From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1425844AbcBRJ0Y (ORCPT ); Thu, 18 Feb 2016 04:26:24 -0500 Received: from g1t6223.austin.hp.com ([15.73.96.124]:45811 "EHLO g1t6223.austin.hp.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1425615AbcBRJ0U (ORCPT ); Thu, 18 Feb 2016 04:26:20 -0500 Subject: Re: [PATCH v2] scripts/sign-file.c: Add support for signing with a raw signature To: David Howells References: <1454584165-9547-1-git-send-email-juerg.haefliger@hpe.com> <1454145497-4567-1-git-send-email-juerg.haefliger@hpe.com> <7614.1455099176@warthog.procyon.org.uk> <56BB3A09.3080501@hpe.com> Cc: linux-kernel@vger.kernel.org, keyrings@vger.kernel.org, dwmw2@infradead.org From: Juerg Haefliger Message-ID: <56C58E38.4080502@hpe.com> Date: Thu, 18 Feb 2016 10:26:16 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1 MIME-Version: 1.0 In-Reply-To: <56BB3A09.3080501@hpe.com> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 02/10/2016 02:24 PM, Juerg Haefliger wrote: > On 02/10/2016 11:12 AM, David Howells wrote: >> Juerg Haefliger wrote: >> >>> This patch adds support for signing a kernel module with a raw >>> detached PKCS#7 signature/message. >>> >>> The signature is not converted and is simply appended to the module so >>> it needs to be in the right format. Using openssl, a valid signature can >>> be generated like this: >>> $ openssl smime -sign -nocerts -noattr -binary -in -inkey \ >>> -signer -outform der -out >>> >>> The resulting raw signature from the above command is (more or less) >>> identical to the raw signature that sign-file itself can produce like >>> this: >>> $ scripts/sign-file -d >> >> What's the usage case for this? Can it be done instead with openssl PKCS#11? > > Our internal signing service doesn't support PKCS#11. I have to submit the blobs > and get detached PKCS#7 messages back. I don't claim I fully understand all the > different signing mechanisms but everything worked just fine until support for > signing with a detached signature was removed. IMO that's a regression, which > I'm trying to fix with this patch. Any comments? Thanks ...Juerg