From: Rusty Russell <rusty@rustcorp.com.au>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: David Miller <davem@davemloft.net>,
David Howells <dhowells@redhat.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: RFC: sign the modules at install time
Date: Thu, 18 Oct 2012 16:04:28 +1030 [thread overview]
Message-ID: <871ugwny1n.fsf@rustcorp.com.au> (raw)
In-Reply-To: <CA+55aFxZdtD51AVKLtKK95ooh8VB8-5Tt8nHsxSUT67CBRrp2g@mail.gmail.com>
Linus Torvalds <torvalds@linux-foundation.org> writes:
> On Wed, Oct 17, 2012 at 6:17 PM, Rusty Russell <rusty@rustcorp.com.au> wrote:
>>
>> You cut too much: you need genkeyid.
>
> Yeah, I sent out a fixed version later, but I much prefer your version
> that generates those files earlier, not a "make modules_install".
Still committing a minor crime by lying to make about dependencies...
Hacking the keyid and signer-name to be extracted every time by
sign-file takes my modules_install time from 18.6 seconds to 19.1. We'd
get that back easily by making sign-file a perl script anyway; it calls
out to perl 3 times already.
David, want to take that on? My perl skills are lame, as shown below.
> [ Btw, your email "Date:" field is from 2+ hours ago, but it hit
> ozlabs and then arrived here only minutes ago. There's some delay in
> your mail delivery. Maybe it's something you know about, and you're
> batching emails over carrier pigeons, but I thought I'd mention it in
> case you weren't aware of some odd SMTP delay ]
I rsync mail to/from ozlabs.org. Manually, to avoid the
distraction-trickle. I could cron the outoing.
It's let me revoke unsent mail a few times. But maybe it's time to
embrace my uncanny ability to make a fool of myself? So many hackers
seem to revel in it, and they're nowhere as accomplished at it as I
am...
>> And in a moment of optimism I tried 'make modules_install MODLIB=.' to
>> sign modules in-place. It deleted my kernel/ dir. Don't recommend.
>
> Heh. I assume that's an old "feature", not something that has anything
> to do with the whole signing thing.
Exactly. But would have a been a nice hack for in-place signing.
A separate (optional) module_sign target seems easier.
Cheers,
Rusty.
diff --git a/kernel/Makefile b/kernel/Makefile
index f7abe6c..0bfd665 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -139,13 +139,7 @@ ifeq ($(CONFIG_MODULE_SIG),y)
extra_certificates:
touch $@
-quiet_cmd_genkeyid = GENKEYID $@
- cmd_genkeyid = $(PERL) $(src)/x509keyid.pl $< $<.signer $<.keyid
-
-%.signer %.keyid: %
- $(call if_changed,genkeyid)
-
-kernel/modsign_pubkey.o: signing_key.x509 extra_certificates $(MODPUBKEY).signer $(MODPUBKEY).keyid
+kernel/modsign_pubkey.o: signing_key.x509 extra_certificates
###############################################################################
diff --git a/kernel/x509keyid.pl b/kernel/x509keyid.pl
index c8e91a4..4241ec6 100755
--- a/kernel/x509keyid.pl
+++ b/kernel/x509keyid.pl
@@ -22,7 +22,7 @@ use strict;
my $raw_data;
-die "Need three filenames\n" if ($#ARGV != 2);
+die "Need a filename [keyid|signer-name]\n" if ($#ARGV != 1);
my $src = $ARGV[0];
@@ -259,10 +259,10 @@ die $src, ": ", "X.509: Couldn't find the Subject Key Identifier extension\n"
my $id_key_id = asn1_retrieve($subject_key_id->[1]);
-open(OUTFD, ">$ARGV[1]") || die $ARGV[1];
-print OUTFD $id_name;
-close OUTFD || die $ARGV[1];
-
-open(OUTFD, ">$ARGV[2]") || die $ARGV[2];
-print OUTFD $id_key_id;
-close OUTFD || die $ARGV[2];
+if ($ARGV[1] eq "signer-name") {
+ print $id_name;
+} elsif ($ARGV[1] eq "keyid") {
+ print $id_key_id;
+} else {
+ die "Unknown arg";
+}
diff --git a/scripts/sign-file b/scripts/sign-file
index 3084ba4..ea76f43 100644
--- a/scripts/sign-file
+++ b/scripts/sign-file
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
#
# Sign a module file using the given key.
#
@@ -29,16 +29,6 @@ then
echo "Can't read X.509 certificate" >&2
exit 2
fi
-if [ ! -r "$x509.signer" ]
-then
- echo "Can't read Signer name" >&2
- exit 2;
-fi
-if [ ! -r "$x509.keyid" ]
-then
- echo "Can't read Key identifier" >&2
- exit 2;
-fi
#
# Signature parameters
@@ -91,9 +81,11 @@ openssl dgst $dgst -binary $src || exit $?
# the signature with no metadata attached.
#
openssl rsautl -sign -inkey $key -keyform PEM -in $src.dig -out $src.sig || exit $?
-signerlen=`stat -c %s $x509.signer`
-keyidlen=`stat -c %s $x509.keyid`
-siglen=`stat -c %s $src.sig`
+
+SIGNER="`perl kernel/x509keyid.pl $x509 signer-name`"
+KEYID="`perl kernel/x509keyid.pl $x509 keyid`"
+keyidlen=${#KEYID}
+siglen=${#SIGNER}
#
# Build the signed binary
@@ -101,7 +93,8 @@ siglen=`stat -c %s $src.sig`
(
cat $src || exit $?
echo '~Module signature appended~' || exit $?
- cat $x509.signer $x509.keyid || exit $?
+ echo -n "$SIGNER" || exit $?
+ echo -n "$KEYID" || exit $?
# Preface each signature integer with a 2-byte BE length
perl -e "binmode STDOUT; print pack(\"n\", $siglen)" || exit $?
next prev parent reply other threads:[~2012-10-18 5:35 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-10-17 20:36 RFC: sign the modules at install time Linus Torvalds
2012-10-17 22:19 ` David Howells
2012-10-17 22:44 ` Linus Torvalds
2012-10-18 0:54 ` Greg KH
2012-10-18 3:14 ` Linus Torvalds
2012-10-18 3:18 ` Linus Torvalds
2012-10-18 4:34 ` Rusty Russell
2012-10-18 17:16 ` Greg KH
2012-10-18 4:31 ` Rusty Russell
2012-10-18 12:11 ` Josh Boyer
2012-10-18 16:29 ` Linus Torvalds
2012-10-19 0:20 ` Rusty Russell
2012-10-19 11:21 ` David Howells
2012-10-21 23:51 ` Rusty Russell
2012-10-20 16:41 ` Romain Francoise
2012-10-20 16:47 ` Linus Torvalds
2012-10-17 22:26 ` Josh Boyer
2012-10-17 23:07 ` Linus Torvalds
2012-10-17 23:20 ` Josh Boyer
2012-10-17 23:25 ` Linus Torvalds
2012-10-17 23:44 ` Linus Torvalds
2012-10-18 0:06 ` Linus Torvalds
2012-10-17 23:21 ` Linus Torvalds
2012-10-18 0:13 ` Josh Boyer
2012-10-18 4:41 ` Rusty Russell
2012-10-18 1:17 ` Rusty Russell
2012-10-18 3:27 ` Linus Torvalds
2012-10-18 5:34 ` Rusty Russell [this message]
2012-10-18 18:46 ` Linus Torvalds
2012-10-18 19:58 ` Josh Boyer
2012-10-19 0:48 ` Rusty Russell
2012-10-19 11:44 ` Josh Boyer
2012-10-19 1:16 ` Rusty Russell
2012-10-19 11:49 ` Josh Boyer
2012-10-19 1:23 ` Rusty Russell
2012-10-19 3:21 ` Stephen Rothwell
2012-10-19 11:25 ` David Howells
2012-10-19 11:30 ` Stephen Rothwell
2012-10-19 11:40 ` Alexander Holler
2012-10-20 3:53 ` Rusty Russell
2012-10-19 19:58 ` Linus Torvalds
2012-10-19 22:04 ` Linus Torvalds
2012-10-22 0:28 ` Rusty Russell
-- strict thread matches above, loose matches on Subject: below --
2012-10-18 21:31 George Spelvin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=871ugwny1n.fsf@rustcorp.com.au \
--to=rusty@rustcorp.com.au \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox