Message-ID: <alpine.LRH.2.20.1508122002090.17160@namei.org>
Date: Wed, 12 Aug 2015 20:08:00 +1000 (AEST)
From: James Morris <jmorris@...ei.org>
To: David Woodhouse <dwmw2@...radead.org>
cc: David Howells <dhowells@...hat.com>, mcgrof@...il.com,
Mimi Zohar <zohar@...ux.vnet.ibm.com>,
linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org
Subject: Re: [GIT PULL] MODSIGN: Use PKCS#7 for module signatures [ver #7a]

On Wed, 12 Aug 2015, David Woodhouse wrote:

> On Wed, 2015-08-12 at 19:27 +1000, James Morris wrote:
> >
> > Yep:
> >
> > # CONFIG_MODULE_SIG_SHA512 is not set
> > CONFIG_MODULE_SIG_HASH="sha1"
> > CONFIG_MODULE_SIG_KEY="signing_key.pem"
> > # CONFIG_MODULE_COMPRESS is not set
>
> Can I have the full config please? Not that I understand how anything
> else would really make much difference.

Attached.

>
> > >
> > > At the very end of kernel/Makefile, in the rule for
> > signing_key.x509,
> > > please could you add an 'echo $(X509_DEP)' before the call to
> > > extract_certs? That ought to be correctly depending on the
> > > signing_key.pem file.
> >
> > $ make
> > CHK include/config/kernel.release
> > CHK include/generated/uapi/linux/version.h
> > CHK include/generated/utsrelease.h
> > CHK include/generated/bounds.h
> > CHK include/generated/timeconst.h
> > CHK include/generated/asm-offsets.h
> > CALL scripts/checksyscalls.sh
> > CHK include/generated/compile.h
> > echo
> >
> > EXTRACT_CERTS signing_key.pem
> >
> > i.e. nothing.
>
> Odd.
>
> What are $(MODULE_SIG_KEY_FILENAME) and $(MODULE_SIG_KEY_SRCPREFIX) ?

They're empty.

>
> I'm going to have to make another pot of coffee if I'm going to debug
> the config_filename thing today... :)
>
> I'm scared to start thinking this way but... what version of 'make' are
> you using? If your precise .config doesn't help, is there any chance I
> can log into an affected box to poke at it?
>

make-3.81-20.el6.x86_64

The machine is not accessible, sorry.

> I've also been testing David's tree (commit f81977b46 precisely), so
> perhaps I should also try *precisely* the merged tree you're looking
> at. Again, not that I can imagine anything that would make this
> difference.
>

It's the next branch of my repo, with his latest pull request.

> > >
> > > There's magic here to work out the precise dependency, since it
> > might
> > > be a filename relative to either the build tree or the source tree.
> > > I'll take another look and work out how it copes in the case where
> > the
> > > file doesn't exist yet... is this an out-of-tree build?
> > >
> >
> > Nope, but try a make mrproper first (as I have) and see if you get
> > the same result.
>
> I've been testing that, both in-tree and out-of-tree. I can't make it
> *fail* to set X509_DEP and thus depend correctly on the signing_key.pem
> file.

Where is MODULE_SIG_KEY_FILENAME assigned?

--
James Morris
<jmorris@...ei.org>
View attachment "config.txt" of type "text/plain" (102339 bytes)