lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20210218103222.58854-1-songyang@linux.alibaba.com>
Date:   Thu, 18 Feb 2021 18:32:22 +0800
From:   Yang Song <songyang@...ux.alibaba.com>
To:     dhowells@...hat.com, dwmw2@...radead.org, keyrings@...r.kernel.org,
        linux-kernel@...r.kernel.org
Cc:     zhang.jia@...ux.alibaba.com, tianjia.zhang@...ux.alibaba.com,
        songyang@...ux.alibaba.com
Subject: [PATCH v2] sign-file: add openssl engine support

Use a customized signature service supported by openssl engine
to sign the kernel module.
Add command line parameters that support engine for sign-file
to use the customized openssl engine service to sign kernel modules.

Signed-off-by: Yang Song <songyang@...ux.alibaba.com>
---
 scripts/sign-file.c | 54 +++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 52 insertions(+), 2 deletions(-)

diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index fbd34b8e8f57..897976c859da 100644
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -70,7 +70,7 @@ static __attribute__((noreturn))
 void format(void)
 {
 	fprintf(stderr,
-		"Usage: scripts/sign-file [-dp] <hash algo> <key> <x509> <module> [<dest>]\n");
+		"Usage: scripts/sign-file [-dp] [-e <openssl engine>] <hash algo> <key> <x509> <module> [<dest>]\n");
 	fprintf(stderr,
 		"       scripts/sign-file -s <raw sig> <hash algo> <x509> <module> [<dest>]\n");
 	exit(2);
@@ -206,9 +206,52 @@ static X509 *read_x509(const char *x509_name)
 	return x509;
 }
 
+/* Try to load an engine in a shareable library */
+static ENGINE *try_load_engine(const char *engine)
+{
+	ENGINE *e = NULL;
+
+	e = ENGINE_by_id("dynamic");
+	if (e) {
+		if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", engine, 0)
+			|| !ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0)) {
+			ENGINE_free(e);
+			e = NULL;
+		}
+	}
+	return e;
+}
+
+static ENGINE *setup_engine(const char *engine)
+{
+	ENGINE *e = NULL;
+
+	if (engine) {
+		e = ENGINE_by_id(engine);
+		if (e == NULL) {
+			e = try_load_engine(engine);
+			if (e == NULL) {
+				ERR(1, "Invalid engine \"%s\"\n", engine);
+				return NULL;
+			}
+		}
+
+		if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
+			ERR(1, "Can't use that engine\n");
+			ENGINE_free(e);
+			return NULL;
+		}
+
+		fprintf(stdout,  "Engine \"%s\" set.\n", ENGINE_get_id(e));
+	}
+
+	return e;
+}
+
 int main(int argc, char **argv)
 {
 	struct module_signature sig_info = { .id_type = PKEY_ID_PKCS7 };
+	char *ossl_engine = NULL;
 	char *hash_algo = NULL;
 	char *private_key_name = NULL, *raw_sig_name = NULL;
 	char *x509_name, *module_name, *dest_name;
@@ -242,8 +285,9 @@ int main(int argc, char **argv)
 #endif
 
 	do {
-		opt = getopt(argc, argv, "sdpk");
+		opt = getopt(argc, argv, "se:dpk");
 		switch (opt) {
+		case 'e': ossl_engine = optarg; break;
 		case 's': raw_sig = true; break;
 		case 'p': save_sig = true; break;
 		case 'd': sign_only = true; save_sig = true; break;
@@ -291,6 +335,12 @@ int main(int argc, char **argv)
 	ERR(!bm, "%s", module_name);
 
 	if (!raw_sig) {
+		if (ossl_engine != NULL) {
+			/* Engine setup */
+			ENGINE_load_builtin_engines();
+			setup_engine(ossl_engine);
+		}
+
 		/* Read the private key and the X.509 cert the PKCS#7 message
 		 * will point to.
 		 */
-- 
2.19.1.3.ge56e4f7

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ