From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751919AbcBJNYa (ORCPT ); Wed, 10 Feb 2016 08:24:30 -0500 Received: from g1t6216.austin.hp.com ([15.73.96.123]:35398 "EHLO g1t6216.austin.hp.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751126AbcBJNY2 (ORCPT ); Wed, 10 Feb 2016 08:24:28 -0500 X-Greylist: delayed 1023 seconds by postgrey-1.27 at vger.kernel.org; Wed, 10 Feb 2016 08:24:28 EST From: Juerg Haefliger Subject: Re: [PATCH v2] scripts/sign-file.c: Add support for signing with a raw signature To: David Howells References: <1454584165-9547-1-git-send-email-juerg.haefliger@hpe.com> <1454145497-4567-1-git-send-email-juerg.haefliger@hpe.com> <7614.1455099176@warthog.procyon.org.uk> Cc: linux-kernel@vger.kernel.org, keyrings@vger.kernel.org, dwmw2@infradead.org Message-ID: <56BB3A09.3080501@hpe.com> Date: Wed, 10 Feb 2016 14:24:25 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1 MIME-Version: 1.0 In-Reply-To: <7614.1455099176@warthog.procyon.org.uk> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 02/10/2016 11:12 AM, David Howells wrote: > Juerg Haefliger wrote: > >> This patch adds support for signing a kernel module with a raw >> detached PKCS#7 signature/message. >> >> The signature is not converted and is simply appended to the module so >> it needs to be in the right format. Using openssl, a valid signature can >> be generated like this: >> $ openssl smime -sign -nocerts -noattr -binary -in -inkey \ >> -signer -outform der -out >> >> The resulting raw signature from the above command is (more or less) >> identical to the raw signature that sign-file itself can produce like >> this: >> $ scripts/sign-file -d > > What's the usage case for this? Can it be done instead with openssl PKCS#11? Our internal signing service doesn't support PKCS#11. I have to submit the blobs and get detached PKCS#7 messages back. I don't claim I fully understand all the different signing mechanisms but everything worked just fine until support for signing with a detached signature was removed. IMO that's a regression, which I'm trying to fix with this patch. ...Juerg > David >