[PATCH RFC] kernel build: enable use of password-protected signingkeys

[Emily Maier]

Currently, the module signing script assumes that the private key is 
not password-protected. This patch makes it slightly more secure by 
allowing it to be passed in on the command line as "make 
modules_install MOD_PASSWORD=abc". It's vulnerable to snooping during 
the build of course, but so is an unprotected signing key.

I'm not sure how to securely give the password to the perl signing 
script. OpenSSL will prompt you for it in stdin if one isn't provided, 
but that's obviously not reasonable if you're building many modules.

Signed-off-by: Emily Maier <emilymaier@xxxxxxxxxxx>
---
 Documentation/dontdiff |    1 +
 Makefile               |    7 ++++++-
 scripts/sign-file      |   18 +++++++++++++-----
 3 files changed, 20 insertions(+), 6 deletions(-)

diff -uprN -X linux-3.13.2-devel/Documentation/dontdiff linux-3.13.2/Documentation/dontdiff linux-3.13.2-devel/Documentation/dontdiff
--- linux-3.13.2/Documentation/dontdiff	2014-02-06 14:42:22.000000000 -0500
+++ linux-3.13.2-devel/Documentation/dontdiff	2014-02-09 15:30:41.719448065 -0500
@@ -214,6 +214,7 @@ setup
 setup.bin
 setup.elf
 sImage
+signing_key.*
 sm_tbl*
 split-include
 syscalltab.h
diff -uprN -X linux-3.13.2-devel/Documentation/dontdiff linux-3.13.2/Makefile linux-3.13.2-devel/Makefile
--- linux-3.13.2/Makefile	2014-02-06 14:42:22.000000000 -0500
+++ linux-3.13.2-devel/Makefile	2014-02-09 16:34:19.727020032 -0500
@@ -742,11 +742,16 @@ INITRD_COMPRESS-$(CONFIG_RD_LZ4)   := lz
 # choose a sane default compression above.
 # export INITRD_COMPRESS := $(INITRD_COMPRESS-y)
 +ifdef MOD_PASSWORD
+mod_sign_cmd = perl $(srctree)/scripts/sign-file -p $(MOD_PASSWORD)
+else
+mod_sign_cmd = perl $(srctree)/scripts/sign-file
+endif
 ifdef CONFIG_MODULE_SIG_ALL
 MODSECKEY = ./signing_key.priv
 MODPUBKEY = ./signing_key.x509
 export MODPUBKEY
-mod_sign_cmd = perl $(srctree)/scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(MODSECKEY) $(MODPUBKEY)
+mod_sign_cmd += $(CONFIG_MODULE_SIG_HASH) $(MODSECKEY) $(MODPUBKEY)
 else
 mod_sign_cmd = true
 endif
diff -uprN -X linux-3.13.2-devel/Documentation/dontdiff linux-3.13.2/scripts/sign-file linux-3.13.2-devel/scripts/sign-file
--- linux-3.13.2/scripts/sign-file	2014-02-06 14:42:22.000000000 -0500
+++ linux-3.13.2-devel/scripts/sign-file	2014-02-09 15:16:22.198684877 -0500
@@ -5,7 +5,8 @@
  my $USAGE =
 "Usage: scripts/sign-file [-v] <hash algo> <key> <x509> <module> [<dest>]\n" .
-"       scripts/sign-file [-v] -s <raw sig> <hash algo> <x509> <module> [<dest>]\n";
+"       scripts/sign-file [-v] -s <raw sig> <hash algo> <x509> <module> [<dest>]\n" .
+"	scripts/sign-file [-v] -p <password> <hash algo> <x509> <module> [<dest>]";
  use strict;
 use FileHandle;
@@ -13,9 +14,10 @@ use IPC::Open2;
 use Getopt::Std;
  my %opts;
-getopts('vs:', \%opts) or die $USAGE;
+getopts('vs:p:', \%opts) or die $USAGE;
 my $verbose = $opts{'v'};
 my $signature_file = $opts{'s'};
+my $password = $opts{'p'};
  die $USAGE if ($#ARGV > 4);
 die $USAGE if (!$signature_file && $#ARGV < 3 || $signature_file && $#ARGV < 2);
@@ -365,9 +367,15 @@ if ($signature_file) {
 	# comprises the signature with no metadata attached.
 	#
 	my $pid;
-	$pid = open2(*read_from, *write_to,
-		     "openssl rsautl -sign -inkey $private_key -keyform PEM") ||
-	    die "openssl rsautl";
+	if ($password) {
+		$pid = open2(*read_from, *write_to,
+		             "openssl rsautl -sign -inkey $private_key -keyform PEM \\
+		              -passin pass:$password") || die "openssl rsautl";
+	} else {
+		$pid = open2(*read_from, *write_to,
+			     "openssl rsautl -sign -inkey $private_key -keyform PEM") ||
+		    die "openssl rsautl";
+	}
 	binmode write_to;
 	print write_to $prologue . $digest || die "pipe to openssl rsautl";
 	close(write_to) || die "pipe to openssl rsautl";

Attachment: signature.asc
Description: OpenPGP digital signature