[PATCH v3 1/6] sign-file: refactor argument parsing logic

[PATCH v3 1/6] sign-file: refactor argument parsing logic

[Shreenidhi Shedi]

- Use getopt_long_only for parsing input args
- Use more easy to remember command line argument names

Signed-off-by: Shreenidhi Shedi <sshedi@vmware.com>
---
 scripts/sign-file.c | 156 ++++++++++++++++++++++++++++++++++----------
 1 file changed, 122 insertions(+), 34 deletions(-)

diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index 598ef5465f82..cf3acbb13013 100644
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -213,15 +213,111 @@ static X509 *read_x509(const char *x509_name)
 	return x509;
 }
 
+struct cmd_opts {
+	char *hash_algo;
+	char *dest_name;
+	char *private_key_name;
+	char *raw_sig_name;
+	char *x509_name;
+	char *module_name;
+	bool save_sig;
+	bool replace_orig;
+	bool raw_sig;
+	bool sign_only;
+
+#ifndef USE_PKCS7
+	unsigned int use_keyid;
+#endif
+};
+
+void parse_args(int argc, char **argv, struct cmd_opts *opts)
+{
+	struct option cmd_options[] = {
+		/* These options set a flag. */
+		{"help", no_argument, 0, 'h'},
+		{"savesig", no_argument, 0, 's'},
+		{"signonly", no_argument, 0, 'o'},
+#ifndef USE_PKCS7
+		{"usekeyid", no_argument, 0, 'k'},
+#endif
+		{"rawsig", required_argument, 0, 'r'},
+		{"privkey", required_argument, 0, 'p'},
+		{"hashalgo", required_argument, 0, 'a'},
+		{"x509", required_argument, 0, 'x'},
+		{"dest", required_argument, 0, 'd'},
+		{"replaceorig", required_argument, 0, 'l'},
+		{0, 0, 0, 0}
+	};
+
+	int opt;
+	int opt_index = 0;
+
+	do {
+#ifndef USE_PKCS7
+		opt = getopt_long_only(argc, argv, "hsobr:p:a:x:d:l:",
+				cmd_options, &opt_index);
+#else
+		opt = getopt_long_only(argc, argv, "hsobkr:p:a:x:d:l:",
+				cmd_options, &opt_index);
+#endif
+		switch (opt) {
+		case 'h':
+			format();
+			break;
+
+		case 'r':
+			opts->raw_sig = true;
+			opts->raw_sig_name = optarg;
+			break;
+
+		case 's':
+			opts->save_sig = true;
+			break;
+
+		case 'o':
+			opts->sign_only = true;
+			opts->save_sig = true;
+			break;
+
+#ifndef USE_PKCS7
+		case 'k':
+			opts->use_keyid = CMS_USE_KEYID;
+			break;
+#endif
+
+		case 'p':
+			opts->private_key_name = optarg;
+			break;
+
+		case 'a':
+			opts->hash_algo = optarg;
+			break;
+
+		case 'x':
+			opts->x509_name = optarg;
+			break;
+
+		case 'd':
+			opts->dest_name = optarg;
+			break;
+
+		case 'l':
+			opts->replace_orig = true;
+			break;
+
+		case -1:
+			break;
+
+		default:
+			format();
+			break;
+		}
+	} while (opt != -1);
+}
+
 int main(int argc, char **argv)
 {
 	struct module_signature sig_info = { .id_type = PKEY_ID_PKCS7 };
-	char *hash_algo = NULL;
-	char *private_key_name = NULL, *raw_sig_name = NULL;
-	char *x509_name, *module_name, *dest_name;
-	bool save_sig = false, replace_orig;
-	bool sign_only = false;
-	bool raw_sig = false;
 	unsigned char buf[4096];
 	unsigned long module_size, sig_size;
 	unsigned int use_signed_attrs;
@@ -229,13 +325,14 @@ int main(int argc, char **argv)
 	EVP_PKEY *private_key;
 #ifndef USE_PKCS7
 	CMS_ContentInfo *cms = NULL;
-	unsigned int use_keyid = 0;
 #else
 	PKCS7 *pkcs7 = NULL;
 #endif
 	X509 *x509;
 	BIO *bd, *bm;
-	int opt, n;
+	int i, n;
+	struct cmd_opts opts = {0};
+
 	OpenSSL_add_all_algorithms();
 	ERR_load_crypto_strings();
 	ERR_clear_error();
@@ -247,37 +344,29 @@ int main(int argc, char **argv)
 #else
 	use_signed_attrs = PKCS7_NOATTR;
 #endif
+	parse_args(argc, argv, &opts);
+	argc -= optind;
+	argv += optind;
+
+	char *hash_algo = opts.hash_algo;
+	char *dest_name = opts.dest_name;
+	char *private_key_name = opts.private_key_name;
+	char *raw_sig_name = opts.raw_sig_name;
+	char *x509_name = opts.x509_name;
+	char *module_name = opts.module_name;
+	bool save_sig = opts.save_sig;
+	bool replace_orig = opts.replace_orig;
+	bool raw_sig = opts.raw_sig;
+	bool sign_only = opts.sign_only;
 
-	do {
-		opt = getopt(argc, argv, "sdpk");
-		switch (opt) {
-		case 's': raw_sig = true; break;
-		case 'p': save_sig = true; break;
-		case 'd': sign_only = true; save_sig = true; break;
 #ifndef USE_PKCS7
-		case 'k': use_keyid = CMS_USE_KEYID; break;
+	unsigned int use_keyid = opts.use_keyid;
 #endif
-		case -1: break;
-		default: format();
-		}
-	} while (opt != -1);
 
-	argc -= optind;
-	argv += optind;
-	if (argc < 4 || argc > 5)
+	if (!argv[0] || argc != 1)
 		format();
 
-	if (raw_sig) {
-		raw_sig_name = argv[0];
-		hash_algo = argv[1];
-	} else {
-		hash_algo = argv[0];
-		private_key_name = argv[1];
-	}
-	x509_name = argv[2];
-	module_name = argv[3];
-	if (argc == 5 && strcmp(argv[3], argv[4]) != 0) {
-		dest_name = argv[4];
+	if (dest_name && strcmp(argv[0], dest_name)) {
 		replace_orig = false;
 	} else {
 		ERR(asprintf(&dest_name, "%s.~signed~", module_name) < 0,
@@ -292,7 +381,6 @@ int main(int argc, char **argv)
 		exit(3);
 	}
 #endif
-
 	/* Open the module file */
 	bm = BIO_new_file(module_name, "rb");
 	ERR(!bm, "%s", module_name);
-- 
2.39.1

[PATCH v3 2/6] sign-file: move file signing logic to its own function

[Shreenidhi Shedi]

Keep the main function bare minimal and do less in main function.

Signed-off-by: Shreenidhi Shedi <sshedi@vmware.com>
---
 scripts/sign-file.c | 69 +++++++++++++++++++++++++--------------------
 1 file changed, 39 insertions(+), 30 deletions(-)

diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index cf3acbb13013..4732201feb96 100644
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -230,7 +230,7 @@ struct cmd_opts {
 #endif
 };
 
-void parse_args(int argc, char **argv, struct cmd_opts *opts)
+static void parse_args(int argc, char **argv, struct cmd_opts *opts)
 {
 	struct option cmd_options[] = {
 		/* These options set a flag. */
@@ -315,10 +315,10 @@ void parse_args(int argc, char **argv, struct cmd_opts *opts)
 	} while (opt != -1);
 }
 
-int main(int argc, char **argv)
+int sign_file(int argc, char **argv, struct cmd_opts *opts)
 {
 	struct module_signature sig_info = { .id_type = PKEY_ID_PKCS7 };
-	unsigned char buf[4096];
+	unsigned char buf[4096] = {0};
 	unsigned long module_size, sig_size;
 	unsigned int use_signed_attrs;
 	const EVP_MD *digest_algo;
@@ -331,36 +331,20 @@ int main(int argc, char **argv)
 	X509 *x509;
 	BIO *bd, *bm;
 	int i, n;
-	struct cmd_opts opts = {0};
 
-	OpenSSL_add_all_algorithms();
-	ERR_load_crypto_strings();
-	ERR_clear_error();
-
-	key_pass = getenv("KBUILD_SIGN_PIN");
+	char *hash_algo = opts->hash_algo;
+	char *dest_name = opts->dest_name;
+	char *private_key_name = opts->private_key_name;
+	char *raw_sig_name = opts->raw_sig_name;
+	char *x509_name = opts->x509_name;
+	char *module_name = opts->module_name;
+	bool save_sig = opts->save_sig;
+	bool replace_orig = opts->replace_orig;
+	bool raw_sig = opts->raw_sig;
+	bool sign_only = opts->sign_only;
 
 #ifndef USE_PKCS7
-	use_signed_attrs = CMS_NOATTR;
-#else
-	use_signed_attrs = PKCS7_NOATTR;
-#endif
-	parse_args(argc, argv, &opts);
-	argc -= optind;
-	argv += optind;
-
-	char *hash_algo = opts.hash_algo;
-	char *dest_name = opts.dest_name;
-	char *private_key_name = opts.private_key_name;
-	char *raw_sig_name = opts.raw_sig_name;
-	char *x509_name = opts.x509_name;
-	char *module_name = opts.module_name;
-	bool save_sig = opts.save_sig;
-	bool replace_orig = opts.replace_orig;
-	bool raw_sig = opts.raw_sig;
-	bool sign_only = opts.sign_only;
-
-#ifndef USE_PKCS7
-	unsigned int use_keyid = opts.use_keyid;
+	unsigned int use_keyid = opts->use_keyid;
 #endif
 
 	if (!argv[0] || argc != 1)
@@ -381,6 +365,19 @@ int main(int argc, char **argv)
 		exit(3);
 	}
 #endif
+
+	OpenSSL_add_all_algorithms();
+	ERR_load_crypto_strings();
+	ERR_clear_error();
+
+	key_pass = getenv("KBUILD_SIGN_PIN");
+
+#ifndef USE_PKCS7
+	use_signed_attrs = CMS_NOATTR;
+#else
+	use_signed_attrs = PKCS7_NOATTR;
+#endif
+
 	/* Open the module file */
 	bm = BIO_new_file(module_name, "rb");
 	ERR(!bm, "%s", module_name);
@@ -492,3 +489,15 @@ int main(int argc, char **argv)
 
 	return 0;
 }
+
+int main(int argc, char **argv)
+{
+	struct cmd_opts opts = {0};
+
+	parse_args(argc, argv, &opts);
+
+	argc -= optind;
+	argv += optind;
+
+	return sign_file(argc, argv, &opts);
+}
-- 
2.39.1

[PATCH v3 3/6] sign-file: add support sign modules in bulk

[Shreenidhi Shedi]

In the existing system, we need to invoke sign-file binary for every
module we want to sign. This patch adds support to give modules in bulk
and it will sign them all one by one.

Signed-off-by: Shreenidhi Shedi <sshedi@vmware.com>
---
 scripts/sign-file.c | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index 4732201feb96..7ad330b47d64 100644
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -224,6 +224,7 @@ struct cmd_opts {
 	bool replace_orig;
 	bool raw_sig;
 	bool sign_only;
+	bool bulk_sign;
 
 #ifndef USE_PKCS7
 	unsigned int use_keyid;
@@ -237,6 +238,7 @@ static void parse_args(int argc, char **argv, struct cmd_opts *opts)
 		{"help", no_argument, 0, 'h'},
 		{"savesig", no_argument, 0, 's'},
 		{"signonly", no_argument, 0, 'o'},
+		{"bulksign", no_argument, 0, 'b'},
 #ifndef USE_PKCS7
 		{"usekeyid", no_argument, 0, 'k'},
 #endif
@@ -305,6 +307,10 @@ static void parse_args(int argc, char **argv, struct cmd_opts *opts)
 			opts->replace_orig = true;
 			break;
 
+		case 'b':
+			opts->bulk_sign = true;
+			break;
+
 		case -1:
 			break;
 
@@ -342,12 +348,13 @@ int sign_file(int argc, char **argv, struct cmd_opts *opts)
 	bool replace_orig = opts->replace_orig;
 	bool raw_sig = opts->raw_sig;
 	bool sign_only = opts->sign_only;
+	bool bulk_sign = opts->bulk_sign;
 
 #ifndef USE_PKCS7
 	unsigned int use_keyid = opts->use_keyid;
 #endif
 
-	if (!argv[0] || argc != 1)
+	if ((bulk_sign && dest_name) || (!bulk_sign && argc != 1))
 		format();
 
 	if (dest_name && strcmp(argv[0], dest_name)) {
@@ -378,6 +385,16 @@ int sign_file(int argc, char **argv, struct cmd_opts *opts)
 	use_signed_attrs = PKCS7_NOATTR;
 #endif
 
+	for (i = 0; i < argc; i++) {
+		module_name = argv[i];
+
+		if (bulk_sign) {
+			ERR(asprintf(&dest_name, "%s.~signed~", module_name) < 0,
+					"asprintf");
+			if (!replace_orig)
+				replace_orig = true;
+		}
+
 	/* Open the module file */
 	bm = BIO_new_file(module_name, "rb");
 	ERR(!bm, "%s", module_name);
@@ -486,6 +503,7 @@ int sign_file(int argc, char **argv, struct cmd_opts *opts)
 	/* Finally, if we're signing in place, replace the original. */
 	if (replace_orig)
 		ERR(rename(dest_name, module_name) < 0, "%s", dest_name);
+	}
 
 	return 0;
 }
-- 
2.39.1

[PATCH v3 4/6] sign-file: cosmetic fix

[Shreenidhi Shedi]

In the previous patch for adding bulk modules support, this was not done
because it will add a lot to review in one patch.

Signed-off-by: Shreenidhi Shedi <sshedi@vmware.com>
---
 scripts/sign-file.c | 174 ++++++++++++++++++++++----------------------
 1 file changed, 87 insertions(+), 87 deletions(-)

diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index 7ad330b47d64..b48832d54f45 100644
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -395,114 +395,114 @@ int sign_file(int argc, char **argv, struct cmd_opts *opts)
 				replace_orig = true;
 		}
 
-	/* Open the module file */
-	bm = BIO_new_file(module_name, "rb");
-	ERR(!bm, "%s", module_name);
-
-	if (!raw_sig) {
-		/* Read the private key and the X.509 cert the PKCS#7 message
-		 * will point to.
-		 */
-		private_key = read_private_key(private_key_name);
-		x509 = read_x509(x509_name);
-
-		/* Digest the module data. */
-		OpenSSL_add_all_digests();
-		display_openssl_errors(__LINE__);
-		digest_algo = EVP_get_digestbyname(hash_algo);
-		ERR(!digest_algo, "EVP_get_digestbyname");
+		/* Open the module file */
+		bm = BIO_new_file(module_name, "rb");
+		ERR(!bm, "%s", module_name);
+
+		if (!raw_sig) {
+			/* Read the private key and the X.509 cert the PKCS#7 message
+			 * will point to.
+			 */
+			private_key = read_private_key(private_key_name);
+			x509 = read_x509(x509_name);
+
+			/* Digest the module data. */
+			OpenSSL_add_all_digests();
+			display_openssl_errors(__LINE__);
+			digest_algo = EVP_get_digestbyname(hash_algo);
+			ERR(!digest_algo, "EVP_get_digestbyname");
 
 #ifndef USE_PKCS7
-		/* Load the signature message from the digest buffer. */
-		cms = CMS_sign(NULL, NULL, NULL, NULL,
-			       CMS_NOCERTS | CMS_PARTIAL | CMS_BINARY |
-			       CMS_DETACHED | CMS_STREAM);
-		ERR(!cms, "CMS_sign");
-
-		ERR(!CMS_add1_signer(cms, x509, private_key, digest_algo,
-				     CMS_NOCERTS | CMS_BINARY |
-				     CMS_NOSMIMECAP | use_keyid |
-				     use_signed_attrs),
-		    "CMS_add1_signer");
-		ERR(CMS_final(cms, bm, NULL, CMS_NOCERTS | CMS_BINARY) < 0,
-		    "CMS_final");
+			/* Load the signature message from the digest buffer. */
+			cms = CMS_sign(NULL, NULL, NULL, NULL,
+					CMS_NOCERTS | CMS_PARTIAL | CMS_BINARY |
+					CMS_DETACHED | CMS_STREAM);
+			ERR(!cms, "CMS_sign");
+
+			ERR(!CMS_add1_signer(cms, x509, private_key, digest_algo,
+						CMS_NOCERTS | CMS_BINARY |
+						CMS_NOSMIMECAP | use_keyid |
+						use_signed_attrs),
+					"CMS_add1_signer");
+			ERR(CMS_final(cms, bm, NULL, CMS_NOCERTS | CMS_BINARY) < 0,
+					"CMS_final");
 
 #else
-		pkcs7 = PKCS7_sign(x509, private_key, NULL, bm,
-				   PKCS7_NOCERTS | PKCS7_BINARY |
-				   PKCS7_DETACHED | use_signed_attrs);
-		ERR(!pkcs7, "PKCS7_sign");
+			pkcs7 = PKCS7_sign(x509, private_key, NULL, bm,
+					PKCS7_NOCERTS | PKCS7_BINARY |
+					PKCS7_DETACHED | use_signed_attrs);
+			ERR(!pkcs7, "PKCS7_sign");
 #endif
 
-		if (save_sig) {
-			char *sig_file_name;
-			BIO *b;
+			if (save_sig) {
+				char *sig_file_name;
+				BIO *b;
 
-			ERR(asprintf(&sig_file_name, "%s.p7s", module_name) < 0,
-			    "asprintf");
-			b = BIO_new_file(sig_file_name, "wb");
-			ERR(!b, "%s", sig_file_name);
+				ERR(asprintf(&sig_file_name, "%s.p7s", module_name) < 0,
+						"asprintf");
+				b = BIO_new_file(sig_file_name, "wb");
+				ERR(!b, "%s", sig_file_name);
 #ifndef USE_PKCS7
-			ERR(i2d_CMS_bio_stream(b, cms, NULL, 0) < 0,
-			    "%s", sig_file_name);
+				ERR(i2d_CMS_bio_stream(b, cms, NULL, 0) < 0,
+						"%s", sig_file_name);
 #else
-			ERR(i2d_PKCS7_bio(b, pkcs7) < 0,
-			    "%s", sig_file_name);
+				ERR(i2d_PKCS7_bio(b, pkcs7) < 0,
+						"%s", sig_file_name);
 #endif
-			BIO_free(b);
-		}
+				BIO_free(b);
+			}
 
-		if (sign_only) {
-			BIO_free(bm);
-			return 0;
+			if (sign_only) {
+				BIO_free(bm);
+				return 0;
+			}
 		}
-	}
 
-	/* Open the destination file now so that we can shovel the module data
-	 * across as we read it.
-	 */
-	bd = BIO_new_file(dest_name, "wb");
-	ERR(!bd, "%s", dest_name);
-
-	/* Append the marker and the PKCS#7 message to the destination file */
-	ERR(BIO_reset(bm) < 0, "%s", module_name);
-	while ((n = BIO_read(bm, buf, sizeof(buf))),
-	       n > 0) {
-		ERR(BIO_write(bd, buf, n) < 0, "%s", dest_name);
-	}
-	BIO_free(bm);
-	ERR(n < 0, "%s", module_name);
-	module_size = BIO_number_written(bd);
+		/* Open the destination file now so that we can shovel the module data
+		 * across as we read it.
+		 */
+		bd = BIO_new_file(dest_name, "wb");
+		ERR(!bd, "%s", dest_name);
 
-	if (!raw_sig) {
+		/* Append the marker and the PKCS#7 message to the destination file */
+		ERR(BIO_reset(bm) < 0, "%s", module_name);
+		while ((n = BIO_read(bm, buf, sizeof(buf))),
+				n > 0) {
+			ERR(BIO_write(bd, buf, n) < 0, "%s", dest_name);
+		}
+		BIO_free(bm);
+		ERR(n < 0, "%s", module_name);
+		module_size = BIO_number_written(bd);
+
+		if (!raw_sig) {
 #ifndef USE_PKCS7
-		ERR(i2d_CMS_bio_stream(bd, cms, NULL, 0) < 0, "%s", dest_name);
+			ERR(i2d_CMS_bio_stream(bd, cms, NULL, 0) < 0, "%s", dest_name);
 #else
-		ERR(i2d_PKCS7_bio(bd, pkcs7) < 0, "%s", dest_name);
+			ERR(i2d_PKCS7_bio(bd, pkcs7) < 0, "%s", dest_name);
 #endif
-	} else {
-		BIO *b;
+		} else {
+			BIO *b;
 
-		/* Read the raw signature file and write the data to the
-		 * destination file
-		 */
-		b = BIO_new_file(raw_sig_name, "rb");
-		ERR(!b, "%s", raw_sig_name);
-		while ((n = BIO_read(b, buf, sizeof(buf))), n > 0)
-			ERR(BIO_write(bd, buf, n) < 0, "%s", dest_name);
-		BIO_free(b);
-	}
+			/* Read the raw signature file and write the data to the
+			 * destination file
+			 */
+			b = BIO_new_file(raw_sig_name, "rb");
+			ERR(!b, "%s", raw_sig_name);
+			while ((n = BIO_read(b, buf, sizeof(buf))), n > 0)
+				ERR(BIO_write(bd, buf, n) < 0, "%s", dest_name);
+			BIO_free(b);
+		}
 
-	sig_size = BIO_number_written(bd) - module_size;
-	sig_info.sig_len = htonl(sig_size);
-	ERR(BIO_write(bd, &sig_info, sizeof(sig_info)) < 0, "%s", dest_name);
-	ERR(BIO_write(bd, magic_number, sizeof(magic_number) - 1) < 0, "%s", dest_name);
+		sig_size = BIO_number_written(bd) - module_size;
+		sig_info.sig_len = htonl(sig_size);
+		ERR(BIO_write(bd, &sig_info, sizeof(sig_info)) < 0, "%s", dest_name);
+		ERR(BIO_write(bd, magic_number, sizeof(magic_number) - 1) < 0, "%s", dest_name);
 
-	ERR(BIO_free(bd) < 0, "%s", dest_name);
+		ERR(BIO_free(bd) < 0, "%s", dest_name);
 
-	/* Finally, if we're signing in place, replace the original. */
-	if (replace_orig)
-		ERR(rename(dest_name, module_name) < 0, "%s", dest_name);
+		/* Finally, if we're signing in place, replace the original. */
+		if (replace_orig)
+			ERR(rename(dest_name, module_name) < 0, "%s", dest_name);
 	}
 
 	return 0;
-- 
2.39.1

[PATCH v3 5/6] sign-file: use const with a global string constant

[Shreenidhi Shedi]

Fix a space issue (cosmetic)
Both reported by checkpatch.

Signed-off-by: Shreenidhi Shedi <sshedi@vmware.com>
---
 scripts/sign-file.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index b48832d54f45..0729d8df5660 100644
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -71,7 +71,7 @@ struct module_signature {
 
 #define PKEY_ID_PKCS7 2
 
-static char magic_number[] = "~Module signature appended~\n";
+static const char magic_number[] = "~Module signature appended~\n";
 
 static __attribute__((noreturn))
 void format(void)
@@ -116,7 +116,7 @@ static void drain_openssl_errors(void)
 		if (__cond) {				\
 			errx(1, fmt, ## __VA_ARGS__);	\
 		}					\
-	} while(0)
+	} while (0)
 
 static const char *key_pass;
 
-- 
2.39.1

[PATCH v3 6/6] sign-file: improve help message

[Shreenidhi Shedi]

Add a proper help message with examples on how to use this tool.

Signed-off-by: Shreenidhi Shedi <sshedi@vmware.com>
---
 scripts/sign-file.c | 49 ++++++++++++++++++++++++++++++++++++---------
 1 file changed, 40 insertions(+), 9 deletions(-)

diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index 0729d8df5660..d9499ea5c8cc 100644
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -74,13 +74,44 @@ struct module_signature {
 static const char magic_number[] = "~Module signature appended~\n";
 
 static __attribute__((noreturn))
-void format(void)
+void print_usage(int retval)
 {
-	fprintf(stderr,
-		"Usage: scripts/sign-file [-dp] <hash algo> <key> <x509> <module> [<dest>]\n");
-	fprintf(stderr,
-		"       scripts/sign-file -s <raw sig> <hash algo> <x509> <module> [<dest>]\n");
-	exit(2);
+	fprintf(stderr, "Usage: scripts/sign-file [OPTIONS]... [MODULE]...\n");
+	fprintf(stderr, "Available options:\n");
+	fprintf(stderr, "-h, --help		Print this help message and exit\n");
+
+	fprintf(stderr, "\nOptional args:\n");
+	fprintf(stderr, "-s, --savesig		Save signature\n");
+	fprintf(stderr, "-o, --signonly		Sign only\n");
+	fprintf(stderr, "-b, --bulksign		Sign modules in bulk\n");
+	fprintf(stderr, "-l, --replaceorig	Replace original\n");
+#ifndef USE_PKCS7
+	fprintf(stderr, "-k, --usekeyid		Use key ID\n");
+#endif
+	fprintf(stderr, "-r, --rawsig <sig>	Raw signature\n");
+	fprintf(stderr, "-d, --dest <dest>	Destination path ");
+	fprintf(stderr, "(Exclusive with bulk option)\n");
+
+	fprintf(stderr, "\nMandatory args:\n");
+	fprintf(stderr, "-p, --privkey <key>	Private key\n");
+	fprintf(stderr, "-a, --hashalgo <alg>	Hash algorithm\n");
+	fprintf(stderr, "-x, --x509 <x509>	X509\n");
+
+	fprintf(stderr, "\nExamples:\n");
+
+	fprintf(stderr, "\nRegular signing:\n");
+	fprintf(stderr, "scripts/sign-file -a sha512 -p certs/signing_key.pem ");
+	fprintf(stderr, "-x certs/signing_key.x509 <module>\n");
+
+	fprintf(stderr, "\nSigning with destination path:\n");
+	fprintf(stderr, "scripts/sign-file -a sha512 -p certs/signing_key.pem ");
+	fprintf(stderr, "-x certs/signing_key.x509 <module> -d <path>\n");
+
+	fprintf(stderr, "\nSigning modules in bulk:\n");
+	fprintf(stderr, "scripts/sign-file -a sha512 -p certs/signing_key.pem ");
+	fprintf(stderr, "-x certs/signing_key.x509 -b <module1> <module2> ...\n");
+
+	exit(retval);
 }
 
 static void display_openssl_errors(int l)
@@ -264,7 +295,7 @@ static void parse_args(int argc, char **argv, struct cmd_opts *opts)
 #endif
 		switch (opt) {
 		case 'h':
-			format();
+			print_usage(0);
 			break;
 
 		case 'r':
@@ -315,7 +346,7 @@ static void parse_args(int argc, char **argv, struct cmd_opts *opts)
 			break;
 
 		default:
-			format();
+			print_usage(2);
 			break;
 		}
 	} while (opt != -1);
@@ -355,7 +386,7 @@ int sign_file(int argc, char **argv, struct cmd_opts *opts)
 #endif
 
 	if ((bulk_sign && dest_name) || (!bulk_sign && argc != 1))
-		format();
+		print_usage(2);
 
 	if (dest_name && strcmp(argv[0], dest_name)) {
 		replace_orig = false;
-- 
2.39.1

Re: [PATCH v3 1/6] sign-file: refactor argument parsing logic

[Greg KH]

On Tue, Feb 14, 2023 at 12:30:29AM +0530, Shreenidhi Shedi wrote:
> - Use getopt_long_only for parsing input args
> - Use more easy to remember command line argument names
> 
> Signed-off-by: Shreenidhi Shedi <sshedi@vmware.com>
> ---
>  scripts/sign-file.c | 156 ++++++++++++++++++++++++++++++++++----------
>  1 file changed, 122 insertions(+), 34 deletions(-)
> 
> diff --git a/scripts/sign-file.c b/scripts/sign-file.c
> index 598ef5465f82..cf3acbb13013 100644
> --- a/scripts/sign-file.c
> +++ b/scripts/sign-file.c
> @@ -213,15 +213,111 @@ static X509 *read_x509(const char *x509_name)
>  	return x509;
>  }
>  
> +struct cmd_opts {
> +	char *hash_algo;
> +	char *dest_name;
> +	char *private_key_name;
> +	char *raw_sig_name;
> +	char *x509_name;
> +	char *module_name;
> +	bool save_sig;
> +	bool replace_orig;
> +	bool raw_sig;
> +	bool sign_only;
> +
> +#ifndef USE_PKCS7
> +	unsigned int use_keyid;
> +#endif
> +};
> +
> +void parse_args(int argc, char **argv, struct cmd_opts *opts)
> +{
> +	struct option cmd_options[] = {
> +		/* These options set a flag. */
> +		{"help", no_argument, 0, 'h'},
> +		{"savesig", no_argument, 0, 's'},
> +		{"signonly", no_argument, 0, 'o'},
> +#ifndef USE_PKCS7
> +		{"usekeyid", no_argument, 0, 'k'},
> +#endif
> +		{"rawsig", required_argument, 0, 'r'},
> +		{"privkey", required_argument, 0, 'p'},
> +		{"hashalgo", required_argument, 0, 'a'},
> +		{"x509", required_argument, 0, 'x'},
> +		{"dest", required_argument, 0, 'd'},
> +		{"replaceorig", required_argument, 0, 'l'},
> +		{0, 0, 0, 0}
> +	};
> +
> +	int opt;
> +	int opt_index = 0;
> +
> +	do {
> +#ifndef USE_PKCS7
> +		opt = getopt_long_only(argc, argv, "hsobr:p:a:x:d:l:",
> +				cmd_options, &opt_index);
> +#else
> +		opt = getopt_long_only(argc, argv, "hsobkr:p:a:x:d:l:",
> +				cmd_options, &opt_index);
> +#endif
> +		switch (opt) {
> +		case 'h':
> +			format();
> +			break;
> +
> +		case 'r':
> +			opts->raw_sig = true;
> +			opts->raw_sig_name = optarg;
> +			break;
> +
> +		case 's':
> +			opts->save_sig = true;
> +			break;
> +
> +		case 'o':
> +			opts->sign_only = true;
> +			opts->save_sig = true;
> +			break;
> +
> +#ifndef USE_PKCS7
> +		case 'k':
> +			opts->use_keyid = CMS_USE_KEYID;
> +			break;
> +#endif
> +
> +		case 'p':
> +			opts->private_key_name = optarg;
> +			break;
> +
> +		case 'a':
> +			opts->hash_algo = optarg;
> +			break;
> +
> +		case 'x':
> +			opts->x509_name = optarg;
> +			break;
> +
> +		case 'd':
> +			opts->dest_name = optarg;
> +			break;
> +
> +		case 'l':
> +			opts->replace_orig = true;
> +			break;
> +
> +		case -1:
> +			break;
> +
> +		default:
> +			format();
> +			break;
> +		}
> +	} while (opt != -1);
> +}
> +
>  int main(int argc, char **argv)
>  {
>  	struct module_signature sig_info = { .id_type = PKEY_ID_PKCS7 };
> -	char *hash_algo = NULL;
> -	char *private_key_name = NULL, *raw_sig_name = NULL;
> -	char *x509_name, *module_name, *dest_name;
> -	bool save_sig = false, replace_orig;
> -	bool sign_only = false;
> -	bool raw_sig = false;
>  	unsigned char buf[4096];
>  	unsigned long module_size, sig_size;
>  	unsigned int use_signed_attrs;
> @@ -229,13 +325,14 @@ int main(int argc, char **argv)
>  	EVP_PKEY *private_key;
>  #ifndef USE_PKCS7
>  	CMS_ContentInfo *cms = NULL;
> -	unsigned int use_keyid = 0;
>  #else
>  	PKCS7 *pkcs7 = NULL;
>  #endif
>  	X509 *x509;
>  	BIO *bd, *bm;
> -	int opt, n;
> +	int i, n;
> +	struct cmd_opts opts = {0};
> +
>  	OpenSSL_add_all_algorithms();
>  	ERR_load_crypto_strings();
>  	ERR_clear_error();
> @@ -247,37 +344,29 @@ int main(int argc, char **argv)
>  #else
>  	use_signed_attrs = PKCS7_NOATTR;
>  #endif
> +	parse_args(argc, argv, &opts);
> +	argc -= optind;
> +	argv += optind;
> +
> +	char *hash_algo = opts.hash_algo;
> +	char *dest_name = opts.dest_name;
> +	char *private_key_name = opts.private_key_name;
> +	char *raw_sig_name = opts.raw_sig_name;
> +	char *x509_name = opts.x509_name;
> +	char *module_name = opts.module_name;
> +	bool save_sig = opts.save_sig;
> +	bool replace_orig = opts.replace_orig;
> +	bool raw_sig = opts.raw_sig;
> +	bool sign_only = opts.sign_only;
>  
> -	do {
> -		opt = getopt(argc, argv, "sdpk");
> -		switch (opt) {
> -		case 's': raw_sig = true; break;
> -		case 'p': save_sig = true; break;
> -		case 'd': sign_only = true; save_sig = true; break;
>  #ifndef USE_PKCS7
> -		case 'k': use_keyid = CMS_USE_KEYID; break;
> +	unsigned int use_keyid = opts.use_keyid;
>  #endif
> -		case -1: break;
> -		default: format();
> -		}
> -	} while (opt != -1);
>  
> -	argc -= optind;
> -	argv += optind;
> -	if (argc < 4 || argc > 5)
> +	if (!argv[0] || argc != 1)
>  		format();
>  
> -	if (raw_sig) {
> -		raw_sig_name = argv[0];
> -		hash_algo = argv[1];
> -	} else {
> -		hash_algo = argv[0];
> -		private_key_name = argv[1];
> -	}
> -	x509_name = argv[2];
> -	module_name = argv[3];
> -	if (argc == 5 && strcmp(argv[3], argv[4]) != 0) {
> -		dest_name = argv[4];
> +	if (dest_name && strcmp(argv[0], dest_name)) {
>  		replace_orig = false;
>  	} else {
>  		ERR(asprintf(&dest_name, "%s.~signed~", module_name) < 0,
> @@ -292,7 +381,6 @@ int main(int argc, char **argv)
>  		exit(3);
>  	}
>  #endif
> -
>  	/* Open the module file */
>  	bm = BIO_new_file(module_name, "rb");
>  	ERR(!bm, "%s", module_name);
> -- 
> 2.39.1
> 

Hi,

This is the friendly patch-bot of Greg Kroah-Hartman.  You have sent him
a patch that has triggered this response.  He used to manually respond
to these common problems, but in order to save his sanity (he kept
writing the same thing over and over, yet to different people), I was
created.  Hopefully you will not take offence and will fix the problem
in your patch and resubmit it so that it can be accepted into the Linux
kernel tree.

You are receiving this message because of the following common error(s)
as indicated below:

- This looks like a new version of a previously submitted patch, but you
  did not list below the --- line any changes from the previous version.
  Please read the section entitled "The canonical patch format" in the
  kernel file, Documentation/process/submitting-patches.rst for what
  needs to be done here to properly describe this.

If you wish to discuss this problem further, or you have questions about
how to resolve this issue, please feel free to respond to this email and
Greg will reply once he has dug out from the pending patches received
from other developers.

thanks,

greg k-h's patch email bot

Re: [PATCH v3 6/6] sign-file: improve help message

[Greg KH]

On Tue, Feb 14, 2023 at 12:30:34AM +0530, Shreenidhi Shedi wrote:
> Add a proper help message with examples on how to use this tool.
> 
> Signed-off-by: Shreenidhi Shedi <sshedi@vmware.com>
> ---
>  scripts/sign-file.c | 49 ++++++++++++++++++++++++++++++++++++---------
>  1 file changed, 40 insertions(+), 9 deletions(-)
> 
> diff --git a/scripts/sign-file.c b/scripts/sign-file.c
> index 0729d8df5660..d9499ea5c8cc 100644
> --- a/scripts/sign-file.c
> +++ b/scripts/sign-file.c
> @@ -74,13 +74,44 @@ struct module_signature {
>  static const char magic_number[] = "~Module signature appended~\n";
>  
>  static __attribute__((noreturn))
> -void format(void)
> +void print_usage(int retval)
>  {
> -	fprintf(stderr,
> -		"Usage: scripts/sign-file [-dp] <hash algo> <key> <x509> <module> [<dest>]\n");
> -	fprintf(stderr,
> -		"       scripts/sign-file -s <raw sig> <hash algo> <x509> <module> [<dest>]\n");
> -	exit(2);
> +	fprintf(stderr, "Usage: scripts/sign-file [OPTIONS]... [MODULE]...\n");
> +	fprintf(stderr, "Available options:\n");
> +	fprintf(stderr, "-h, --help		Print this help message and exit\n");
> +
> +	fprintf(stderr, "\nOptional args:\n");
> +	fprintf(stderr, "-s, --savesig		Save signature\n");
> +	fprintf(stderr, "-o, --signonly		Sign only\n");
> +	fprintf(stderr, "-b, --bulksign		Sign modules in bulk\n");
> +	fprintf(stderr, "-l, --replaceorig	Replace original\n");
> +#ifndef USE_PKCS7
> +	fprintf(stderr, "-k, --usekeyid		Use key ID\n");
> +#endif
> +	fprintf(stderr, "-r, --rawsig <sig>	Raw signature\n");
> +	fprintf(stderr, "-d, --dest <dest>	Destination path ");
> +	fprintf(stderr, "(Exclusive with bulk option)\n");
> +
> +	fprintf(stderr, "\nMandatory args:\n");
> +	fprintf(stderr, "-p, --privkey <key>	Private key\n");
> +	fprintf(stderr, "-a, --hashalgo <alg>	Hash algorithm\n");
> +	fprintf(stderr, "-x, --x509 <x509>	X509\n");
> +
> +	fprintf(stderr, "\nExamples:\n");
> +
> +	fprintf(stderr, "\nRegular signing:\n");
> +	fprintf(stderr, "scripts/sign-file -a sha512 -p certs/signing_key.pem ");
> +	fprintf(stderr, "-x certs/signing_key.x509 <module>\n");
> +
> +	fprintf(stderr, "\nSigning with destination path:\n");
> +	fprintf(stderr, "scripts/sign-file -a sha512 -p certs/signing_key.pem ");
> +	fprintf(stderr, "-x certs/signing_key.x509 <module> -d <path>\n");
> +
> +	fprintf(stderr, "\nSigning modules in bulk:\n");
> +	fprintf(stderr, "scripts/sign-file -a sha512 -p certs/signing_key.pem ");
> +	fprintf(stderr, "-x certs/signing_key.x509 -b <module1> <module2> ...\n");
> +
> +	exit(retval);
>  }
>  
>  static void display_openssl_errors(int l)
> @@ -264,7 +295,7 @@ static void parse_args(int argc, char **argv, struct cmd_opts *opts)
>  #endif
>  		switch (opt) {
>  		case 'h':
> -			format();
> +			print_usage(0);
>  			break;
>  
>  		case 'r':
> @@ -315,7 +346,7 @@ static void parse_args(int argc, char **argv, struct cmd_opts *opts)
>  			break;
>  
>  		default:
> -			format();
> +			print_usage(2);
>  			break;
>  		}
>  	} while (opt != -1);
> @@ -355,7 +386,7 @@ int sign_file(int argc, char **argv, struct cmd_opts *opts)
>  #endif
>  
>  	if ((bulk_sign && dest_name) || (!bulk_sign && argc != 1))
> -		format();
> +		print_usage(2);
>  
>  	if (dest_name && strcmp(argv[0], dest_name)) {
>  		replace_orig = false;
> -- 
> 2.39.1

Hi,

This is the friendly patch-bot of Greg Kroah-Hartman.  You have sent him
a patch that has triggered this response.  He used to manually respond
to these common problems, but in order to save his sanity (he kept
writing the same thing over and over, yet to different people), I was
created.  Hopefully you will not take offence and will fix the problem
in your patch and resubmit it so that it can be accepted into the Linux
kernel tree.

You are receiving this message because of the following common error(s)
as indicated below:

- This looks like a new version of a previously submitted patch, but you
  did not list below the --- line any changes from the previous version.
  Please read the section entitled "The canonical patch format" in the
  kernel file, Documentation/process/submitting-patches.rst for what
  needs to be done here to properly describe this.

If you wish to discuss this problem further, or you have questions about
how to resolve this issue, please feel free to respond to this email and
Greg will reply once he has dug out from the pending patches received
from other developers.

thanks,

greg k-h's patch email bot

Re: [PATCH v3 5/6] sign-file: use const with a global string constant

[Greg KH]

On Tue, Feb 14, 2023 at 12:30:33AM +0530, Shreenidhi Shedi wrote:
> Fix a space issue (cosmetic)
> Both reported by checkpatch.
> 
> Signed-off-by: Shreenidhi Shedi <sshedi@vmware.com>
> ---
>  scripts/sign-file.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/scripts/sign-file.c b/scripts/sign-file.c
> index b48832d54f45..0729d8df5660 100644
> --- a/scripts/sign-file.c
> +++ b/scripts/sign-file.c
> @@ -71,7 +71,7 @@ struct module_signature {
>  
>  #define PKEY_ID_PKCS7 2
>  
> -static char magic_number[] = "~Module signature appended~\n";
> +static const char magic_number[] = "~Module signature appended~\n";
>  
>  static __attribute__((noreturn))
>  void format(void)
> @@ -116,7 +116,7 @@ static void drain_openssl_errors(void)
>  		if (__cond) {				\
>  			errx(1, fmt, ## __VA_ARGS__);	\
>  		}					\
> -	} while(0)
> +	} while (0)
>  
>  static const char *key_pass;
>  
> -- 
> 2.39.1
>


Hi,

This is the friendly patch-bot of Greg Kroah-Hartman.  You have sent him
a patch that has triggered this response.  He used to manually respond
to these common problems, but in order to save his sanity (he kept
writing the same thing over and over, yet to different people), I was
created.  Hopefully you will not take offence and will fix the problem
in your patch and resubmit it so that it can be accepted into the Linux
kernel tree.

You are receiving this message because of the following common error(s)
as indicated below:

- This looks like a new version of a previously submitted patch, but you
  did not list below the --- line any changes from the previous version.
  Please read the section entitled "The canonical patch format" in the
  kernel file, Documentation/process/submitting-patches.rst for what
  needs to be done here to properly describe this.

If you wish to discuss this problem further, or you have questions about
how to resolve this issue, please feel free to respond to this email and
Greg will reply once he has dug out from the pending patches received
from other developers.

thanks,

greg k-h's patch email bot

Re: [PATCH v3 4/6] sign-file: cosmetic fix

[Greg KH]

On Tue, Feb 14, 2023 at 12:30:32AM +0530, Shreenidhi Shedi wrote:
> In the previous patch for adding bulk modules support, this was not done
> because it will add a lot to review in one patch.
> 
> Signed-off-by: Shreenidhi Shedi <sshedi@vmware.com>
> ---
>  scripts/sign-file.c | 174 ++++++++++++++++++++++----------------------
>  1 file changed, 87 insertions(+), 87 deletions(-)
> 
> diff --git a/scripts/sign-file.c b/scripts/sign-file.c
> index 7ad330b47d64..b48832d54f45 100644
> --- a/scripts/sign-file.c
> +++ b/scripts/sign-file.c
> @@ -395,114 +395,114 @@ int sign_file(int argc, char **argv, struct cmd_opts *opts)
>  				replace_orig = true;
>  		}
>  
> -	/* Open the module file */
> -	bm = BIO_new_file(module_name, "rb");
> -	ERR(!bm, "%s", module_name);
> -
> -	if (!raw_sig) {
> -		/* Read the private key and the X.509 cert the PKCS#7 message
> -		 * will point to.
> -		 */
> -		private_key = read_private_key(private_key_name);
> -		x509 = read_x509(x509_name);
> -
> -		/* Digest the module data. */
> -		OpenSSL_add_all_digests();
> -		display_openssl_errors(__LINE__);
> -		digest_algo = EVP_get_digestbyname(hash_algo);
> -		ERR(!digest_algo, "EVP_get_digestbyname");
> +		/* Open the module file */
> +		bm = BIO_new_file(module_name, "rb");
> +		ERR(!bm, "%s", module_name);
> +
> +		if (!raw_sig) {
> +			/* Read the private key and the X.509 cert the PKCS#7 message
> +			 * will point to.
> +			 */
> +			private_key = read_private_key(private_key_name);
> +			x509 = read_x509(x509_name);
> +
> +			/* Digest the module data. */
> +			OpenSSL_add_all_digests();
> +			display_openssl_errors(__LINE__);
> +			digest_algo = EVP_get_digestbyname(hash_algo);
> +			ERR(!digest_algo, "EVP_get_digestbyname");
>  
>  #ifndef USE_PKCS7
> -		/* Load the signature message from the digest buffer. */
> -		cms = CMS_sign(NULL, NULL, NULL, NULL,
> -			       CMS_NOCERTS | CMS_PARTIAL | CMS_BINARY |
> -			       CMS_DETACHED | CMS_STREAM);
> -		ERR(!cms, "CMS_sign");
> -
> -		ERR(!CMS_add1_signer(cms, x509, private_key, digest_algo,
> -				     CMS_NOCERTS | CMS_BINARY |
> -				     CMS_NOSMIMECAP | use_keyid |
> -				     use_signed_attrs),
> -		    "CMS_add1_signer");
> -		ERR(CMS_final(cms, bm, NULL, CMS_NOCERTS | CMS_BINARY) < 0,
> -		    "CMS_final");
> +			/* Load the signature message from the digest buffer. */
> +			cms = CMS_sign(NULL, NULL, NULL, NULL,
> +					CMS_NOCERTS | CMS_PARTIAL | CMS_BINARY |
> +					CMS_DETACHED | CMS_STREAM);
> +			ERR(!cms, "CMS_sign");
> +
> +			ERR(!CMS_add1_signer(cms, x509, private_key, digest_algo,
> +						CMS_NOCERTS | CMS_BINARY |
> +						CMS_NOSMIMECAP | use_keyid |
> +						use_signed_attrs),
> +					"CMS_add1_signer");
> +			ERR(CMS_final(cms, bm, NULL, CMS_NOCERTS | CMS_BINARY) < 0,
> +					"CMS_final");
>  
>  #else
> -		pkcs7 = PKCS7_sign(x509, private_key, NULL, bm,
> -				   PKCS7_NOCERTS | PKCS7_BINARY |
> -				   PKCS7_DETACHED | use_signed_attrs);
> -		ERR(!pkcs7, "PKCS7_sign");
> +			pkcs7 = PKCS7_sign(x509, private_key, NULL, bm,
> +					PKCS7_NOCERTS | PKCS7_BINARY |
> +					PKCS7_DETACHED | use_signed_attrs);
> +			ERR(!pkcs7, "PKCS7_sign");
>  #endif
>  
> -		if (save_sig) {
> -			char *sig_file_name;
> -			BIO *b;
> +			if (save_sig) {
> +				char *sig_file_name;
> +				BIO *b;
>  
> -			ERR(asprintf(&sig_file_name, "%s.p7s", module_name) < 0,
> -			    "asprintf");
> -			b = BIO_new_file(sig_file_name, "wb");
> -			ERR(!b, "%s", sig_file_name);
> +				ERR(asprintf(&sig_file_name, "%s.p7s", module_name) < 0,
> +						"asprintf");
> +				b = BIO_new_file(sig_file_name, "wb");
> +				ERR(!b, "%s", sig_file_name);
>  #ifndef USE_PKCS7
> -			ERR(i2d_CMS_bio_stream(b, cms, NULL, 0) < 0,
> -			    "%s", sig_file_name);
> +				ERR(i2d_CMS_bio_stream(b, cms, NULL, 0) < 0,
> +						"%s", sig_file_name);
>  #else
> -			ERR(i2d_PKCS7_bio(b, pkcs7) < 0,
> -			    "%s", sig_file_name);
> +				ERR(i2d_PKCS7_bio(b, pkcs7) < 0,
> +						"%s", sig_file_name);
>  #endif
> -			BIO_free(b);
> -		}
> +				BIO_free(b);
> +			}
>  
> -		if (sign_only) {
> -			BIO_free(bm);
> -			return 0;
> +			if (sign_only) {
> +				BIO_free(bm);
> +				return 0;
> +			}
>  		}
> -	}
>  
> -	/* Open the destination file now so that we can shovel the module data
> -	 * across as we read it.
> -	 */
> -	bd = BIO_new_file(dest_name, "wb");
> -	ERR(!bd, "%s", dest_name);
> -
> -	/* Append the marker and the PKCS#7 message to the destination file */
> -	ERR(BIO_reset(bm) < 0, "%s", module_name);
> -	while ((n = BIO_read(bm, buf, sizeof(buf))),
> -	       n > 0) {
> -		ERR(BIO_write(bd, buf, n) < 0, "%s", dest_name);
> -	}
> -	BIO_free(bm);
> -	ERR(n < 0, "%s", module_name);
> -	module_size = BIO_number_written(bd);
> +		/* Open the destination file now so that we can shovel the module data
> +		 * across as we read it.
> +		 */
> +		bd = BIO_new_file(dest_name, "wb");
> +		ERR(!bd, "%s", dest_name);
>  
> -	if (!raw_sig) {
> +		/* Append the marker and the PKCS#7 message to the destination file */
> +		ERR(BIO_reset(bm) < 0, "%s", module_name);
> +		while ((n = BIO_read(bm, buf, sizeof(buf))),
> +				n > 0) {
> +			ERR(BIO_write(bd, buf, n) < 0, "%s", dest_name);
> +		}
> +		BIO_free(bm);
> +		ERR(n < 0, "%s", module_name);
> +		module_size = BIO_number_written(bd);
> +
> +		if (!raw_sig) {
>  #ifndef USE_PKCS7
> -		ERR(i2d_CMS_bio_stream(bd, cms, NULL, 0) < 0, "%s", dest_name);
> +			ERR(i2d_CMS_bio_stream(bd, cms, NULL, 0) < 0, "%s", dest_name);
>  #else
> -		ERR(i2d_PKCS7_bio(bd, pkcs7) < 0, "%s", dest_name);
> +			ERR(i2d_PKCS7_bio(bd, pkcs7) < 0, "%s", dest_name);
>  #endif
> -	} else {
> -		BIO *b;
> +		} else {
> +			BIO *b;
>  
> -		/* Read the raw signature file and write the data to the
> -		 * destination file
> -		 */
> -		b = BIO_new_file(raw_sig_name, "rb");
> -		ERR(!b, "%s", raw_sig_name);
> -		while ((n = BIO_read(b, buf, sizeof(buf))), n > 0)
> -			ERR(BIO_write(bd, buf, n) < 0, "%s", dest_name);
> -		BIO_free(b);
> -	}
> +			/* Read the raw signature file and write the data to the
> +			 * destination file
> +			 */
> +			b = BIO_new_file(raw_sig_name, "rb");
> +			ERR(!b, "%s", raw_sig_name);
> +			while ((n = BIO_read(b, buf, sizeof(buf))), n > 0)
> +				ERR(BIO_write(bd, buf, n) < 0, "%s", dest_name);
> +			BIO_free(b);
> +		}
>  
> -	sig_size = BIO_number_written(bd) - module_size;
> -	sig_info.sig_len = htonl(sig_size);
> -	ERR(BIO_write(bd, &sig_info, sizeof(sig_info)) < 0, "%s", dest_name);
> -	ERR(BIO_write(bd, magic_number, sizeof(magic_number) - 1) < 0, "%s", dest_name);
> +		sig_size = BIO_number_written(bd) - module_size;
> +		sig_info.sig_len = htonl(sig_size);
> +		ERR(BIO_write(bd, &sig_info, sizeof(sig_info)) < 0, "%s", dest_name);
> +		ERR(BIO_write(bd, magic_number, sizeof(magic_number) - 1) < 0, "%s", dest_name);
>  
> -	ERR(BIO_free(bd) < 0, "%s", dest_name);
> +		ERR(BIO_free(bd) < 0, "%s", dest_name);
>  
> -	/* Finally, if we're signing in place, replace the original. */
> -	if (replace_orig)
> -		ERR(rename(dest_name, module_name) < 0, "%s", dest_name);
> +		/* Finally, if we're signing in place, replace the original. */
> +		if (replace_orig)
> +			ERR(rename(dest_name, module_name) < 0, "%s", dest_name);
>  	}
>  
>  	return 0;
> -- 
> 2.39.1
> 


Hi,

This is the friendly patch-bot of Greg Kroah-Hartman.  You have sent him
a patch that has triggered this response.  He used to manually respond
to these common problems, but in order to save his sanity (he kept
writing the same thing over and over, yet to different people), I was
created.  Hopefully you will not take offence and will fix the problem
in your patch and resubmit it so that it can be accepted into the Linux
kernel tree.

You are receiving this message because of the following common error(s)
as indicated below:

- This looks like a new version of a previously submitted patch, but you
  did not list below the --- line any changes from the previous version.
  Please read the section entitled "The canonical patch format" in the
  kernel file, Documentation/process/submitting-patches.rst for what
  needs to be done here to properly describe this.

If you wish to discuss this problem further, or you have questions about
how to resolve this issue, please feel free to respond to this email and
Greg will reply once he has dug out from the pending patches received
from other developers.

thanks,

greg k-h's patch email bot

Re: [PATCH v3 3/6] sign-file: add support sign modules in bulk

[Greg KH]

On Tue, Feb 14, 2023 at 12:30:31AM +0530, Shreenidhi Shedi wrote:
> In the existing system, we need to invoke sign-file binary for every
> module we want to sign. This patch adds support to give modules in bulk
> and it will sign them all one by one.
> 
> Signed-off-by: Shreenidhi Shedi <sshedi@vmware.com>
> ---
>  scripts/sign-file.c | 20 +++++++++++++++++++-
>  1 file changed, 19 insertions(+), 1 deletion(-)
> 
> diff --git a/scripts/sign-file.c b/scripts/sign-file.c
> index 4732201feb96..7ad330b47d64 100644
> --- a/scripts/sign-file.c
> +++ b/scripts/sign-file.c
> @@ -224,6 +224,7 @@ struct cmd_opts {
>  	bool replace_orig;
>  	bool raw_sig;
>  	bool sign_only;
> +	bool bulk_sign;
>  
>  #ifndef USE_PKCS7
>  	unsigned int use_keyid;
> @@ -237,6 +238,7 @@ static void parse_args(int argc, char **argv, struct cmd_opts *opts)
>  		{"help", no_argument, 0, 'h'},
>  		{"savesig", no_argument, 0, 's'},
>  		{"signonly", no_argument, 0, 'o'},
> +		{"bulksign", no_argument, 0, 'b'},
>  #ifndef USE_PKCS7
>  		{"usekeyid", no_argument, 0, 'k'},
>  #endif
> @@ -305,6 +307,10 @@ static void parse_args(int argc, char **argv, struct cmd_opts *opts)
>  			opts->replace_orig = true;
>  			break;
>  
> +		case 'b':
> +			opts->bulk_sign = true;
> +			break;
> +
>  		case -1:
>  			break;
>  
> @@ -342,12 +348,13 @@ int sign_file(int argc, char **argv, struct cmd_opts *opts)
>  	bool replace_orig = opts->replace_orig;
>  	bool raw_sig = opts->raw_sig;
>  	bool sign_only = opts->sign_only;
> +	bool bulk_sign = opts->bulk_sign;
>  
>  #ifndef USE_PKCS7
>  	unsigned int use_keyid = opts->use_keyid;
>  #endif
>  
> -	if (!argv[0] || argc != 1)
> +	if ((bulk_sign && dest_name) || (!bulk_sign && argc != 1))
>  		format();
>  
>  	if (dest_name && strcmp(argv[0], dest_name)) {
> @@ -378,6 +385,16 @@ int sign_file(int argc, char **argv, struct cmd_opts *opts)
>  	use_signed_attrs = PKCS7_NOATTR;
>  #endif
>  
> +	for (i = 0; i < argc; i++) {
> +		module_name = argv[i];
> +
> +		if (bulk_sign) {
> +			ERR(asprintf(&dest_name, "%s.~signed~", module_name) < 0,
> +					"asprintf");
> +			if (!replace_orig)
> +				replace_orig = true;
> +		}
> +
>  	/* Open the module file */
>  	bm = BIO_new_file(module_name, "rb");
>  	ERR(!bm, "%s", module_name);
> @@ -486,6 +503,7 @@ int sign_file(int argc, char **argv, struct cmd_opts *opts)
>  	/* Finally, if we're signing in place, replace the original. */
>  	if (replace_orig)
>  		ERR(rename(dest_name, module_name) < 0, "%s", dest_name);
> +	}
>  
>  	return 0;
>  }
> -- 
> 2.39.1
> 


Hi,

This is the friendly patch-bot of Greg Kroah-Hartman.  You have sent him
a patch that has triggered this response.  He used to manually respond
to these common problems, but in order to save his sanity (he kept
writing the same thing over and over, yet to different people), I was
created.  Hopefully you will not take offence and will fix the problem
in your patch and resubmit it so that it can be accepted into the Linux
kernel tree.

You are receiving this message because of the following common error(s)
as indicated below:

- This looks like a new version of a previously submitted patch, but you
  did not list below the --- line any changes from the previous version.
  Please read the section entitled "The canonical patch format" in the
  kernel file, Documentation/process/submitting-patches.rst for what
  needs to be done here to properly describe this.

If you wish to discuss this problem further, or you have questions about
how to resolve this issue, please feel free to respond to this email and
Greg will reply once he has dug out from the pending patches received
from other developers.

thanks,

greg k-h's patch email bot

Re: [PATCH v3 2/6] sign-file: move file signing logic to its own function

[Greg KH]

On Tue, Feb 14, 2023 at 12:30:30AM +0530, Shreenidhi Shedi wrote:
> Keep the main function bare minimal and do less in main function.
> 
> Signed-off-by: Shreenidhi Shedi <sshedi@vmware.com>
> ---
>  scripts/sign-file.c | 69 +++++++++++++++++++++++++--------------------
>  1 file changed, 39 insertions(+), 30 deletions(-)
> 
> diff --git a/scripts/sign-file.c b/scripts/sign-file.c
> index cf3acbb13013..4732201feb96 100644
> --- a/scripts/sign-file.c
> +++ b/scripts/sign-file.c
> @@ -230,7 +230,7 @@ struct cmd_opts {
>  #endif
>  };
>  
> -void parse_args(int argc, char **argv, struct cmd_opts *opts)
> +static void parse_args(int argc, char **argv, struct cmd_opts *opts)
>  {
>  	struct option cmd_options[] = {
>  		/* These options set a flag. */
> @@ -315,10 +315,10 @@ void parse_args(int argc, char **argv, struct cmd_opts *opts)
>  	} while (opt != -1);
>  }
>  
> -int main(int argc, char **argv)
> +int sign_file(int argc, char **argv, struct cmd_opts *opts)
>  {
>  	struct module_signature sig_info = { .id_type = PKEY_ID_PKCS7 };
> -	unsigned char buf[4096];
> +	unsigned char buf[4096] = {0};
>  	unsigned long module_size, sig_size;
>  	unsigned int use_signed_attrs;
>  	const EVP_MD *digest_algo;
> @@ -331,36 +331,20 @@ int main(int argc, char **argv)
>  	X509 *x509;
>  	BIO *bd, *bm;
>  	int i, n;
> -	struct cmd_opts opts = {0};
>  
> -	OpenSSL_add_all_algorithms();
> -	ERR_load_crypto_strings();
> -	ERR_clear_error();
> -
> -	key_pass = getenv("KBUILD_SIGN_PIN");
> +	char *hash_algo = opts->hash_algo;
> +	char *dest_name = opts->dest_name;
> +	char *private_key_name = opts->private_key_name;
> +	char *raw_sig_name = opts->raw_sig_name;
> +	char *x509_name = opts->x509_name;
> +	char *module_name = opts->module_name;
> +	bool save_sig = opts->save_sig;
> +	bool replace_orig = opts->replace_orig;
> +	bool raw_sig = opts->raw_sig;
> +	bool sign_only = opts->sign_only;
>  
>  #ifndef USE_PKCS7
> -	use_signed_attrs = CMS_NOATTR;
> -#else
> -	use_signed_attrs = PKCS7_NOATTR;
> -#endif
> -	parse_args(argc, argv, &opts);
> -	argc -= optind;
> -	argv += optind;
> -
> -	char *hash_algo = opts.hash_algo;
> -	char *dest_name = opts.dest_name;
> -	char *private_key_name = opts.private_key_name;
> -	char *raw_sig_name = opts.raw_sig_name;
> -	char *x509_name = opts.x509_name;
> -	char *module_name = opts.module_name;
> -	bool save_sig = opts.save_sig;
> -	bool replace_orig = opts.replace_orig;
> -	bool raw_sig = opts.raw_sig;
> -	bool sign_only = opts.sign_only;
> -
> -#ifndef USE_PKCS7
> -	unsigned int use_keyid = opts.use_keyid;
> +	unsigned int use_keyid = opts->use_keyid;
>  #endif
>  
>  	if (!argv[0] || argc != 1)
> @@ -381,6 +365,19 @@ int main(int argc, char **argv)
>  		exit(3);
>  	}
>  #endif
> +
> +	OpenSSL_add_all_algorithms();
> +	ERR_load_crypto_strings();
> +	ERR_clear_error();
> +
> +	key_pass = getenv("KBUILD_SIGN_PIN");
> +
> +#ifndef USE_PKCS7
> +	use_signed_attrs = CMS_NOATTR;
> +#else
> +	use_signed_attrs = PKCS7_NOATTR;
> +#endif
> +
>  	/* Open the module file */
>  	bm = BIO_new_file(module_name, "rb");
>  	ERR(!bm, "%s", module_name);
> @@ -492,3 +489,15 @@ int main(int argc, char **argv)
>  
>  	return 0;
>  }
> +
> +int main(int argc, char **argv)
> +{
> +	struct cmd_opts opts = {0};
> +
> +	parse_args(argc, argv, &opts);
> +
> +	argc -= optind;
> +	argv += optind;
> +
> +	return sign_file(argc, argv, &opts);
> +}
> -- 
> 2.39.1
> 


Hi,

This is the friendly patch-bot of Greg Kroah-Hartman.  You have sent him
a patch that has triggered this response.  He used to manually respond
to these common problems, but in order to save his sanity (he kept
writing the same thing over and over, yet to different people), I was
created.  Hopefully you will not take offence and will fix the problem
in your patch and resubmit it so that it can be accepted into the Linux
kernel tree.

You are receiving this message because of the following common error(s)
as indicated below:

- This looks like a new version of a previously submitted patch, but you
  did not list below the --- line any changes from the previous version.
  Please read the section entitled "The canonical patch format" in the
  kernel file, Documentation/process/submitting-patches.rst for what
  needs to be done here to properly describe this.

If you wish to discuss this problem further, or you have questions about
how to resolve this issue, please feel free to respond to this email and
Greg will reply once he has dug out from the pending patches received
from other developers.

thanks,

greg k-h's patch email bot

Re: [PATCH v3 1/6] sign-file: refactor argument parsing logic

[Greg KH]

On Tue, Feb 14, 2023 at 12:30:29AM +0530, Shreenidhi Shedi wrote:
> - Use getopt_long_only for parsing input args
> - Use more easy to remember command line argument names
> 
> Signed-off-by: Shreenidhi Shedi <sshedi@vmware.com>

Your From: line does not match your signed-off-by, please use your
vmware.com address to send patches out so that it can be validated that
this really is coming from there and not some random fake gmail account.

thanks,

greg k-h

Re: [PATCH v3 4/6] sign-file: cosmetic fix

[Greg KH]

On Tue, Feb 14, 2023 at 12:30:32AM +0530, Shreenidhi Shedi wrote:
> In the previous patch for adding bulk modules support, this was not done
> because it will add a lot to review in one patch.

This changelog text means nothing, what would you do if you were reading
this and had to review it?

thanks,

greg k-h

Re: [PATCH v3 2/6] sign-file: move file signing logic to its own function

[kernel test robot]

Hi Shreenidhi,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on linus/master]
[also build test WARNING on v6.2-rc8 next-20230214]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Shreenidhi-Shedi/sign-file-move-file-signing-logic-to-its-own-function/20230214-030302
patch link:    https://lore.kernel.org/r/20230213190034.57097-2-sshedi%40vmware.com
patch subject: [PATCH v3 2/6] sign-file: move file signing logic to its own function
config: x86_64-randconfig-a003-20230213 (https://download.01.org/0day-ci/archive/20230214/202302141805.tULq9MiK-lkp@intel.com/config)
compiler: clang version 14.0.6 (https://github.com/llvm/llvm-project f28c006a5895fc0e329fe15fead81e37457cb1d1)
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/intel-lab-lkp/linux/commit/1dfab8ead8d3f9c0c04eeeaf7c436a2878f2158e
        git remote add linux-review https://github.com/intel-lab-lkp/linux
        git fetch --no-tags linux-review Shreenidhi-Shedi/sign-file-move-file-signing-logic-to-its-own-function/20230214-030302
        git checkout 1dfab8ead8d3f9c0c04eeeaf7c436a2878f2158e
        # save the config file
        mkdir build_dir && cp config build_dir/.config
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 O=build_dir ARCH=x86_64 olddefconfig
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 O=build_dir ARCH=x86_64 prepare

If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@intel.com>
| Link: https://lore.kernel.org/oe-kbuild-all/202302141805.tULq9MiK-lkp@intel.com/

All warnings (new ones prefixed by >>):

   scripts/sign-file.c:333:6: warning: unused variable 'i' [-Wunused-variable]
           int i, n;
               ^
>> scripts/sign-file.c:318:5: warning: no previous prototype for function 'sign_file' [-Wmissing-prototypes]
   int sign_file(int argc, char **argv, struct cmd_opts *opts)
       ^
   scripts/sign-file.c:318:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
   int sign_file(int argc, char **argv, struct cmd_opts *opts)
   ^
   static 
   2 warnings generated.
--
   scripts/sign-file.c:333:6: warning: unused variable 'i' [-Wunused-variable]
           int i, n;
               ^
>> scripts/sign-file.c:318:5: warning: no previous prototype for function 'sign_file' [-Wmissing-prototypes]
   int sign_file(int argc, char **argv, struct cmd_opts *opts)
       ^
   scripts/sign-file.c:318:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
   int sign_file(int argc, char **argv, struct cmd_opts *opts)
   ^
   static 
   2 warnings generated.


vim +/sign_file +318 scripts/sign-file.c

   317	
 > 318	int sign_file(int argc, char **argv, struct cmd_opts *opts)
   319	{
   320		struct module_signature sig_info = { .id_type = PKEY_ID_PKCS7 };
   321		unsigned char buf[4096] = {0};
   322		unsigned long module_size, sig_size;
   323		unsigned int use_signed_attrs;
   324		const EVP_MD *digest_algo;
   325		EVP_PKEY *private_key;
   326	#ifndef USE_PKCS7
   327		CMS_ContentInfo *cms = NULL;
   328	#else
   329		PKCS7 *pkcs7 = NULL;
   330	#endif
   331		X509 *x509;
   332		BIO *bd, *bm;
 > 333		int i, n;
   334	
   335		char *hash_algo = opts->hash_algo;
   336		char *dest_name = opts->dest_name;
   337		char *private_key_name = opts->private_key_name;
   338		char *raw_sig_name = opts->raw_sig_name;
   339		char *x509_name = opts->x509_name;
   340		char *module_name = opts->module_name;
   341		bool save_sig = opts->save_sig;
   342		bool replace_orig = opts->replace_orig;
   343		bool raw_sig = opts->raw_sig;
   344		bool sign_only = opts->sign_only;
   345	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests

Re: [PATCH v3 2/6] sign-file: move file signing logic to its own function

[kernel test robot]

Hi Shreenidhi,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on linus/master]
[also build test WARNING on v6.2-rc8 next-20230216]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Shreenidhi-Shedi/sign-file-move-file-signing-logic-to-its-own-function/20230214-030302
patch link:    https://lore.kernel.org/r/20230213190034.57097-2-sshedi%40vmware.com
patch subject: [PATCH v3 2/6] sign-file: move file signing logic to its own function
config: riscv-randconfig-r042-20230213 (https://download.01.org/0day-ci/archive/20230216/202302162229.XFMtVABh-lkp@intel.com/config)
compiler: riscv64-linux-gcc (GCC) 12.1.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/intel-lab-lkp/linux/commit/1dfab8ead8d3f9c0c04eeeaf7c436a2878f2158e
        git remote add linux-review https://github.com/intel-lab-lkp/linux
        git fetch --no-tags linux-review Shreenidhi-Shedi/sign-file-move-file-signing-logic-to-its-own-function/20230214-030302
        git checkout 1dfab8ead8d3f9c0c04eeeaf7c436a2878f2158e
        # save the config file
        mkdir build_dir && cp config build_dir/.config
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=riscv olddefconfig
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=riscv prepare

If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@intel.com>
| Link: https://lore.kernel.org/oe-kbuild-all/202302162229.XFMtVABh-lkp@intel.com/

All warnings (new ones prefixed by >>):

>> scripts/sign-file.c:318:5: warning: no previous prototype for 'sign_file' [-Wmissing-prototypes]
     318 | int sign_file(int argc, char **argv, struct cmd_opts *opts)
         |     ^~~~~~~~~
   scripts/sign-file.c: In function 'sign_file':
   scripts/sign-file.c:333:13: warning: unused variable 'i' [-Wunused-variable]
     333 |         int i, n;
         |             ^
--
>> scripts/sign-file.c:318:5: warning: no previous prototype for 'sign_file' [-Wmissing-prototypes]
     318 | int sign_file(int argc, char **argv, struct cmd_opts *opts)
         |     ^~~~~~~~~
   scripts/sign-file.c: In function 'sign_file':
   scripts/sign-file.c:333:13: warning: unused variable 'i' [-Wunused-variable]
     333 |         int i, n;
         |             ^


vim +/sign_file +318 scripts/sign-file.c

   317	
 > 318	int sign_file(int argc, char **argv, struct cmd_opts *opts)
   319	{
   320		struct module_signature sig_info = { .id_type = PKEY_ID_PKCS7 };
   321		unsigned char buf[4096] = {0};
   322		unsigned long module_size, sig_size;
   323		unsigned int use_signed_attrs;
   324		const EVP_MD *digest_algo;
   325		EVP_PKEY *private_key;
   326	#ifndef USE_PKCS7
   327		CMS_ContentInfo *cms = NULL;
   328	#else
   329		PKCS7 *pkcs7 = NULL;
   330	#endif
   331		X509 *x509;
   332		BIO *bd, *bm;
   333		int i, n;
   334	
   335		char *hash_algo = opts->hash_algo;
   336		char *dest_name = opts->dest_name;
   337		char *private_key_name = opts->private_key_name;
   338		char *raw_sig_name = opts->raw_sig_name;
   339		char *x509_name = opts->x509_name;
   340		char *module_name = opts->module_name;
   341		bool save_sig = opts->save_sig;
   342		bool replace_orig = opts->replace_orig;
   343		bool raw_sig = opts->raw_sig;
   344		bool sign_only = opts->sign_only;
   345	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests