From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: David Woodhouse <David.Woodhouse@intel.com>
Cc: dhowells@redhat.com, rusty@rustcorp.com.au, mmarek@suse.cz,
mjg59@srcf.ucam.org, keyrings@linux-nfs.org,
dmitry.kasatkin@gmail.com, mcgrof@suse.com,
linux-kernel@vger.kernel.org, seth.forshee@canonical.com,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH 3/4] modsign: Allow password to be specified for signing key
Date: Mon, 18 May 2015 21:37:54 -0400 [thread overview]
Message-ID: <1431999474.4510.17.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <1431708823.4727.11.camel@infradead.org>
On Fri, 2015-05-15 at 17:53 +0100, David Woodhouse wrote:
> Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
> ---
> Documentation/module-signing.txt | 2 ++
> Makefile | 1 +
> init/Kconfig | 6 ++++++
> scripts/sign-file.c | 39 ++++++++++++++++++++++++++++++++++++++-
> 4 files changed, 47 insertions(+), 1 deletion(-)
>
> diff --git a/Documentation/module-signing.txt b/Documentation/module-signing.txt
> index c72702e..b0ed080 100644
> --- a/Documentation/module-signing.txt
> +++ b/Documentation/module-signing.txt
> @@ -194,6 +194,8 @@ The hash algorithm used does not have to match the one configured, but if it
> doesn't, you should make sure that hash algorithm is either built into the
> kernel or can be loaded without requiring itself.
>
> +If the private key requires a passphrase or PIN, it can be provided in the
> +$CONFIG_MODULE_SIG_KEY_PASSWORD environment variable.
This works, but probably is not a good idea. For one, if IKCONFIG is
enabled, the pin is readily visible via /proc/config.gz.
Mimi
> ============================
> SIGNED MODULES AND STRIPPING
> diff --git a/Makefile b/Makefile
> index 9590e67..70c066c 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -875,6 +875,7 @@ ifdef CONFIG_MODULE_SIG_ALL
> MODSECKEY = $(CONFIG_MODULE_SIG_KEY)
> MODPUBKEY = ./signing_key.x509
> export MODPUBKEY
> +export CONFIG_MODULE_SIG_KEY_PASSWORD
> mod_sign_cmd = scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(MODSECKEY) $(MODPUBKEY)
> else
> mod_sign_cmd = true
> diff --git a/init/Kconfig b/init/Kconfig
> index 1ca075a..7bbc857 100644
> --- a/init/Kconfig
> +++ b/init/Kconfig
> @@ -1967,6 +1967,12 @@ config MODULE_SIG_KEY
> Provide the file name of a private key in PEM format, or a PKCS#11
> URI according to RFC7512 to specify the key.
>
> +config MODULE_SIG_KEY_PASSWORD
> + string "Passphrase or PIN for module signing key if needed" if MODULE_SIG_EXTERNAL_KEY
> + help
> + If a passphrase or PIN is required for the private key, provide
> + it here.
> +
> config MODULE_COMPRESS
> bool "Compress modules on installation"
> depends on MODULES
> diff --git a/scripts/sign-file.c b/scripts/sign-file.c
> index 39aaabe..9a54acc 100755
> --- a/scripts/sign-file.c
> +++ b/scripts/sign-file.c
> @@ -80,9 +80,32 @@ static void drain_openssl_errors(void)
> } \
> } while(0)
>
> +static char *key_pass;
> +
> +static int pem_pw_cb(char *buf, int len, int w, void *v)
> +{
> + int pwlen;
> +
> + if (!key_pass)
> + return -1;
> +
> + pwlen = strlen(key_pass);
> + if (pwlen >= len)
> + return -1;
> +
> + strcpy(buf, key_pass);
> +
> + /* If it's wrong, don't keep trying it. */
> + free(key_pass);
> + key_pass = NULL;
> +
> + return pwlen;
> +}
> +
> int main(int argc, char **argv)
> {
> struct module_signature sig_info = { .id_type = PKEY_ID_PKCS7 };
> + const char *pass_env;
> char *hash_algo = NULL;
> char *private_key_name, *x509_name, *module_name, *dest_name;
> bool save_pkcs7 = false, replace_orig;
> @@ -96,6 +119,7 @@ int main(int argc, char **argv)
> BIO *b, *bd = NULL, *bm;
> int opt, n;
>
> + OpenSSL_add_all_algorithms();
> ERR_load_crypto_strings();
> ERR_clear_error();
>
> @@ -127,12 +151,25 @@ int main(int argc, char **argv)
> replace_orig = true;
> }
>
> + pass_env = getenv("CONFIG_MODULE_SIG_KEY_PASSWORD");
> + if (pass_env) {
> + int pwlen = strlen(pass_env);
> +
> + if (pass_env[0] == '\"' && pass_env[pwlen - 1] == '\"') {
> + pass_env++;
> + pwlen -= 2;
> + }
> + if (pwlen)
> + key_pass = strndup(pass_env, pwlen);
> + }
> +
> /* Read the private key and the X.509 cert the PKCS#7 message
> * will point to.
> */
> b = BIO_new_file(private_key_name, "rb");
> ERR(!b, "%s", private_key_name);
> - private_key = PEM_read_bio_PrivateKey(b, NULL, NULL, NULL);
> + private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb, NULL);
> + ERR(!private_key, "%s", private_key_name);
> BIO_free(b);
>
> b = BIO_new_file(x509_name, "rb");
> --
> 2.4.0
>
next prev parent reply other threads:[~2015-05-19 1:38 UTC|newest]
Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-15 12:35 [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4] David Howells
2015-05-15 12:35 ` [PATCH 1/8] X.509: Extract both parts of the AuthorityKeyIdentifier " David Howells
2015-05-15 12:35 ` [PATCH 2/8] X.509: Support X.509 lookup by Issuer+Serial form " David Howells
2015-05-15 12:35 ` [PATCH 3/8] PKCS#7: Allow detached data to be supplied for signature checking purposes " David Howells
2015-05-15 12:35 ` [PATCH 4/8] MODSIGN: Provide a utility to append a PKCS#7 signature to a module " David Howells
2015-05-20 0:50 ` Andy Lutomirski
2015-05-20 13:14 ` David Howells
2015-05-20 16:00 ` Andy Lutomirski
2015-05-15 12:36 ` [PATCH 5/8] MODSIGN: Use PKCS#7 messages as module signatures " David Howells
2015-05-15 12:36 ` [PATCH 6/8] sign-file: Add option to only create signature file " David Howells
2015-05-15 19:07 ` sign-file and detached PKCS#7 firmware signatures David Howells
2015-05-18 23:13 ` Luis R. Rodriguez
2015-05-19 9:25 ` David Howells
2015-05-19 16:19 ` Luis R. Rodriguez
2015-05-19 16:48 ` David Howells
2015-05-19 18:21 ` Luis R. Rodriguez
2015-05-19 18:35 ` Luis R. Rodriguez
2015-05-19 18:47 ` David Howells
2015-05-19 20:12 ` Luis R. Rodriguez
2015-05-19 20:29 ` David Howells
2015-05-15 12:36 ` [PATCH 7/8] system_keyring.c doesn't need to #include module-internal.h [ver #4] David Howells
2015-05-15 12:36 ` [PATCH 8/8] MODSIGN: Extract the blob PKCS#7 signature verifier from module signing " David Howells
2015-05-15 13:46 ` [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures " David Woodhouse
2015-05-15 16:52 ` [PATCH 1/4] modsign: Abort modules_install when signing fails David Woodhouse
2015-05-19 1:29 ` Mimi Zohar
2015-05-19 6:40 ` Woodhouse, David
2015-05-19 11:45 ` Mimi Zohar
2015-05-19 12:57 ` Woodhouse, David
2015-05-19 13:54 ` Mimi Zohar
2015-05-15 16:53 ` [PATCH 2/4] modsign: Allow external signing key to be specified David Woodhouse
2015-05-15 16:53 ` [PATCH 3/4] modsign: Allow password to be specified for signing key David Woodhouse
2015-05-19 1:37 ` Mimi Zohar [this message]
2015-05-15 16:54 ` [PATCH 4/4] modsign: Allow signing key to be PKCS#11 David Woodhouse
2015-05-18 12:43 ` David Howells
2015-05-15 22:51 ` [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4] Rusty Russell
2015-05-19 14:45 ` [PATCH 9/8] modsign: Abort modules_install when signing fails David Woodhouse
2015-05-19 14:45 ` [PATCH 10/8] modsign: Allow password to be specified for signing key David Woodhouse
2015-05-19 15:36 ` David Howells
2015-05-19 15:50 ` Petko Manolov
2015-05-19 16:15 ` David Woodhouse
2015-05-19 16:34 ` Petko Manolov
2015-05-19 18:39 ` Mimi Zohar
2015-05-19 18:48 ` David Howells
2015-05-19 19:14 ` Mimi Zohar
2015-05-19 20:04 ` David Woodhouse
2015-05-19 14:46 ` [PATCH 11/8] modsign: Allow signing key to be PKCS#11 David Woodhouse
2015-05-19 14:46 ` [PATCH 12/8] modsign: Allow external signing key to be specified David Woodhouse
2015-05-19 14:47 ` [PATCH 13/8] modsign: Extract signing cert from CONFIG_MODULE_SIG_KEY if needed David Woodhouse
2015-05-20 0:36 ` [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4] Andy Lutomirski
2015-05-20 13:36 ` David Howells
2015-05-20 15:56 ` Andy Lutomirski
2015-05-20 16:21 ` Petko Manolov
2015-05-20 16:41 ` Andy Lutomirski
2015-05-20 16:55 ` Petko Manolov
2015-05-21 21:38 ` Luis R. Rodriguez
2015-05-21 21:44 ` Andy Lutomirski
2015-05-21 21:59 ` Luis R. Rodriguez
2015-05-21 22:06 ` Andy Lutomirski
2015-05-21 22:16 ` Luis R. Rodriguez
2015-05-21 22:24 ` Andy Lutomirski
2015-05-21 22:31 ` Luis R. Rodriguez
2015-05-21 22:47 ` Andy Lutomirski
2015-05-21 23:01 ` Luis R. Rodriguez
2015-05-21 23:09 ` Andy Lutomirski
2015-05-22 7:56 ` David Howells
2015-05-22 12:42 ` Mimi Zohar
2015-05-22 7:49 ` David Howells
2015-05-22 7:48 ` David Howells
2015-05-22 12:28 ` Mimi Zohar
2015-05-24 10:52 ` Petko Manolov
2015-05-21 13:59 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1431999474.4510.17.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=David.Woodhouse@intel.com \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=keyrings@linux-nfs.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mcgrof@suse.com \
--cc=mjg59@srcf.ucam.org \
--cc=mmarek@suse.cz \
--cc=rusty@rustcorp.com.au \
--cc=seth.forshee@canonical.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.