[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1432084120-7918-3-git-send-email-mmarek@suse.cz>
Date: Wed, 20 May 2015 09:08:40 +0800
From: Michal Marek <mmarek@...e.cz>
To: dhowells@...hat.com
Cc: torvalds@...ux-foundation.org, aricart@...nix.com,
linux-kernel@...r.kernel.org, sedat.dilek@...il.com,
keyrings@...ux-nfs.org, rusty@...tcorp.com.au,
linux-security-module@...r.kernel.org, james.l.morris@...cle.com,
dwmw2@...radead.org
Subject: [PATCH 3/3] MODSIGN: Split user-supplied and autogenerated signing key
Allow the users to place signing_key.{x509,priv} and x509.genkey in the
source tree. If any of these files is missing, generate the file in the
build tree with an .auto suffix. This avoids problems with overwriting
user-supplied files.
Signed-off-by: Michal Marek <mmarek@...e.cz>
---
.gitignore | 2 ++
Documentation/module-signing.txt | 10 ++++++---
Makefile | 5 +++--
kernel/Makefile | 46 ++++++++++++++++++++--------------------
4 files changed, 35 insertions(+), 28 deletions(-)
diff --git a/.gitignore b/.gitignore
index 4ad4a98..92b9bc8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -100,6 +100,8 @@ extra_certificates
signing_key.priv
signing_key.x509
x509.genkey
+signing_key.*.auto
+x509.genkey.auto
# Kconfig presets
all.config
diff --git a/Documentation/module-signing.txt b/Documentation/module-signing.txt
index c72702e..74121fb 100644
--- a/Documentation/module-signing.txt
+++ b/Documentation/module-signing.txt
@@ -100,18 +100,22 @@ it can be deleted or stored securely. The public key gets built into the
kernel so that it can be used to check the signatures as the modules are
loaded.
-Under normal conditions, the kernel build will automatically generate a new
-keypair using openssl if one does not exist in the files:
+The kernel expects the keypair to be stored in the files:
signing_key.priv
signing_key.x509
+If the keypair is not supplied, the kernel will generate it as:
+
+ signing_key.priv.auto
+ signing_key.x509.auto
+
during the building of vmlinux (the public part of the key needs to be built
into vmlinux) using parameters in the:
x509.genkey
-file (which is also generated if it does not already exist).
+file (which, if not supplied, is also generated as x509.genkey.auto).
It is strongly recommended that you provide your own x509.genkey file.
diff --git a/Makefile b/Makefile
index 2da553f..f46e76a 100644
--- a/Makefile
+++ b/Makefile
@@ -872,8 +872,8 @@ INITRD_COMPRESS-$(CONFIG_RD_LZ4) := lz4
# export INITRD_COMPRESS := $(INITRD_COMPRESS-y)
ifdef CONFIG_MODULE_SIG_ALL
-MODSECKEY = ./signing_key.priv
-MODPUBKEY = ./signing_key.x509
+MODSECKEY = $(firstword $(wildcard $(srctree)/signing_key.priv) ./signing_key.priv.auto)
+MODPUBKEY = $(firstword $(wildcard $(srctree)/signing_key.x509) ./signing_key.x509.auto)
export MODPUBKEY
mod_sign_cmd = perl $(srctree)/scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(MODSECKEY) $(MODPUBKEY)
else
@@ -1176,6 +1176,7 @@ MRPROPER_DIRS += include/config usr/include include/generated \
MRPROPER_FILES += .config .config.old .version .old_version \
Module.symvers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS \
signing_key.priv signing_key.x509 x509.genkey \
+ signing_key.*.auto x509.genkey.auto \
extra_certificates signing_key.x509.keyid \
signing_key.x509.signer vmlinux-gdb.py
diff --git a/kernel/Makefile b/kernel/Makefile
index 3177160..58e6ca7 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -126,7 +126,7 @@ $(obj)/config_data.h: $(obj)/config_data.gz FORCE
###############################################################################
ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y)
X509_CERTIFICATES-y := $(wildcard *.x509)
-X509_CERTIFICATES-$(CONFIG_MODULE_SIG) += signing_key.x509
+X509_CERTIFICATES-$(CONFIG_MODULE_SIG) += $(if $(wildcard $(srctree)/signing_key.x509),,signing_key.x509.auto)
X509_CERTIFICATES := $(sort $(X509_CERTIFICATES-y))
ifneq ($(objtree),$(srctree))
X509_CERTIFICATES += $(sort $(wildcard $(srctree)/*.x509))
@@ -167,7 +167,7 @@ ifndef CONFIG_MODULE_SIG_HASH
$(error Could not determine digest type to use from kernel config)
endif
-signing_key.priv signing_key.x509: x509.genkey
+signing_key.priv.auto signing_key.x509.auto: $(firstword $(wildcard $(srctree)/x509.genkey) x509.genkey.auto)
@echo "###"
@echo "### Now generating an X.509 key pair to be used for signing modules."
@echo "###"
@@ -177,30 +177,30 @@ signing_key.priv signing_key.x509: x509.genkey
@echo "### number generator if one is available."
@echo "###"
openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \
- -batch -x509 -config x509.genkey \
- -outform DER -out signing_key.x509 \
- -keyout signing_key.priv 2>&1
+ -batch -x509 -config $< \
+ -outform DER -out signing_key.x509.auto \
+ -keyout signing_key.priv.auto 2>&1
@echo "###"
@echo "### Key pair generated."
@echo "###"
-x509.genkey:
+x509.genkey.auto:
@echo Generating X.509 key generation config
- @echo >x509.genkey "[ req ]"
- @echo >>x509.genkey "default_bits = 4096"
- @echo >>x509.genkey "distinguished_name = req_distinguished_name"
- @echo >>x509.genkey "prompt = no"
- @echo >>x509.genkey "string_mask = utf8only"
- @echo >>x509.genkey "x509_extensions = myexts"
- @echo >>x509.genkey
- @echo >>x509.genkey "[ req_distinguished_name ]"
- @echo >>x509.genkey "#O = Unspecified company"
- @echo >>x509.genkey "CN = Build time autogenerated kernel key"
- @echo >>x509.genkey "#emailAddress = unspecified.user@...pecified.company"
- @echo >>x509.genkey
- @echo >>x509.genkey "[ myexts ]"
- @echo >>x509.genkey "basicConstraints=critical,CA:FALSE"
- @echo >>x509.genkey "keyUsage=digitalSignature"
- @echo >>x509.genkey "subjectKeyIdentifier=hash"
- @echo >>x509.genkey "authorityKeyIdentifier=keyid"
+ @echo >$@ "[ req ]"
+ @echo >>$@ "default_bits = 4096"
+ @echo >>$@ "distinguished_name = req_distinguished_name"
+ @echo >>$@ "prompt = no"
+ @echo >>$@ "string_mask = utf8only"
+ @echo >>$@ "x509_extensions = myexts"
+ @echo >>$@
+ @echo >>$@ "[ req_distinguished_name ]"
+ @echo >>$@ "#O = Unspecified company"
+ @echo >>$@ "CN = Build time autogenerated kernel key"
+ @echo >>$@ "#emailAddress = unspecified.user@...pecified.company"
+ @echo >>$@
+ @echo >>$@ "[ myexts ]"
+ @echo >>$@ "basicConstraints=critical,CA:FALSE"
+ @echo >>$@ "keyUsage=digitalSignature"
+ @echo >>$@ "subjectKeyIdentifier=hash"
+ @echo >>$@ "authorityKeyIdentifier=keyid"
endif
--
2.1.4
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists