sign-file and detached PKCS#7 firmware signatures

From: David Howells
Date: Fri May 15 2015 - 15:08:53 EST


Hi Luis,

As David Woodhouse pointed out to me, you don't need sign-file if you're just
going to create a detached PKCS#7 message as your signature. You can just use
"openssl smime" directly.

The reason that sign-file is needed for module signing is that the signature
is added to the module with a little bit of metadata to indicate its presence
- but if you're having detached signatures, that isn't relevant.

You can do this with two steps:

 (1) Require that an X.509 certificate is made available to the kernel to
     provide the public key. One way to do this is to convert it to DER form
     and place it in the source directory as <name>.x509 when you build the
     kernel.

 (2) Document that to produce a signature for a firmware blob, you just run
     the following command:

	openssl smime -sign \
		-in $FIRMWARE_BLOB_NAME \
		-outform DER \
		-inkey $PRIVATE_KEY_FILE_IN_PEM_FORM \
		-signer $X509_CERT_FILE_IN_PEM_FORM \
		-nocerts \
		-md $DIGEST_ALGORITHM \
		>$PKCS7_MESSAGE_FILE_IN_DER_FORM

     Note that if you have crypto hardware available that openssl can use, you
     can do that in this command.


To summarise, what you have to present to the kernel is the following:

(A) A DER-encoded X.509 certificate containing the public key.

(B) A DER-encoded PKCS#7 message containing the signatures.

(C) A binary blob that is the detached data for the PKCS#7 message.

David
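
The three artifacts (A), (B) and (C) from the summary above, produced and checked end to end with a userspace verify standing in for the kernel's check. This is an added example, not part of the mail or the kernel tree. The file names, the throwaway self-signed key, the sha256 digest and the `-binary` flag are assumptions made here.

```shell
#!/bin/sh
# Added example: every file name and the throwaway key are constructed here.

# Create (A) signer.x509, (B) fw.bin.p7s and (C) fw.bin inside directory $1.
make_signed_firmware() {
    dir=$1
    # (C): constructed binary blob; it contains bare LF bytes on purpose.
    printf 'FW\001\nconstructed blob\n\002' > "$dir/fw.bin" || return 1
    # Throwaway self-signed key and certificate in PEM form, demo only.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=constructed firmware signer' \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 1
    # (A): DER-encoded X.509 certificate carrying the public key.
    openssl x509 -in "$dir/cert.pem" -outform DER \
        -out "$dir/signer.x509" || return 1
    # (B): detached DER PKCS#7 signature, following the mail's command.
    # -binary is an addition made here: it makes openssl sign the blob's raw
    # bytes instead of a MIME-canonicalized (CRLF) copy of them.
    openssl smime -sign -binary \
        -in "$dir/fw.bin" -outform DER \
        -inkey "$dir/key.pem" -signer "$dir/cert.pem" \
        -nocerts -md sha256 > "$dir/fw.bin.p7s"
}

# Check (B) against (C) using only the public certificate (A) in directory $1.
# Returns 0 when the detached signature matches the blob.
verify_firmware() {
    dir=$1
    openssl x509 -inform DER -in "$dir/signer.x509" \
        -out "$dir/signer.pem" || return 1
    # -nocerts left the message without a certificate, so the signer has to
    # be supplied with -certfile. -noverify skips chain building: the
    # certificate is trusted because the verifier was handed it, not via a CA.
    openssl smime -verify -binary -inform DER -in "$dir/fw.bin.p7s" \
        -content "$dir/fw.bin" -certfile "$dir/signer.pem" \
        -nointern -noverify -out /dev/null 2>/dev/null
}
```

Run `make_signed_firmware` and `verify_firmware` on the same scratch directory; changing a single byte of `fw.bin` afterwards makes `verify_firmware` return non-zero.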