From: Rusty Russell <rusty@rustcorp.com.au>
To: David Howells <dhowells@redhat.com>
Cc: mmarek@suse.cz, mjg59@srcf.ucam.org, keyrings@linux-nfs.org,
dmitry.kasatkin@gmail.com, mcgrof@suse.com,
linux-kernel@vger.kernel.org, dhowells@redhat.com,
seth.forshee@canonical.com,
linux-security-module@vger.kernel.org, dwmw2@infradead.org
Subject: Re: [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4]
Date: Sat, 16 May 2015 08:21:56 +0930 [thread overview]
Message-ID: <87d221laib.fsf@rustcorp.com.au> (raw)
In-Reply-To: <20150515123513.16723.96340.stgit@warthog.procyon.org.uk>
David Howells <dhowells@redhat.com> writes:
> Hi Rusty,
Hi David,
I try to stick my nose into patches which touch module.c/h: this
doesn't, so am happy for this via another tree (AFAICT doesn't even need
my ack).
Thanks,
Rusty.
> Here's a set of patches that does the following:
>
> (1) Extracts both parts of an X.509 AuthorityKeyIdentifier (AKID) extension.
> We already extract the bit that can match the subjectKeyIdentifier (SKID)
> of the parent X.509 cert, but we currently ignore the bits that can match
> the issuer and serialNumber.
>
> Looks up an X.509 cert by issuer and serialNumber if those are provided in
> the AKID. If the keyIdentifier is also provided, checks that the
> subjectKeyIdentifier of the cert found matches that also.
>
> If no issuer and serialNumber are provided in the AKID, looks up an X.509
> cert by SKID using the AKID keyIdentifier.
>
> This allows module signing to be done with certificates that don't have an
> SKID by which they can be looked up.
>
> (2) Makes use of the PKCS#7 facility to provide module signatures.
>
> sign-file is replaced with a program that generates a PKCS#7 message that
> has no X.509 certs embedded and that has detached data (the module
> content) and adds it onto the message with magic string and descriptor.
>
> (3) The PKCS#7 message (and matching X.509 cert) supply all the information
> that is needed to select the X.509 cert to be used to verify the signature
> by standard means (including selection of digest algorithm and public key
> algorithm). No kernel-specific magic values are required.
>
> (4) Makes it possible to get sign-file to just write out a file containing the
> PKCS#7 signature blob. This can be used for debugging and potentially for
> firmware signing.
>
> (5) Extract the function that does PKCS#7 signature verification on a blob
> from the module signing code and put it somewhere more general so that
> other things, such as firmware signing, can make use of it without
> depending on module config options.
>
> Note that the revised sign-file program no longer supports the "-s <signature>"
> option as I'm not sure what the best way to deal with this is. Do we generate
> a PKCS#7 cert from the signature given, or do we get given a PKCS#7 cert? I
> lean towards the latter. Note that David Woodhouse is looking at making
> sign-file work with PKCS#11, so bringing back -s might not be necessary.
>
> They can be found here also:
>
> http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=modsign-pkcs7
>
> and are tagged with:
>
> modsign-pkcs7-20150515
>
> Should these go via the security tree or your tree?
>
> David
> ---
> David Howells (7):
> X.509: Extract both parts of the AuthorityKeyIdentifier
> X.509: Support X.509 lookup by Issuer+Serial form AuthorityKeyIdentifier
> PKCS#7: Allow detached data to be supplied for signature checking purposes
> MODSIGN: Provide a utility to append a PKCS#7 signature to a module
> MODSIGN: Use PKCS#7 messages as module signatures
> system_keyring.c doesn't need to #include module-internal.h
> MODSIGN: Extract the blob PKCS#7 signature verifier from module signing
>
> Luis R. Rodriguez (1):
> sign-file: Add option to only create signature file
>
>
> Makefile | 2
> crypto/asymmetric_keys/Makefile | 8 -
> crypto/asymmetric_keys/pkcs7_trust.c | 10 -
> crypto/asymmetric_keys/pkcs7_verify.c | 80 ++++--
> crypto/asymmetric_keys/x509_akid.asn1 | 35 ++
> crypto/asymmetric_keys/x509_cert_parser.c | 142 ++++++----
> crypto/asymmetric_keys/x509_parser.h | 5
> crypto/asymmetric_keys/x509_public_key.c | 86 ++++--
> include/crypto/pkcs7.h | 3
> include/crypto/public_key.h | 4
> include/keys/system_keyring.h | 5
> init/Kconfig | 28 +-
> kernel/module_signing.c | 212 +--------------
> kernel/system_keyring.c | 51 +++-
> scripts/Makefile | 2
> scripts/sign-file | 421 -----------------------------
> scripts/sign-file.c | 212 +++++++++++++++
> 17 files changed, 578 insertions(+), 728 deletions(-)
> create mode 100644 crypto/asymmetric_keys/x509_akid.asn1
> delete mode 100755 scripts/sign-file
> create mode 100755 scripts/sign-file.c
next prev parent reply other threads:[~2015-05-16 0:22 UTC|newest]
Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-15 12:35 [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4] David Howells
2015-05-15 12:35 ` [PATCH 1/8] X.509: Extract both parts of the AuthorityKeyIdentifier " David Howells
2015-05-15 12:35 ` [PATCH 2/8] X.509: Support X.509 lookup by Issuer+Serial form " David Howells
2015-05-15 12:35 ` [PATCH 3/8] PKCS#7: Allow detached data to be supplied for signature checking purposes " David Howells
2015-05-15 12:35 ` [PATCH 4/8] MODSIGN: Provide a utility to append a PKCS#7 signature to a module " David Howells
2015-05-20 0:50 ` Andy Lutomirski
2015-05-20 13:14 ` David Howells
2015-05-20 16:00 ` Andy Lutomirski
2015-05-15 12:36 ` [PATCH 5/8] MODSIGN: Use PKCS#7 messages as module signatures " David Howells
2015-05-15 12:36 ` [PATCH 6/8] sign-file: Add option to only create signature file " David Howells
2015-05-15 19:07 ` sign-file and detached PKCS#7 firmware signatures David Howells
2015-05-18 23:13 ` Luis R. Rodriguez
2015-05-19 9:25 ` David Howells
2015-05-19 16:19 ` Luis R. Rodriguez
2015-05-19 16:48 ` David Howells
2015-05-19 18:21 ` Luis R. Rodriguez
2015-05-19 18:35 ` Luis R. Rodriguez
2015-05-19 18:47 ` David Howells
2015-05-19 20:12 ` Luis R. Rodriguez
2015-05-19 20:29 ` David Howells
2015-05-15 12:36 ` [PATCH 7/8] system_keyring.c doesn't need to #include module-internal.h [ver #4] David Howells
2015-05-15 12:36 ` [PATCH 8/8] MODSIGN: Extract the blob PKCS#7 signature verifier from module signing " David Howells
2015-05-15 13:46 ` [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures " David Woodhouse
2015-05-15 16:52 ` [PATCH 1/4] modsign: Abort modules_install when signing fails David Woodhouse
2015-05-19 1:29 ` Mimi Zohar
2015-05-19 6:40 ` Woodhouse, David
2015-05-19 11:45 ` Mimi Zohar
2015-05-19 12:57 ` Woodhouse, David
2015-05-19 13:54 ` Mimi Zohar
2015-05-15 16:53 ` [PATCH 2/4] modsign: Allow external signing key to be specified David Woodhouse
2015-05-15 16:53 ` [PATCH 3/4] modsign: Allow password to be specified for signing key David Woodhouse
2015-05-19 1:37 ` Mimi Zohar
2015-05-15 16:54 ` [PATCH 4/4] modsign: Allow signing key to be PKCS#11 David Woodhouse
2015-05-18 12:43 ` David Howells
2015-05-15 22:51 ` Rusty Russell [this message]
2015-05-19 14:45 ` [PATCH 9/8] modsign: Abort modules_install when signing fails David Woodhouse
2015-05-19 14:45 ` [PATCH 10/8] modsign: Allow password to be specified for signing key David Woodhouse
2015-05-19 15:36 ` David Howells
2015-05-19 15:50 ` Petko Manolov
2015-05-19 16:15 ` David Woodhouse
2015-05-19 16:34 ` Petko Manolov
2015-05-19 18:39 ` Mimi Zohar
2015-05-19 18:48 ` David Howells
2015-05-19 19:14 ` Mimi Zohar
2015-05-19 20:04 ` David Woodhouse
2015-05-19 14:46 ` [PATCH 11/8] modsign: Allow signing key to be PKCS#11 David Woodhouse
2015-05-19 14:46 ` [PATCH 12/8] modsign: Allow external signing key to be specified David Woodhouse
2015-05-19 14:47 ` [PATCH 13/8] modsign: Extract signing cert from CONFIG_MODULE_SIG_KEY if needed David Woodhouse
2015-05-20 0:36 ` [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4] Andy Lutomirski
2015-05-20 13:36 ` David Howells
2015-05-20 15:56 ` Andy Lutomirski
2015-05-20 16:21 ` Petko Manolov
2015-05-20 16:41 ` Andy Lutomirski
2015-05-20 16:55 ` Petko Manolov
2015-05-21 21:38 ` Luis R. Rodriguez
2015-05-21 21:44 ` Andy Lutomirski
2015-05-21 21:59 ` Luis R. Rodriguez
2015-05-21 22:06 ` Andy Lutomirski
2015-05-21 22:16 ` Luis R. Rodriguez
2015-05-21 22:24 ` Andy Lutomirski
2015-05-21 22:31 ` Luis R. Rodriguez
2015-05-21 22:47 ` Andy Lutomirski
2015-05-21 23:01 ` Luis R. Rodriguez
2015-05-21 23:09 ` Andy Lutomirski
2015-05-22 7:56 ` David Howells
2015-05-22 12:42 ` Mimi Zohar
2015-05-22 7:49 ` David Howells
2015-05-22 7:48 ` David Howells
2015-05-22 12:28 ` Mimi Zohar
2015-05-24 10:52 ` Petko Manolov
2015-05-21 13:59 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87d221laib.fsf@rustcorp.com.au \
--to=rusty@rustcorp.com.au \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=dwmw2@infradead.org \
--cc=keyrings@linux-nfs.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mcgrof@suse.com \
--cc=mjg59@srcf.ucam.org \
--cc=mmarek@suse.cz \
--cc=seth.forshee@canonical.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.