lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20241015222235.71040-5-jeremy.linton@arm.com>
Date: Tue, 15 Oct 2024 17:22:34 -0500
From: Jeremy Linton <jeremy.linton@....com>
To: linux-kernel@...r.kernel.org
Cc: akpm@...ux-foundation.org,
	hch@....de,
	gregkh@...uxfoundation.org,
	graf@...zon.com,
	lukas@...ner.de,
	wufan@...ux.microsoft.com,
	brauner@...nel.org,
	jsperbeck@...gle.com,
	ardb@...nel.org,
	linux-crypto@...r.kernel.org,
	linux-kbuild@...r.kernel.org,
	keyrings@...r.kernel.org,
	Jeremy Linton <jeremy.linton@....com>
Subject: [RFC 4/5] sign-file: Add -i option to sign initramfs images

The initramfs signature is the mod signature with a differing string
to assure that cpio archives with a signed module at the end can never
be confused for a valid signed initramfs.

To support this, add a -i option to sign-file, which replaces the
"Module signature appended" string with "initrd signature appended",
which is the same length.

Signed-off-by: Jeremy Linton <jeremy.linton@....com>
---
 scripts/sign-file.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index 7070245edfc1..bbf97a57311a 100644
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -75,6 +75,7 @@ struct module_signature {
 #define PKEY_ID_PKCS7 2
 
 static char magic_number[] = "~Module signature appended~\n";
+static char magic_initrd[] = "~initrd signature appended~\n";
 
 static __attribute__((noreturn))
 void format(void)
@@ -226,6 +227,7 @@ int main(int argc, char **argv)
 	bool save_sig = false, replace_orig;
 	bool sign_only = false;
 	bool raw_sig = false;
+	bool initrd_sig = false;
 	unsigned char buf[4096];
 	unsigned long module_size, sig_size;
 	unsigned int use_signed_attrs;
@@ -253,7 +255,7 @@ int main(int argc, char **argv)
 #endif
 
 	do {
-		opt = getopt(argc, argv, "sdpk");
+		opt = getopt(argc, argv, "sdpki");
 		switch (opt) {
 		case 's': raw_sig = true; break;
 		case 'p': save_sig = true; break;
@@ -261,6 +263,7 @@ int main(int argc, char **argv)
 #ifndef USE_PKCS7
 		case 'k': use_keyid = CMS_USE_KEYID; break;
 #endif
+		case 'i': initrd_sig = true; break;
 		case -1: break;
 		default: format();
 		}
@@ -398,7 +401,11 @@ int main(int argc, char **argv)
 	sig_size = BIO_number_written(bd) - module_size;
 	sig_info.sig_len = htonl(sig_size);
 	ERR(BIO_write(bd, &sig_info, sizeof(sig_info)) < 0, "%s", dest_name);
-	ERR(BIO_write(bd, magic_number, sizeof(magic_number) - 1) < 0, "%s", dest_name);
+	if (initrd_sig)
+		ERR(BIO_write(bd, magic_initrd, sizeof(magic_initrd) - 1) < 0, "%s", dest_name);
+	else
+		ERR(BIO_write(bd, magic_number, sizeof(magic_number) - 1) < 0, "%s", dest_name);
+
 
 	ERR(BIO_free(bd) != 1, "%s", dest_name);
 
-- 
2.46.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ