Re: [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4]
From: David Woodhouse
Date: Fri May 15 2015 - 09:46:18 EST
On Fri, 2015-05-15 at 13:35 +0100, David Howells wrote:
> Note that David Woodhouse is looking at making
> sign-file work with PKCS#11, so bringing back -s might not be
> necessary.
I actually already *had* it working with PKCS#11, at
http://git.infradead.org/users/dwmw2/modsign-pkcs11.git
Then you went and rewrote it in C, so I'm still refactoring it. WIP at
http://git.infradead.org/users/dwmw2/modsign-pkcs11-c.git just needs
me to add the ENGINE_by_id("pkcs11")... bits to scripts/sign-file.c.
I'm also vacillating about whether to allow an external *cert* to be
specified separately from the key. Do we...
1. Just require the X.509 DER cert in $(topdir)/signing_key.x509,
2. Automatically extract it from $CONFIG_MODULE_SIG_EXTERNAL_KEY
which shall be a file (or PKCS#11 URI) containing *both* key
and cert, or
3. Add a separate CONFIG_MODULE_SIG_EXTERNAL_CERT option.
I'm probably inclined towards #2. I'll need to script something to
automatically extract the key from a PEM file or PKCS#11 and drop it
in DER form in $(topdir)/signing_key.x509 where needed. Using
basically the same make rules we already *have* for creating a new
key+cert on demand anyway.
--
David Woodhouse Open Source Technology Centre
David.Woodhouse@xxxxxxxxx Intel Corporation
Attachment:
smime.p7s
Description: S/MIME cryptographic signature