Message-ID: <4346.1439435629@warthog.procyon.org.uk>
Date: Thu, 13 Aug 2015 04:13:49 +0100
From: David Howells <dhowells@...hat.com>
To: James Morris <jmorris@...ei.org>
Cc: dhowells@...hat.com, mcgrof@...il.com, zohar@...ux.vnet.ibm.com,
dwmw2@...radead.org, linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org
Subject: Re: [GIT PULL] MODSIGN: Use PKCS#7 for module signatures [ver #8]

Okay, I've fixed both of those bugs with patches tagged on the end of the
commit sequence. Here's a revised pull request with a new tag. Do you
want me to generate a complete new request message?

David
---
The following changes since commit 459c15e53cf7e4e88a78ecfb109af5a267c5500a:

  Merge tag 'asn1-fixes-20150805' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs into next (2015-08-07 13:27:58 +1000)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git tags/modsign-pkcs7-20150812-3

for you to fetch changes up to e9a5e8cc55286941503f36c5b7485a5aa923b3f1:

  sign-file: Fix warning about BIO_reset() return value (2015-08-13 04:03:12 +0100)

----------------------------------------------------------------
Module signing with PKCS#7
----------------------------------------------------------------
David Howells (19):
      ASN.1: Add an ASN.1 compiler option to dump the element tree
      ASN.1: Copy string names to tokens in ASN.1 compiler
      X.509: Extract both parts of the AuthorityKeyIdentifier
      X.509: Support X.509 lookup by Issuer+Serial form AuthorityKeyIdentifier
      PKCS#7: Allow detached data to be supplied for signature checking purposes
      MODSIGN: Provide a utility to append a PKCS#7 signature to a module
      MODSIGN: Use PKCS#7 messages as module signatures
      system_keyring.c doesn't need to #include module-internal.h
      MODSIGN: Extract the blob PKCS#7 signature verifier from module signing
      PKCS#7: Check content type and versions
      X.509: Change recorded SKID & AKID to not include Subject or Issuer
      PKCS#7: Support CMS messages also [RFC5652]
      sign-file: Generate CMS message as signature instead of PKCS#7
      PKCS#7: Improve and export the X.509 ASN.1 time object decoder
      KEYS: Add a name for PKEY_ID_PKCS7
      PKCS#7: Appropriately restrict authenticated attributes and content type
      sign-file: Document dependency on OpenSSL devel libraries
      PKCS#7: Add MODULE_LICENSE() to test module
      sign-file: Fix warning about BIO_reset() return value

David Woodhouse (9):
      modsign: Abort modules_install when signing fails
      modsign: Allow password to be specified for signing key
      modsign: Allow signing key to be PKCS#11
      modsign: Allow external signing key to be specified
      modsign: Extract signing cert from CONFIG_MODULE_SIG_KEY if needed
      modsign: Use single PEM file for autogenerated key
      modsign: Add explicit CONFIG_SYSTEM_TRUSTED_KEYS option
      extract-cert: Cope with multiple X.509 certificates in a single file
      modsign: Use extract-cert to process CONFIG_SYSTEM_TRUSTED_KEYS

Luis R. Rodriguez (1):
      sign-file: Add option to only create signature file

 .gitignore                                |   1 +
 Documentation/kbuild/kbuild.txt           |   5 +
 Documentation/module-signing.txt          |  54 +++-
 Makefile                                  |   8 +-
 arch/x86/kernel/kexec-bzimage64.c         |   4 +-
 crypto/asymmetric_keys/Makefile           |   8 +-
 crypto/asymmetric_keys/asymmetric_type.c  |  11 +
 crypto/asymmetric_keys/pkcs7.asn1         |  22 +-
 crypto/asymmetric_keys/pkcs7_key_type.c   |  17 +-
 crypto/asymmetric_keys/pkcs7_parser.c     | 269 ++++++++++++++++++-
 crypto/asymmetric_keys/pkcs7_parser.h     |  20 +-
 crypto/asymmetric_keys/pkcs7_trust.c      |  10 +-
 crypto/asymmetric_keys/pkcs7_verify.c     | 145 ++++++++--
 crypto/asymmetric_keys/public_key.c       |   1 +
 crypto/asymmetric_keys/verify_pefile.c    |   7 +-
 crypto/asymmetric_keys/x509_akid.asn1     |  35 +++
 crypto/asymmetric_keys/x509_cert_parser.c | 231 ++++++++++------
 crypto/asymmetric_keys/x509_parser.h      |  12 +-
 crypto/asymmetric_keys/x509_public_key.c  |  95 ++++---
 include/crypto/pkcs7.h                    |  13 +-
 include/crypto/public_key.h               |  18 +-
 include/keys/system_keyring.h             |   7 +
 include/linux/oid_registry.h              |   4 +-
 include/linux/verify_pefile.h             |   6 +-
 init/Kconfig                              |  59 ++++-
 kernel/Makefile                           | 112 +++++---
 kernel/module_signing.c                   | 213 ++-------------
 kernel/system_certificates.S              |   3 +
 kernel/system_keyring.c                   |  53 +++-
 scripts/Makefile                          |   4 +
 scripts/Makefile.modinst                  |   2 +-
 scripts/asn1_compiler.c                   | 229 ++++++++++------
 scripts/extract-cert.c                    | 166 ++++++++++++
 scripts/sign-file                         | 421 ------------------------------
 scripts/sign-file.c                       | 260 ++++++++++++++++++
 35 files changed, 1597 insertions(+), 928 deletions(-)
 create mode 100644 crypto/asymmetric_keys/x509_akid.asn1
 create mode 100644 scripts/extract-cert.c
 delete mode 100755 scripts/sign-file
 create mode 100755 scripts/sign-file.c