[PATCH v2 3/4] MODSIGN: Add -s <signature> option to sign-file

From: Michal Marek
Date: Thu Jan 24 2013 - 16:21:35 EST

Next message: Michal Marek: "[PATCH v2 1/4] MODSIGN: Simplify Makefile with a Kconfig helper"
Previous message: Greg Kroah-Hartman: "[ 12/15] x86: Use enum instead of literals for trap values [PARTIAL]"
In reply to: Michal Marek: "[PATCH v2 4/4] MODSIGN: Add option to not sign modules during modules_install"
Next in thread: David Howells: "Re: [PATCH v2 3/4] MODSIGN: Add -s <signature> option to sign-file"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This option allows to append an externally computed singature to the
module. This is needed in setups, where the private key is not directly
available, but a service exists that returns signatures for given files.

Signed-off-by: Michal Marek <mmarek@xxxxxxx>
---
v2: Use two-argument version of getopts to avoid global variables
Use parentheses in EXPR if (...) constructs

---
scripts/sign-file | 99 ++++++++++++++++++++++++++++++-----------------------
1 files changed, 56 insertions(+), 43 deletions(-)

diff --git a/scripts/sign-file b/scripts/sign-file
index 2c2bbd1..2b7c448 100755
--- a/scripts/sign-file
+++ b/scripts/sign-file
@@ -2,31 +2,41 @@
#
# Sign a module file using the given key.
#
-# Format:
-#
-# ./scripts/sign-file [-v] <hash algo> <key> <x509> <module> [<dest>]
-#
-#
+
+my $USAGE =
+"Usage: scripts/sign-file [-v] <hash algo> <key> <x509> <module> [<dest>]\n" .
+" scripts/sign-file [-v] -s <raw sig> <hash algo> <x509> <module> [<dest>]\n";
+
use strict;
use FileHandle;
use IPC::Open2;
+use Getopt::Std;

-my $verbose = 0;
-if ($#ARGV >= 0 && $ARGV[0] eq "-v") {
- $verbose = 1;
- shift;
-}
+my %opts;
+getopts('vs:', \%opts) or die $USAGE;
+my $verbose = $opts{'v'};
+my $signature_file = $opts{'s'};

-die "Format: ./scripts/sign-file [-v] <hash algo> <key> <x509> <module> [<dest>]\n"
- if ($#ARGV != 3 && $#ARGV != 4);
+die $USAGE if ($#ARGV > 4);
+die $USAGE if (!$signature_file && $#ARGV < 3 || $signature_file && $#ARGV < 2);

-my $dgst = $ARGV[0];
-my $private_key = $ARGV[1];
-my $x509 = $ARGV[2];
-my $module = $ARGV[3];
-my $dest = ($#ARGV == 4) ? $ARGV[4] : $ARGV[3] . "~";
+my $dgst = shift @ARGV;
+my $private_key;
+if (!$signature_file) {
+ $private_key = shift @ARGV;
+}
+my $x509 = shift @ARGV;
+my $module = shift @ARGV;
+my ($dest, $keep_orig);
+if (@ARGV) {
+ $dest = $ARGV[0];
+ $keep_orig = 1;
+} else {
+ $dest = $module . "~";
+}

-die "Can't read private key\n" unless (-r $private_key);
+die "Can't read private key\n" if (!$signature_file && !-r $private_key);
+die "Can't read signature file\n" if ($signature_file && !-r $signature_file);
die "Can't read X.509 certificate\n" unless (-r $x509);
die "Can't read module\n" unless (-r $module);

@@ -340,33 +350,36 @@ if ($dgst eq "sha1") {
die "Unknown hash algorithm: $dgst\n";
}

-#
-# Generate the digest and read from openssl's stdout
-#
-my $digest;
-$digest = readpipe("openssl dgst -$dgst -binary $module") || die "openssl dgst";
-
-#
-# Generate the binary signature, which will be just the integer that comprises
-# the signature with no metadata attached.
-#
-my $pid;
-$pid = open2(*read_from, *write_to,
- "openssl rsautl -sign -inkey $private_key -keyform PEM") ||
- die "openssl rsautl";
-binmode write_to;
-print write_to $prologue . $digest || die "pipe to openssl rsautl";
-close(write_to) || die "pipe to openssl rsautl";
-
-binmode read_from;
my $signature;
-read(read_from, $signature, 4096) || die "pipe from openssl rsautl";
-close(read_from) || die "pipe from openssl rsautl";
+if ($signature_file) {
+ $signature = read_file($signature_file);
+} else {
+ #
+ # Generate the digest and read from openssl's stdout
+ #
+ my $digest;
+ $digest = readpipe("openssl dgst -$dgst -binary $module") || die "openssl dgst";
+
+ #
+ # Generate the binary signature, which will be just the integer that
+ # comprises the signature with no metadata attached.
+ #
+ my $pid;
+ $pid = open2(*read_from, *write_to,
+ "openssl rsautl -sign -inkey $private_key -keyform PEM") ||
+ die "openssl rsautl";
+ binmode write_to;
+ print write_to $prologue . $digest || die "pipe to openssl rsautl";
+ close(write_to) || die "pipe to openssl rsautl";
+
+ binmode read_from;
+ read(read_from, $signature, 4096) || die "pipe from openssl rsautl";
+ close(read_from) || die "pipe from openssl rsautl";
+ waitpid($pid, 0) || die;
+ die "openssl rsautl died: $?" if ($? >> 8);
+}
$signature = pack("n", length($signature)) . $signature,

-waitpid($pid, 0) || die;
-die "openssl rsautl died: $?" if ($? >> 8);
-
#
# Build the signed binary
#
@@ -403,6 +416,6 @@ print FD
;
close FD || die $dest;

-if ($#ARGV != 3) {
+if (!$keep_orig) {
rename($dest, $module) || die $module;
}
--
1.7.8.3

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Michal Marek: "[PATCH v2 1/4] MODSIGN: Simplify Makefile with a Kconfig helper"
Previous message: Greg Kroah-Hartman: "[ 12/15] x86: Use enum instead of literals for trap values [PARTIAL]"
In reply to: Michal Marek: "[PATCH v2 4/4] MODSIGN: Add option to not sign modules during modules_install"
Next in thread: David Howells: "Re: [PATCH v2 3/4] MODSIGN: Add -s <signature> option to sign-file"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]