From: Dmitry Kasatkin <d.kasatkin@samsung.com>
To: David Howells <dhowells@redhat.com>, rusty@rustcorp.com.au
Cc: linux-security-module@vger.kernel.org, keyrings@linux-nfs.org,
	linux-kernel@vger.kernel.org,
	Mimi Zohar <zohar@linux.vnet.ibm.com>,
	Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
Subject: Re: [PATCH 0/3] MODSIGN: Use PKCS#7 cert to avoid SKIDs
Date: Mon, 06 Oct 2014 17:19:29 +0300
Message-ID: <5432A4F1.4040507@samsung.com>
In-Reply-To: <20141003143012.26457.54004.stgit@warthog.procyon.org.uk>

[-- Attachment #1: Type: text/plain, Size: 4019 bytes --]

Hi David,

I just applied these 3 patches, but got build problems.
sign-file.c cannot be built.
Log attached...

Any ideas?

Thanks

- Dmitry

On 03/10/14 17:30, David Howells wrote:
> Hi Rusty,
>
> In the current module signing code, we try to use the subject and subjKeyId
> fields from X.509 certificate representing the key used to sign the modules to
> locate the X.509 certificate containing the public key required to verify the
> signature.
>
> Unfortunately, we have situations where we have to deal with signatures
> generated from keys that don't have a subjKeyId (it is, after all, optional in
> the X.509 spec for non-CA keys).
>
> Now that we have PKCS#7 message handling code in the kernel for kexec(), we can
> make use of this for module signing.  By using a PKCS#7 message with detached
> data and no embedded X.509 certs as the signature blob, we can forgo specifying
> all the signature parameters (eg. hash algo, pubkey algo, name, id) elsewhere
> and rely instead on the PKCS#7 message to supply all of those.
>
> PKCS#7 doesn't use the subjKeyId, but rather matches issuer name and
> certificate serial number, both of which are mandatory in an X.509 certificate.
>
> We leave out the embedded X.509 certs to make the signature smaller and use
> detached data so that we don't have to put the module content in there.
>
> The patches are as follows:
>
>  (1) Provide a function to pass detached data to the PKCS#7 verifier, rather
>      than always requiring the data to be contained therein.
>
>  (2) Provide a utility to sign modules (a drop-in replacement for
>      scripts/sign-file).  This does need to be built against -lcrypto from
>      OpenSSL.  I couldn't work out how to make a PKCS#7 message with no
>      embedded X.509 certs from the openssl command line.
>
>      I also haven't provided a way to externally specify the signature - that's
>      something that will need to be worked out.  Quite likely it will involve
>      taking a PKCS#7 message rather than generating one.
>
>  (3) Make use of the above and the PKCS#7 handling to sign modules and verify
>      signatures.
>
> Note that this does make signatures generated by previous kernels incompatible
> with newer kernels, but since the modules being signed may no longer be
> compatible anyway for other reasons, I'm not sure how much of a problem that
> will actually be.
>
> I have provided a function, mod_verify_pkcs7(), that takes a buffer containing
> the actual module data, sans signature, and a buffer containing the PKCS#7
> message that does the actual work.  This could be called, for instance, if
> modules are ever loaded with detached signatures.
>
> The patches can be found here also:
>
> 	http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=modsign-pkcs7
>
> This is based on James Morris's security/next branch as there are some keyring
> and PKCS#7 changes in there that are prerequisites for this.
>
> David
> ---
> David Howells (3):
>       PKCS#7: Allow detached data to be supplied for signature checking purposes
>       MODSIGN: Provide a utility to append a PKCS#7 signature to a module
>       MODSIGN: Use PKCS#7 messages as module signatures
>
>
>  crypto/asymmetric_keys/pkcs7_verify.c |   26 ++
>  include/crypto/pkcs7.h                |    3 
>  include/crypto/public_key.h           |    1 
>  init/Kconfig                          |    1 
>  kernel/module_signing.c               |  220 +++--------------
>  scripts/Makefile                      |    2 
>  scripts/sign-file                     |  421 ---------------------------------
>  scripts/sign-file.c                   |  189 +++++++++++++++
>  8 files changed, 266 insertions(+), 597 deletions(-)
>  delete mode 100755 scripts/sign-file
>  create mode 100755 scripts/sign-file.c
>


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: sign-file.log --]
[-- Type: text/x-log; CHARSET=EUC-KR; name=sign-file.log, Size: 4842 bytes --]

EXTRAVERSION=-kds
ARCH: x86_64
  CHK     include/config/kernel.release
  CHK     include/generated/uapi/linux/version.h
  CHK     include/generated/utsrelease.h
  CALL    scripts/checksyscalls.sh
<stdin>:1226:2: warning: #warning syscall finit_module not implemented [-Wcpp]
<stdin>:1229:2: warning: #warning syscall sched_setattr not implemented [-Wcpp]
<stdin>:1232:2: warning: #warning syscall sched_getattr not implemented [-Wcpp]
<stdin>:1235:2: warning: #warning syscall renameat2 not implemented [-Wcpp]
<stdin>:1238:2: warning: #warning syscall seccomp not implemented [-Wcpp]
  HOSTCC  scripts/sign-file
scripts/sign-file.c: In function ‘main’:
scripts/sign-file.c:136:2: warning: format not a string literal and no format arguments [-Wformat-security]
  ERR(!bd, dest_name);
  ^
scripts/sign-file.c:162:3: warning: format not a string literal and no format arguments [-Wformat-security]
   ERR(!b, pkcs7_name);
   ^
scripts/sign-file.c:163:3: warning: format not a string literal and no format arguments [-Wformat-security]
   ERR(i2d_PKCS7_bio_stream(b, pkcs7, NULL, 0) < 0, pkcs7_name);
   ^
scripts/sign-file.c:168:2: warning: format not a string literal and no format arguments [-Wformat-security]
  ERR(BIO_reset(bm) < 0, module_name);
  ^
scripts/sign-file.c:171:3: warning: format not a string literal and no format arguments [-Wformat-security]
   ERR(BIO_write(bd, buf, n) < 0, dest_name);
   ^
scripts/sign-file.c:173:2: warning: format not a string literal and no format arguments [-Wformat-security]
  ERR(n < 0, module_name);
  ^
scripts/sign-file.c:176:2: warning: format not a string literal and no format arguments [-Wformat-security]
  ERR(i2d_PKCS7_bio_stream(bd, pkcs7, NULL, 0) < 0, dest_name);
  ^
scripts/sign-file.c:179:2: warning: format not a string literal and no format arguments [-Wformat-security]
  ERR(BIO_write(bd, &sig_info, sizeof(sig_info)) < 0, dest_name);
  ^
scripts/sign-file.c:180:2: warning: format not a string literal and no format arguments [-Wformat-security]
  ERR(BIO_write(bd, magic_number, sizeof(magic_number) - 1) < 0, dest_name);
  ^
scripts/sign-file.c:182:2: warning: format not a string literal and no format arguments [-Wformat-security]
  ERR(BIO_free(bd) < 0, dest_name);
  ^
scripts/sign-file.c:186:3: warning: format not a string literal and no format arguments [-Wformat-security]
   ERR(rename(dest_name, module_name) < 0, dest_name);
   ^
/tmp/ccgSFKJd.o: In function `display_openssl_errors':
sign-file.c:(.text+0x4e): undefined reference to `ERR_peek_error'
sign-file.c:(.text+0xa1): undefined reference to `ERR_error_string'
sign-file.c:(.text+0xd7): undefined reference to `ERR_get_error_line'
/tmp/ccgSFKJd.o: In function `main':
sign-file.c:(.text.startup+0xd5): undefined reference to `ERR_load_crypto_strings'
sign-file.c:(.text.startup+0xda): undefined reference to `ERR_clear_error'
sign-file.c:(.text.startup+0xe7): undefined reference to `BIO_new_file'
sign-file.c:(.text.startup+0x10b): undefined reference to `PEM_read_bio_PrivateKey'
sign-file.c:(.text.startup+0x118): undefined reference to `BIO_free'
sign-file.c:(.text.startup+0x125): undefined reference to `BIO_new_file'
sign-file.c:(.text.startup+0x149): undefined reference to `PEM_read_bio_X509'
sign-file.c:(.text.startup+0x156): undefined reference to `BIO_free'
sign-file.c:(.text.startup+0x165): undefined reference to `BIO_new_file'
sign-file.c:(.text.startup+0x180): undefined reference to `OpenSSL_add_all_digests'
sign-file.c:(.text.startup+0x192): undefined reference to `EVP_get_digestbyname'
sign-file.c:(.text.startup+0x1b5): undefined reference to `BIO_new_file'
sign-file.c:(.text.startup+0x1de): undefined reference to `PKCS7_sign'
sign-file.c:(.text.startup+0x20f): undefined reference to `PKCS7_sign_add_signer'
sign-file.c:(.text.startup+0x229): undefined reference to `PKCS7_final'
sign-file.c:(.text.startup+0x286): undefined reference to `BIO_new_file'
sign-file.c:(.text.startup+0x2ab): undefined reference to `i2d_PKCS7_bio_stream'
sign-file.c:(.text.startup+0x2c9): undefined reference to `BIO_free'
sign-file.c:(.text.startup+0x2da): undefined reference to `BIO_ctrl'
sign-file.c:(.text.startup+0x303): undefined reference to `BIO_write'
sign-file.c:(.text.startup+0x32b): undefined reference to `BIO_read'
sign-file.c:(.text.startup+0x351): undefined reference to `BIO_number_written'
sign-file.c:(.text.startup+0x363): undefined reference to `i2d_PKCS7_bio_stream'
sign-file.c:(.text.startup+0x381): undefined reference to `BIO_number_written'
sign-file.c:(.text.startup+0x39e): undefined reference to `BIO_write'
sign-file.c:(.text.startup+0x3c4): undefined reference to `BIO_write'
sign-file.c:(.text.startup+0x3dc): undefined reference to `BIO_free'
collect2: error: ld returned 1 exit status
make[1]: *** [scripts/sign-file] Error 1
make: *** [scripts] Error 2
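
[Added example, not part of the original email or of the patch set: a C routine that splits a signed module into its payload and the detached PKCS#7 blob, following the write order visible in the build log above (module data, PKCS#7 message, sig_info, magic string). The magic string, the sig_info field layout and the PKEY_ID_PKCS7 value are assumed from mainline kernel sources; split_signed_module() and struct split_module are hypothetical names.]

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed from mainline kernel sources; this thread does not show them. */
#define MODULE_SIG_STRING "~Module signature appended~\n"
#define PKEY_ID_PKCS7 2

struct module_signature {
	uint8_t algo, hash, signer_len, key_id_len, id_type, pad[3];
	uint8_t sig_len[4];	/* big-endian length of the PKCS#7 blob */
};

struct split_module {
	size_t payload_len;	/* bytes covered by the detached signature */
	const uint8_t *pkcs7;	/* DER-encoded PKCS#7 message */
	size_t pkcs7_len;
};

/* Returns 0 on success, -1 if unsigned, -2 if the trailer is malformed. */
int split_signed_module(const uint8_t *buf, size_t len, struct split_module *out)
{
	const size_t magic_len = sizeof(MODULE_SIG_STRING) - 1;
	struct module_signature ms;
	size_t sig_len;

	if (len < magic_len ||
	    memcmp(buf + len - magic_len, MODULE_SIG_STRING, magic_len) != 0)
		return -1;
	len -= magic_len;
	if (len < sizeof(ms))
		return -2;
	memcpy(&ms, buf + len - sizeof(ms), sizeof(ms));
	len -= sizeof(ms);
	sig_len = ((size_t)ms.sig_len[0] << 24) | ((size_t)ms.sig_len[1] << 16) |
		  ((size_t)ms.sig_len[2] << 8) | ms.sig_len[3];
	/* Reject a length that would point before the start of the file. */
	if (sig_len == 0 || sig_len > len)
		return -2;
	/* With PKCS#7 the blob itself names hash, key algo and signer. */
	if (ms.id_type != PKEY_ID_PKCS7 || ms.algo || ms.hash ||
	    ms.signer_len || ms.key_id_len)
		return -2;

	out->payload_len = len - sig_len;
	out->pkcs7 = buf + out->payload_len;
	out->pkcs7_len = sig_len;
	return 0;
}
```

The payload and the PKCS#7 blob returned here are the two buffers a detached-data verifier takes as input.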

Thread overview: 7+ messages
2014-10-03 14:30 [PATCH 0/3] MODSIGN: Use PKCS#7 cert to avoid SKIDs David Howells
2014-10-03 14:30 ` [PATCH 1/3] PKCS#7: Allow detached data to be supplied for signature checking purposes David Howells
2014-10-03 14:30 ` [PATCH 2/3] MODSIGN: Provide a utility to append a PKCS#7 signature to a module David Howells
2014-10-03 14:30 ` [PATCH 3/3] MODSIGN: Use PKCS#7 messages as module signatures David Howells
2014-10-06 14:19 ` Dmitry Kasatkin [this message]
2014-10-16 12:31   ` [PATCH 0/3] MODSIGN: Use PKCS#7 cert to avoid SKIDs David Howells
2014-10-20 11:12     ` Dmitry Kasatkin
