Date:	Wed, 12 Aug 2015 10:50:41 +0100
From:	David Woodhouse <dwmw2@...radead.org>
To:	James Morris <jmorris@...ei.org>
Cc:	David Howells <dhowells@...hat.com>, mcgrof@...il.com,
	zohar@...ux.vnet.ibm.com, linux-kernel@...r.kernel.org,
	linux-security-module@...r.kernel.org
Subject: Re: [GIT PULL] MODSIGN: Use PKCS#7 for module signatures [ver #7a]

On Wed, 2015-08-12 at 19:27 +1000, James Morris wrote:
> 
> Yep:
> 
> # CONFIG_MODULE_SIG_SHA512 is not set
> CONFIG_MODULE_SIG_HASH="sha1"
> CONFIG_MODULE_SIG_KEY="signing_key.pem"
> # CONFIG_MODULE_COMPRESS is not set

Can I have the full config please? Not that I understand how anything
else would really make much difference.

> > 
> > At the very end of kernel/Makefile, in the rule for signing_key.x509,
> > please could you add an 'echo $(X509_DEP)' before the call to
> > extract_certs? That ought to be correctly depending on the
> > signing_key.pem file.
> 
> $ make
>   CHK     include/config/kernel.release
>   CHK     include/generated/uapi/linux/version.h
>   CHK     include/generated/utsrelease.h
>   CHK     include/generated/bounds.h
>   CHK     include/generated/timeconst.h
>   CHK     include/generated/asm-offsets.h
>   CALL    scripts/checksyscalls.sh
>   CHK     include/generated/compile.h
> echo 
> 
>   EXTRACT_CERTS   signing_key.pem
> 
> i.e. nothing.

Odd.

What are $(MODULE_SIG_KEY_FILENAME) and $(MODULE_SIG_KEY_SRCPREFIX) ?

I'm going to have to make another pot of coffee if I'm going to debug
the config_filename thing today... :)

I'm scared to start thinking this way but... what version of 'make' are
you using? If your precise .config doesn't help, is there any chance I
can log into an affected box to poke at it?

I've also been testing David's tree (commit f81977b46 precisely), so
perhaps I should also try *precisely* the merged tree you're looking
at. Again, not that I can imagine anything that would make this
difference.

> > 
> > There's magic here to work out the precise dependency, since it might
> > be a filename relative to either the build tree or the source tree.
> > I'll take another look and work out how it copes in the case where the
> > file doesn't exist yet... is this an out-of-tree build?
> > 
> 
> Nope, but try a make mrproper first (as I have) and see if you get the
> same result.

I've been testing that, both in-tree and out-of-tree. I can't make it
*fail* to set X509_DEP and thus depend correctly on the signing_key.pem
file.


-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse@...el.com                              Intel Corporation
