Re: [PATCH 0/3] MODSIGN: Use PKCS#7 cert to avoid SKIDs

From: Dmitry Kasatkin
Date: Mon Oct 06 2014 - 10:19:40 EST


Hi David,

I just applied these 3 patches, but got build problems...
sign-file.c cannot be built.
Log attached...

Any ideas?

Thanks

- Dmitry

On 03/10/14 17:30, David Howells wrote:
> Hi Rusty,
>
> In the current module signing code, we try to use the subject and subjKeyId
> fields from X.509 certificate representing the key used to sign the modules to
> locate the X.509 certificate containing the public key required to verify the
> signature.
>
> Unfortunately, we have situations where we have to deal with signatures
> generated from keys that don't have a subjKeyId (it is, after all, optional in
> the X.509 spec for non-CA keys).
>
> Now that we have PKCS#7 message handling code in the kernel for kexec(), we can
> make use of this for module signing. By using a PKCS#7 message with detached
> data and no embedded X.509 certs as the signature blob, we can forgo specifying
> all the signature parameters (eg. hash algo, pubkey algo, name, id) elsewhere
> and rely instead on the PKCS#7 message to supply all of those.
>
> PKCS#7 doesn't use the subjKeyId, but rather matches issuer name and
> certificate serial number, both of which are mandatory in an X.509 certificate.
>
> We leave out the embedded X.509 certs to make the signature smaller and use
> detached data so that we don't have to put the module content in there.
>
> The patches are as follows:
>
>  (1) Provide a function to pass detached data to the PKCS#7 verifier, rather
>      than always requiring the data to be contained therein.
>
>  (2) Provide a utility to sign modules (a drop-in replacement for
>      scripts/sign-file). This does need to be built against -lcrypto from
>      OpenSSL. I couldn't work out how to make a PKCS#7 message with no
>      embedded X.509 certs from the openssl command line.
>
>      I also haven't provided a way to externally specify the signature - that's
>      something that will need to be worked out. Quite likely it will involve
>      taking a PKCS#7 message rather than generating one.
>
>  (3) Make use of the above and the PKCS#7 handling to sign modules and verify
>      signatures.
>
> Note that this does make signatures generated by previous kernels incompatible
> with newer kernels, but since the modules being signed may no longer be
> compatible anyway for other reasons, I'm not sure how much of a problem that
> will actually be.
>
> I have provided a function, mod_verify_pkcs7(), that takes a buffer containing
> the actual module data, sans signature, and a buffer containing the PKCS#7
> message that does the actual work. This could be called, for instance, if
> modules are ever loaded with detached signatures.
>
> The patches can be found here also:
>
> http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=modsign-pkcs7
>
> This is based on James Morris's security/next branch as there are some keyring
> and PKCS#7 changes in there that are prerequisites for this.
>
> David
> ---
> David Howells (3):
>       PKCS#7: Allow detached data to be supplied for signature checking purposes
>       MODSIGN: Provide a utility to append a PKCS#7 signature to a module
>       MODSIGN: Use PKCS#7 messages as module signatures
>
>
>  crypto/asymmetric_keys/pkcs7_verify.c |   26 ++
>  include/crypto/pkcs7.h                |    3
>  include/crypto/public_key.h           |    1
>  init/Kconfig                          |    1
>  kernel/module_signing.c               |  220 +++--------------
>  scripts/Makefile                      |    2
>  scripts/sign-file                     |  421 ---------------------------------
>  scripts/sign-file.c                   |  189 +++++++++++++++
>  8 files changed, 266 insertions(+), 597 deletions(-)
>  delete mode 100755 scripts/sign-file
>  create mode 100755 scripts/sign-file.c
>

EXTRAVERSION=-kds
ARCH: x86_64
CHK include/config/kernel.release
CHK include/generated/uapi/linux/version.h
CHK include/generated/utsrelease.h
CALL scripts/checksyscalls.sh
<stdin>:1226:2: warning: #warning syscall finit_module not implemented [-Wcpp]
<stdin>:1229:2: warning: #warning syscall sched_setattr not implemented [-Wcpp]
<stdin>:1232:2: warning: #warning syscall sched_getattr not implemented [-Wcpp]
<stdin>:1235:2: warning: #warning syscall renameat2 not implemented [-Wcpp]
<stdin>:1238:2: warning: #warning syscall seccomp not implemented [-Wcpp]
HOSTCC scripts/sign-file
scripts/sign-file.c: In function ‘main’:
scripts/sign-file.c:136:2: warning: format not a string literal and no format arguments [-Wformat-security]
ERR(!bd, dest_name);
^
scripts/sign-file.c:162:3: warning: format not a string literal and no format arguments [-Wformat-security]
ERR(!b, pkcs7_name);
^
scripts/sign-file.c:163:3: warning: format not a string literal and no format arguments [-Wformat-security]
ERR(i2d_PKCS7_bio_stream(b, pkcs7, NULL, 0) < 0, pkcs7_name);
^
scripts/sign-file.c:168:2: warning: format not a string literal and no format arguments [-Wformat-security]
ERR(BIO_reset(bm) < 0, module_name);
^
scripts/sign-file.c:171:3: warning: format not a string literal and no format arguments [-Wformat-security]
ERR(BIO_write(bd, buf, n) < 0, dest_name);
^
scripts/sign-file.c:173:2: warning: format not a string literal and no format arguments [-Wformat-security]
ERR(n < 0, module_name);
^
scripts/sign-file.c:176:2: warning: format not a string literal and no format arguments [-Wformat-security]
ERR(i2d_PKCS7_bio_stream(bd, pkcs7, NULL, 0) < 0, dest_name);
^
scripts/sign-file.c:179:2: warning: format not a string literal and no format arguments [-Wformat-security]
ERR(BIO_write(bd, &sig_info, sizeof(sig_info)) < 0, dest_name);
^
scripts/sign-file.c:180:2: warning: format not a string literal and no format arguments [-Wformat-security]
ERR(BIO_write(bd, magic_number, sizeof(magic_number) - 1) < 0, dest_name);
^
scripts/sign-file.c:182:2: warning: format not a string literal and no format arguments [-Wformat-security]
ERR(BIO_free(bd) < 0, dest_name);
^
scripts/sign-file.c:186:3: warning: format not a string literal and no format arguments [-Wformat-security]
ERR(rename(dest_name, module_name) < 0, dest_name);
^
/tmp/ccgSFKJd.o: In function `display_openssl_errors':
sign-file.c:(.text+0x4e): undefined reference to `ERR_peek_error'
sign-file.c:(.text+0xa1): undefined reference to `ERR_error_string'
sign-file.c:(.text+0xd7): undefined reference to `ERR_get_error_line'
/tmp/ccgSFKJd.o: In function `main':
sign-file.c:(.text.startup+0xd5): undefined reference to `ERR_load_crypto_strings'
sign-file.c:(.text.startup+0xda): undefined reference to `ERR_clear_error'
sign-file.c:(.text.startup+0xe7): undefined reference to `BIO_new_file'
sign-file.c:(.text.startup+0x10b): undefined reference to `PEM_read_bio_PrivateKey'
sign-file.c:(.text.startup+0x118): undefined reference to `BIO_free'
sign-file.c:(.text.startup+0x125): undefined reference to `BIO_new_file'
sign-file.c:(.text.startup+0x149): undefined reference to `PEM_read_bio_X509'
sign-file.c:(.text.startup+0x156): undefined reference to `BIO_free'
sign-file.c:(.text.startup+0x165): undefined reference to `BIO_new_file'
sign-file.c:(.text.startup+0x180): undefined reference to `OpenSSL_add_all_digests'
sign-file.c:(.text.startup+0x192): undefined reference to `EVP_get_digestbyname'
sign-file.c:(.text.startup+0x1b5): undefined reference to `BIO_new_file'
sign-file.c:(.text.startup+0x1de): undefined reference to `PKCS7_sign'
sign-file.c:(.text.startup+0x20f): undefined reference to `PKCS7_sign_add_signer'
sign-file.c:(.text.startup+0x229): undefined reference to `PKCS7_final'
sign-file.c:(.text.startup+0x286): undefined reference to `BIO_new_file'
sign-file.c:(.text.startup+0x2ab): undefined reference to `i2d_PKCS7_bio_stream'
sign-file.c:(.text.startup+0x2c9): undefined reference to `BIO_free'
sign-file.c:(.text.startup+0x2da): undefined reference to `BIO_ctrl'
sign-file.c:(.text.startup+0x303): undefined reference to `BIO_write'
sign-file.c:(.text.startup+0x32b): undefined reference to `BIO_read'
sign-file.c:(.text.startup+0x351): undefined reference to `BIO_number_written'
sign-file.c:(.text.startup+0x363): undefined reference to `i2d_PKCS7_bio_stream'
sign-file.c:(.text.startup+0x381): undefined reference to `BIO_number_written'
sign-file.c:(.text.startup+0x39e): undefined reference to `BIO_write'
sign-file.c:(.text.startup+0x3c4): undefined reference to `BIO_write'
sign-file.c:(.text.startup+0x3dc): undefined reference to `BIO_free'
collect2: error: ld returned 1 exit status
make[1]: *** [scripts/sign-file] Error 1
make: *** [scripts] Error 2
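
The log above shows sign-file writing the module data, then the PKCS#7 message, then sig_info and magic_number. As an added example (not code from this thread or from the patch set), here is a checker that locates that trailer in a module image and rejects malformed ones. The magic string, the struct module_signature layout and PKEY_ID_PKCS7 = 2 are assumed from mainline Linux rather than taken from this page; build_sample() and the TR_* codes are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Trailer layout assumed from mainline Linux; it is not shown in this thread. */
#define MODULE_SIG_STRING "~Module signature appended~\n"
#define PKEY_ID_PKCS7 2
struct module_signature {
	uint8_t algo, hash, id_type, signer_len, key_id_len, pad[3];
	uint8_t sig_len[4];	/* big-endian length of the PKCS#7 blob */
};
enum { TR_OK, TR_NONE, TR_TRUNCATED, TR_NOT_PKCS7, TR_BAD_FIELDS };
/* On TR_OK: sig and sig_len describe the DER blob, mod_len the signed data. */
int find_pkcs7_trailer(const uint8_t *buf, size_t len,
		       const uint8_t **sig, size_t *sig_len, size_t *mod_len)
{
	const size_t mlen = sizeof(MODULE_SIG_STRING) - 1;
	struct module_signature ms;
	size_t n;
	if (len < mlen || memcmp(buf + len - mlen, MODULE_SIG_STRING, mlen))
		return TR_NONE;		/* unsigned module: no magic at the end */
	len -= mlen;
	if (len < sizeof(ms))
		return TR_TRUNCATED;
	len -= sizeof(ms);
	memcpy(&ms, buf + len, sizeof(ms));
	if (ms.id_type != PKEY_ID_PKCS7)
		return TR_NOT_PKCS7;
	/* PKCS#7 carries hash, key algo and signer itself: the rest must be 0. */
	if (ms.algo || ms.hash || ms.signer_len || ms.key_id_len)
		return TR_BAD_FIELDS;
	n = ((size_t)ms.sig_len[0] << 24) | ((size_t)ms.sig_len[1] << 16) |
	    ((size_t)ms.sig_len[2] << 8) | ms.sig_len[3];
	if (n == 0 || n >= len)	/* blob must fit and leave module data */
		return TR_TRUNCATED;
	*sig = buf + len - n;
	*sig_len = n;
	*mod_len = len - n;
	return TR_OK;
}

/* Constructed sample: 4 data bytes, a 3-byte stand-in blob, then the trailer. */
size_t build_sample(uint8_t *out, uint8_t id_type)
{
	struct module_signature ms = { .id_type = id_type, .sig_len = {0, 0, 0, 3} };
	memcpy(out, "\x7f" "ELF" "\x30\x01\x00", 7);
	memcpy(out + 7, &ms, sizeof(ms));
	memcpy(out + 7 + sizeof(ms), MODULE_SIG_STRING, sizeof(MODULE_SIG_STRING) - 1);
	return 7 + sizeof(ms) + sizeof(MODULE_SIG_STRING) - 1;
}
```

The returned blob is only located, not verified; checking it still means parsing the PKCS#7 message and matching its issuer name and serial number against a trusted certificate.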