make sure that hash algorithm is either built into the
>  kernel or can be loaded without requiring itself.
>  
> +If the private key requires a passphrase or PIN, it can be provided in the
> +$CONFIG_MODULE_SIG_KEY_PASSWORD environment variable.

This works, but probably is not a good idea.  For one, if IKCONFIG is
enabled, the pin is readily visible via /proc/config.gz. 

Mimi

>  ============================
>  SIGNED MODULES AND STRIPPING
> diff --git a/Makefile b/Makefile
> index 9590e67..70c066c 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -875,6 +875,7 @@ ifdef CONFIG_MODULE_SIG_ALL
>  MODSECKEY = $(CONFIG_MODULE_SIG_KEY)
>  MODPUBKEY = ./signing_key.x509
>  export MODPUBKEY
> +export CONFIG_MODULE_SIG_KEY_PASSWORD
>  mod_sign_cmd = scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(MODSECKEY) $(MODPUBKEY)
>  else
>  mod_sign_cmd = true
> diff --git a/init/Kconfig b/init/Kconfig
> index 1ca075a..7bbc857 100644
> --- a/init/Kconfig
> +++ b/init/Kconfig
> @@ -1967,6 +1967,12 @@ config MODULE_SIG_KEY
>           Provide the file name of a private key in PEM format, or a PKCS#11
>           URI according to RFC7512 to specify the key.
>  
> +config MODULE_SIG_KEY_PASSWORD
> +       string "Passphrase or PIN for module signing key if needed" if MODULE_SIG_EXTERNAL_KEY
> +       help
> +         If a passphrase or PIN is required for the private key, provide
> +         it here.
> +
>  config MODULE_COMPRESS
>         bool "Compress modules on installation"
>         depends on MODULES
> diff --git a/scripts/sign-file.c b/scripts/sign-file.c
> index 39aaabe..9a54acc 100755
> --- a/scripts/sign-file.c
> +++ b/scripts/sign-file.c
> @@ -80,9 +80,32 @@ static void drain_openssl_errors(void)
>                 }                                       \
>         } while(0)
>  
> +static char *key_pass;
> +
> +static int pem_pw_cb(char *buf, int len, int w, void *v)
> +{
> +       int pwlen;
> +
> +       if (!key_pass)
> +               return -1;
> +
> +       pwlen = strlen(key_pass);
> +       if (pwlen >= len)
> +               return -1;
> +
> +       strcpy(buf, key_pass);
> +
> +       /* If it's wrong, don't keep trying it. */
> +       free(key_pass);
> +       key_pass = NULL;
> +
> +       return pwlen;
> +}
> +
>  int main(int argc, char **argv)
>  {
>         struct module_signature sig_info = { .id_type = PKEY_ID_PKCS7 };
> +       const char *pass_env;
>         char *hash_algo = NULL;
>         char *private_key_name, *x509_name, *module_name, *dest_name;
>         bool save_pkcs7 = false, replace_orig;
> @@ -96,6 +119,7 @@ int main(int argc, char **argv)
>         BIO *b, *bd = NULL, *bm;
>         int opt, n;
>  
> +       OpenSSL_add_all_algorithms();
>         ERR_load_crypto_strings();
>         ERR_clear_error();
>  
> @@ -127,12 +151,25 @@ int main(int argc, char **argv)
>                 replace_orig = true;
>         }
>  
> +       pass_env = getenv("CONFIG_MODULE_SIG_KEY_PASSWORD");
> +       if (pass_env) {
> +               int pwlen = strlen(pass_env);
> +
> +               if (pass_env[0] == '\"' && pass_env[pwlen - 1] == '\"') {
> +                       pass_env++;
> +                       pwlen -= 2;
> +               }
> +               if (pwlen)
> +                       key_pass = strndup(pass_env, pwlen);
> +       }
> +
>         /* Read the private key and the X.509 cert the PKCS#7 message
>          * will point to.
>          */
>         b = BIO_new_file(private_key_name, "rb");
>         ERR(!b, "%s", private_key_name);
> -        private_key = PEM_read_bio_PrivateKey(b, NULL, NULL, NULL);
> +       private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb, NULL);
> +       ERR(!private_key, "%s", private_key_name);
>         BIO_free(b);
>  
>         b = BIO_new_file(x509_name, "rb");
> -- 
> 2.4.0
> 


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ