sign-file and detached PKCS#7 firmware signatures

[David Howells]

Hi Luis,

As David Woodhouse pointed out to me, you don't need sign-file if you're just
going to create a detached PKCS#7 message as your signature.  You can just use
"openssl smime" directly.

The reason that sign-file is needed for module signing is that the signature
is added to the module with a little bit of metadata to indicate its presence
- but if you're having detached signatures, that isn't relevant.

You can do this with two steps:

 (1) Require that an X.509 certificate is made available to the kernel to
     provide the public key.  One way to do this is to convert it to DER form
     and place it in the source directory as <name>.x509 when you build the
     kernel.

 (2) Document that to produce a signature for a firmware blob, you just run
     the following command:

		openssl smime -sign \
		 -in $FIRMWARE_BLOB_NAME \
		 -outform DER \
		 -inkey $PRIVATE_KEY_FILE_IN_PEM_FORM \
		 -signer $X509_CERT_FILE_IN_PEM_FORM \
		 -nocerts \
		 -md $DIGEST_ALGORITHM \
		 >$PKCS7_MESSAGE_FILE_IN_DER_FORM

     Note that if you have crypto hardware available that openssl can use, you
     can do that in this command.


To summarise, what you have to present to the kernel is the following:

 (A) A DER-encoded X.509 certificate containing the public key.

 (B) A DER-encoded PKCS#7 message containing the signatures.

 (C) A binary blob that is the detached data for the PKCS#7 message.

David
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/