Message-ID: <1455099913.365.9.camel@infradead.org>
Date:	Wed, 10 Feb 2016 10:25:13 +0000
From:	David Woodhouse <dwmw2@...radead.org>
To:	David Howells <dhowells@...hat.com>,
	Juerg Haefliger <juerg.haefliger@....com>
Cc:	linux-kernel@...r.kernel.org, keyrings@...r.kernel.org
Subject: Re: [PATCH v2] scripts/sign-file.c: Add support for signing with a
 raw signature

On Wed, 2016-02-10 at 10:12 +0000, David Howells wrote:
> Juerg Haefliger <juerg.haefliger@....com> wrote:
> 
> > This patch adds support for signing a kernel module with a raw
> > detached PKCS#7 signature/message.
> > 
> > The signature is not converted and is simply appended to the module so
> > it needs to be in the right format. Using openssl, a valid signature can
> > be generated like this:
> >   $ openssl smime -sign -nocerts -noattr -binary -in  -inkey \
> >      -signer  -outform der -out 
> > 
> > The resulting raw signature from the above command is (more or less)
> > identical to the raw signature that sign-file itself can produce like
> > this:
> >   $ scripts/sign-file -d    
> 
> What's the usage case for this?  Can it be done instead with openssl PKCS#11?

Ah, right. That's what it was doing. Yeah, I have a vague recollection
of looking at this as we were doing the conversion to C, and concluding
that it was indeed a hackish workaround for the fact that the existing
setup didn't allow using external crypto devices via PKCS#11.

If you want to generate your signatures using external hardware, then
using sign-file with a PKCS#11 key definitely seems like the way to do
it. I believe I even tested it with the p11-kit remote mechanism, doing
the signing on a remote system over SSH.

There doesn't seem to be much of an excuse for doing otherwise on
security grounds — if this is the build system and you're going to
trust the modules which were built here, then copying them to a separate
system and producing the signatures there is not really any different
to just allowing this system to invoke the signature-creation for
itself via PKCS#11, is it?

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse@...el.com                              Intel Corporation
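
Added example, not part of the original message or of the kernel's own code: the quoted patch description says the raw signature is appended unconverted and so must be in the right format, and this sketch shows what a build-side check of that can look like. The trailer layout and marker string are taken from the kernel's module signature format (struct module_signature), which the thread does not spell out; the function names and sample bytes are hypothetical.

```python
import struct

MAGIC = b"~Module signature appended~\n"   # marker the kernel looks for at EOF
PKEY_ID_PKCS7 = 2                            # id_type for a PKCS#7 signature
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# 3 pad bytes, then sig_len as a big-endian 32-bit integer (12 bytes total).
INFO = struct.Struct(">5B3sI")


def append_raw_signature(module: bytes, sig_der: bytes) -> bytes:
    """Append an unconverted signature: module, signature, info block, marker."""
    info = INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, b"\0\0\0", len(sig_der))
    return module + sig_der + info + MAGIC


def check_signed_module(blob: bytes):
    """Return (module_bytes, signature_bytes) or raise ValueError."""
    if not blob.endswith(MAGIC):
        raise ValueError("no module signature marker")
    body = blob[:-len(MAGIC)]
    if len(body) < INFO.size:
        raise ValueError("truncated signature info block")
    algo, hash_, id_type, signer_len, key_id_len, pad, sig_len = INFO.unpack(
        body[-INFO.size:])
    if id_type != PKEY_ID_PKCS7:
        raise ValueError("signature is not marked as PKCS#7")
    if any((algo, hash_, signer_len, key_id_len)) or pad != b"\0\0\0":
        raise ValueError("fields that must be zero for PKCS#7 are set")
    body = body[:-INFO.size]
    if sig_len == 0 or sig_len > len(body):
        raise ValueError("sig_len does not fit inside the file")
    sig = body[-sig_len:]
    # DER PKCS#7 is an ASN.1 SEQUENCE (tag 0x30). PEM or S/MIME text output,
    # e.g. from omitting -outform der, fails here. This is a sanity check
    # only, not a PKCS#7 parse or a signature verification.
    if sig[0] != 0x30:
        raise ValueError("signature is not DER encoded")
    return body[:-sig_len], sig


# Constructed sample data: a stand-in module and a DER stub, not real PKCS#7.
SAMPLE_MODULE = b"\x7fELF" + b"\0" * 60
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = b"-----BEGIN PKCS7-----\nMIIB\n-----END PKCS7-----\n"

if __name__ == "__main__":
    mod, sig = check_signed_module(append_raw_signature(SAMPLE_MODULE, SAMPLE_DER))
    print(len(mod), sig.hex())
```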

