Re: [PATCH 0/5] MODSIGN: Use PKCS#7 for module signatures
From: Dmitry Kasatkin
Date: Mon Nov 24 2014 - 04:20:40 EST
On 21/11/14 14:59, Dmitry Kasatkin wrote:
> Hi David,
>
> Before I go into reviewing the patches just want to let you know that
> Integrity stuff seems to work fine with these changes.
Actually after cleaning the tree and re-signing the modules, I get following
Unrecognized character \x7F; marked by <-- HERE after <-- HERE near
column 1 at ./scripts/sign-file line 1.
make[1]: *** [arch/x86/crypto/aes-x86_64.ko] Error 255
- Dmitry
> Thanks,
> Dmitry
>
> On 20/11/14 18:53, David Howells wrote:
>> Here's a set of patches that does the following:
>>
>> (1) Extracts both parts of an X.509 AuthorityKeyIdentifier (AKID) extension.
>> We already extract the bit that can match the subjectKeyIdentifier (SKID)
>> of the parent X.509 cert, but we currently ignore the bits that can match
>> the issuer and serialNumber.
>>
>> Looks up an X.509 cert by issuer and serialNumber if those are provided in
>> the AKID. If the keyIdentifier is also provided, checks that the
>> subjectKeyIdentifier of the cert found matches that also.
>>
>> If no issuer and serialNumber are provided in the AKID, looks up an X.509
>> cert by SKID using the AKID keyIdentifier.
>>
>> This allows module signing to be done with certificates that don't have an
>> SKID by which they can be looked up.
>>
>> (2) Makes use of the PKCS#7 facility to provide module signatures.
>>
>> sign-file is replaced with a program that generates a PKCS#7 message that
>> has no X.509 certs embedded and that has detached data (the module
>> content) and adds it onto the message with magic string and descriptor.
>>
>> (3) The PKCS#7 message (and matching X.509 cert) supply all the information
>> that is needed to select the X.509 cert to be used to verify the signature
>> by standard means (including selection of digest algorithm and public key
>> algorithm). No kernel-specific magic values are required.
>>
>> Note that the revised sign-file program no longer supports the "-s <signature>"
>> option as I'm not sure what the best way to deal with this is. Do we generate
>> a PKCS#7 cert from the signature given, or do we get given a PKCS#7 cert? I
>> lean towards the latter.
>>
>> They can be found here also:
>>
>> http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=modsign-pkcs7
>>
>> These patches are based on the security tree's next branch.
>>
>> David
>> ---
>> David Howells (5):
>> X.509: Extract both parts of the AuthorityKeyIdentifier
>> X.509: Support X.509 lookup by Issuer+Serial form AuthorityKeyIdentifier
>> PKCS#7: Allow detached data to be supplied for signature checking purposes
>> MODSIGN: Provide a utility to append a PKCS#7 signature to a module
>> MODSIGN: Use PKCS#7 messages as module signatures
>>
>>
>> crypto/asymmetric_keys/Makefile | 8 -
>> crypto/asymmetric_keys/pkcs7_trust.c | 10 -
>> crypto/asymmetric_keys/pkcs7_verify.c | 81 ++++--
>> crypto/asymmetric_keys/x509_akid.asn1 | 35 ++
>> crypto/asymmetric_keys/x509_cert_parser.c | 142 ++++++----
>> crypto/asymmetric_keys/x509_parser.h | 3
>> crypto/asymmetric_keys/x509_public_key.c | 85 ++++--
>> include/crypto/pkcs7.h | 3
>> include/crypto/public_key.h | 4
>> init/Kconfig | 1
>> kernel/module_signing.c | 220 +++------------
>> scripts/Makefile | 2
>> scripts/sign-file | 421 -----------------------------
>> scripts/sign-file.c | 189 +++++++++++++
>> 14 files changed, 505 insertions(+), 699 deletions(-)
>> create mode 100644 crypto/asymmetric_keys/x509_akid.asn1
>> delete mode 100755 scripts/sign-file
>> create mode 100755 scripts/sign-file.c
>>
>>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/