Re: [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4]

From: Andy Lutomirski
Date: Tue May 19 2015 - 20:36:47 EST

Next message: Stephen Boyd: "Re: [PATCH] spmi: add command tracepoints for SPMI"
Previous message: Krzysztof Kozlowski: "Re: linux-next: manual merge of the samsung tree with the arm-soc and at91 trees"
Next in thread: David Howells: "Re: [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I'm not sure I want to get involved here, but...

On 05/15/2015 05:35 AM, David Howells wrote:

Hi Rusty,

Here's a set of patches that does the following:

(1) Extracts both parts of an X.509 AuthorityKeyIdentifier (AKID) extension.
We already extract the bit that can match the subjectKeyIdentifier (SKID)
of the parent X.509 cert, but we currently ignore the bits that can match
the issuer and serialNumber.

Looks up an X.509 cert by issuer and serialNumber if those are provided in
the AKID. If the keyIdentifier is also provided, checks that the
subjectKeyIdentifier of the cert found matches that also.

If no issuer and serialNumber are provided in the AKID, looks up an X.509
cert by SKID using the AKID keyIdentifier.

This allows module signing to be done with certificates that don't have an
SKID by which they can be looked up.

I think this is way more complicated than it has to be. Can't we look up certificates by their subjectPublicKeyInfo? Every public key has a subjectPublicKeyInfo, and even key types that aren't X.509 at all have something equivalent to that.

(2) Makes use of the PKCS#7 facility to provide module signatures.

sign-file is replaced with a program that generates a PKCS#7 message that
has no X.509 certs embedded and that has detached data (the module
content) and adds it onto the message with magic string and descriptor.

Why is PKCS#7 better than whatever we're using now?

(3) The PKCS#7 message (and matching X.509 cert) supply all the information
that is needed to select the X.509 cert to be used to verify the signature
by standard means (including selection of digest algorithm and public key
algorithm). No kernel-specific magic values are required.

I would take kernel-specific over PKCS#7 any day. PKCS#7 is severely overcomplicated for what we're doing here.

--Andy

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Stephen Boyd: "Re: [PATCH] spmi: add command tracepoints for SPMI"
Previous message: Krzysztof Kozlowski: "Re: linux-next: manual merge of the samsung tree with the arm-soc and at91 trees"
Next in thread: David Howells: "Re: [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]