[PATCH RFC] kernel build: enable use of password-protected signing keys

[PATCH RFC] kernel build: enable use of password-protected signing keys

[Emily Maier]

[-- Attachment #1: Type: text/plain, Size: 3872 bytes --]

Currently, the module signing script assumes that the private key is 
not password-protected. This patch makes it slightly more secure by 
allowing it to be passed in on the command line as "make 
modules_install MOD_PASSWORD=abc". It's vulnerable to snooping during 
the build of course, but so is an unprotected signing key.

I'm not sure how to securely give the password to the perl signing 
script. OpenSSL will prompt you for it in stdin if one isn't provided, 
but that's obviously not reasonable if you're building many modules.

Signed-off-by: Emily Maier <emilymaier@mykolab.com>
---
 Documentation/dontdiff |    1 +
 Makefile               |    7 ++++++-
 scripts/sign-file      |   18 +++++++++++++-----
 3 files changed, 20 insertions(+), 6 deletions(-)

diff -uprN -X linux-3.13.2-devel/Documentation/dontdiff linux-3.13.2/Documentation/dontdiff linux-3.13.2-devel/Documentation/dontdiff
--- linux-3.13.2/Documentation/dontdiff	2014-02-06 14:42:22.000000000 -0500
+++ linux-3.13.2-devel/Documentation/dontdiff	2014-02-09 15:30:41.719448065 -0500
@@ -214,6 +214,7 @@ setup
 setup.bin
 setup.elf
 sImage
+signing_key.*
 sm_tbl*
 split-include
 syscalltab.h
diff -uprN -X linux-3.13.2-devel/Documentation/dontdiff linux-3.13.2/Makefile linux-3.13.2-devel/Makefile
--- linux-3.13.2/Makefile	2014-02-06 14:42:22.000000000 -0500
+++ linux-3.13.2-devel/Makefile	2014-02-09 16:34:19.727020032 -0500
@@ -742,11 +742,16 @@ INITRD_COMPRESS-$(CONFIG_RD_LZ4)   := lz
 # choose a sane default compression above.
 # export INITRD_COMPRESS := $(INITRD_COMPRESS-y)
 +ifdef MOD_PASSWORD
+mod_sign_cmd = perl $(srctree)/scripts/sign-file -p $(MOD_PASSWORD)
+else
+mod_sign_cmd = perl $(srctree)/scripts/sign-file
+endif
 ifdef CONFIG_MODULE_SIG_ALL
 MODSECKEY = ./signing_key.priv
 MODPUBKEY = ./signing_key.x509
 export MODPUBKEY
-mod_sign_cmd = perl $(srctree)/scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(MODSECKEY) $(MODPUBKEY)
+mod_sign_cmd += $(CONFIG_MODULE_SIG_HASH) $(MODSECKEY) $(MODPUBKEY)
 else
 mod_sign_cmd = true
 endif
diff -uprN -X linux-3.13.2-devel/Documentation/dontdiff linux-3.13.2/scripts/sign-file linux-3.13.2-devel/scripts/sign-file
--- linux-3.13.2/scripts/sign-file	2014-02-06 14:42:22.000000000 -0500
+++ linux-3.13.2-devel/scripts/sign-file	2014-02-09 15:16:22.198684877 -0500
@@ -5,7 +5,8 @@
  my $USAGE =
 "Usage: scripts/sign-file [-v] <hash algo> <key> <x509> <module> [<dest>]\n" .
-"       scripts/sign-file [-v] -s <raw sig> <hash algo> <x509> <module> [<dest>]\n";
+"       scripts/sign-file [-v] -s <raw sig> <hash algo> <x509> <module> [<dest>]\n" .
+"	scripts/sign-file [-v] -p <password> <hash algo> <x509> <module> [<dest>]";
  use strict;
 use FileHandle;
@@ -13,9 +14,10 @@ use IPC::Open2;
 use Getopt::Std;
  my %opts;
-getopts('vs:', \%opts) or die $USAGE;
+getopts('vs:p:', \%opts) or die $USAGE;
 my $verbose = $opts{'v'};
 my $signature_file = $opts{'s'};
+my $password = $opts{'p'};
  die $USAGE if ($#ARGV > 4);
 die $USAGE if (!$signature_file && $#ARGV < 3 || $signature_file && $#ARGV < 2);
@@ -365,9 +367,15 @@ if ($signature_file) {
 	# comprises the signature with no metadata attached.
 	#
 	my $pid;
-	$pid = open2(*read_from, *write_to,
-		     "openssl rsautl -sign -inkey $private_key -keyform PEM") ||
-	    die "openssl rsautl";
+	if ($password) {
+		$pid = open2(*read_from, *write_to,
+		             "openssl rsautl -sign -inkey $private_key -keyform PEM \\
+		              -passin pass:$password") || die "openssl rsautl";
+	} else {
+		$pid = open2(*read_from, *write_to,
+			     "openssl rsautl -sign -inkey $private_key -keyform PEM") ||
+		    die "openssl rsautl";
+	}
 	binmode write_to;
 	print write_to $prologue . $digest || die "pipe to openssl rsautl";
 	close(write_to) || die "pipe to openssl rsautl";


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 901 bytes --]

Re: [PATCH RFC] kernel build: enable use of password-protected signing keys

[Michal Marek]

On 9.2.2014 23:38, Emily Maier wrote:
> Currently, the module signing script assumes that the private key is 
> not password-protected. This patch makes it slightly more secure by 
> allowing it to be passed in on the command line as "make 
> modules_install MOD_PASSWORD=abc". It's vulnerable to snooping during 
> the build of course, but so is an unprotected signing key.

The key's permissions can be set to 0600, while the make commandline is
visible in ps.

Michal

Re: [PATCH RFC] kernel build: enable use of password-protected signing keys

[Michal Marek]

On 2014-02-12 23:41, Emily Maier wrote:
> On 02/10/2014 08:51 AM, Michal Marek wrote:
>> On 9.2.2014 23:38, Emily Maier wrote:
>>> Currently, the module signing script assumes that the private key is 
>>> not password-protected. This patch makes it slightly more secure by 
>>> allowing it to be passed in on the command line as "make 
>>> modules_install MOD_PASSWORD=abc". It's vulnerable to snooping during 
>>> the build of course, but so is an unprotected signing key.
>>
>> The key's permissions can be set to 0600, while the make commandline is
>> visible in ps.
> 
> Ok, I'll change it to that and look into other options as well. I think
> there may be a way to pass it to OpenSSL off disk and the command line
> entirely.
> 
> Would it be appropriate to add Kconfig options for this or try to
> autodetect the password file?

What some vendors do is that they have the modules signed by a signing
machine that is separated from the build farm. So they typically unset
MODULE_SIG_ALL and handle the signing outside kbuild. The other option
is to have a wrapper for the openssl command, not sure if anybody is
doing that.

Michal