From: David Woodhouse <David.Woodhouse@intel.com>
To: dhowells@redhat.com
Cc: rusty@rustcorp.com.au, mmarek@suse.cz, mjg59@srcf.ucam.org,
keyrings@linux-nfs.org, dmitry.kasatkin@gmail.com,
mcgrof@suse.com, linux-kernel@vger.kernel.org,
dhowells@redhat.com, seth.forshee@canonical.com,
linux-security-module@vger.kernel.org
Subject: [PATCH 2/4] modsign: Allow external signing key to be specified
Date: Fri, 15 May 2015 17:53:24 +0100 [thread overview]
Message-ID: <1431708804.4727.10.camel@infradead.org> (raw)
In-Reply-To: <20150515123513.16723.96340.stgit@warthog.procyon.org.uk>
[-- Attachment #1: Type: text/plain, Size: 2620 bytes --]
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
---
Makefile | 2 +-
init/Kconfig | 13 +++++++++++++
kernel/Makefile | 6 ++++++
3 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index ad27fc9..9590e67 100644
--- a/Makefile
+++ b/Makefile
@@ -872,7 +872,7 @@ INITRD_COMPRESS-$(CONFIG_RD_LZ4) := lz4
# export INITRD_COMPRESS := $(INITRD_COMPRESS-y)
ifdef CONFIG_MODULE_SIG_ALL
-MODSECKEY = ./signing_key.priv
+MODSECKEY = $(CONFIG_MODULE_SIG_KEY)
MODPUBKEY = ./signing_key.x509
export MODPUBKEY
mod_sign_cmd = scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(MODSECKEY) $(MODPUBKEY)
diff --git a/init/Kconfig b/init/Kconfig
index c05afd6..1ca075a 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1954,6 +1954,19 @@ config MODULE_SIG_HASH
default "sha384" if MODULE_SIG_SHA384
default "sha512" if MODULE_SIG_SHA512
+config MODULE_SIG_EXTERNAL_KEY
+ bool "Use external key for module signing"
+ depends on MODULE_SIG_ALL
+ help
+ Use an external private key for module signing.
+
+config MODULE_SIG_KEY
+ string "File name or PKCS#11 URI of module signing key" if MODULE_SIG_EXTERNAL_KEY
+ default "signing_key.priv"
+ help
+ Provide the file name of a private key in PEM format, or a PKCS#11
+ URI according to RFC7512 to specify the key.
+
config MODULE_COMPRESS
bool "Compress modules on installation"
depends on MODULES
diff --git a/kernel/Makefile b/kernel/Makefile
index 60c302c..b1a718c 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -170,6 +170,11 @@ ifndef CONFIG_MODULE_SIG_HASH
$(error Could not determine digest type to use from kernel config)
endif
+# 'make randconfig' might enable CONFIG_MODULE_SIG_EXTERNAL_KEY but will
+# leave any strings at their default settings. We want to let the automatic
+# key generation work in that case, which is why we check the string here
+# instead of just using 'ifndef CONFIG_MODULE_SIG_EXTERNAL_KEY'.
+ifeq ($(CONFIG_MODULE_SIG_KEY),"signing_key.priv")
signing_key.priv signing_key.x509: x509.genkey
@echo "###"
@echo "### Now generating an X.509 key pair to be used for signing modules."
@@ -207,3 +212,4 @@ x509.genkey:
@echo >>x509.genkey "subjectKeyIdentifier=hash"
@echo >>x509.genkey "authorityKeyIdentifier=keyid"
endif
+endif
--
2.4.0
--
David Woodhouse Open Source Technology Centre
David.Woodhouse@intel.com Intel Corporation
[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 5691 bytes --]
next prev parent reply other threads:[~2015-05-15 16:53 UTC|newest]
Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-15 12:35 [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4] David Howells
2015-05-15 12:35 ` [PATCH 1/8] X.509: Extract both parts of the AuthorityKeyIdentifier " David Howells
2015-05-15 12:35 ` [PATCH 2/8] X.509: Support X.509 lookup by Issuer+Serial form " David Howells
2015-05-15 12:35 ` [PATCH 3/8] PKCS#7: Allow detached data to be supplied for signature checking purposes " David Howells
2015-05-15 12:35 ` [PATCH 4/8] MODSIGN: Provide a utility to append a PKCS#7 signature to a module " David Howells
2015-05-20 0:50 ` Andy Lutomirski
2015-05-20 13:14 ` David Howells
2015-05-20 16:00 ` Andy Lutomirski
2015-05-15 12:36 ` [PATCH 5/8] MODSIGN: Use PKCS#7 messages as module signatures " David Howells
2015-05-15 12:36 ` [PATCH 6/8] sign-file: Add option to only create signature file " David Howells
2015-05-15 12:36 ` [PATCH 7/8] system_keyring.c doesn't need to #include module-internal.h " David Howells
2015-05-15 12:36 ` [PATCH 8/8] MODSIGN: Extract the blob PKCS#7 signature verifier from module signing " David Howells
2015-05-15 13:46 ` [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures " David Woodhouse
2015-05-15 16:52 ` [PATCH 1/4] modsign: Abort modules_install when signing fails David Woodhouse
2015-05-19 1:29 ` Mimi Zohar
2015-05-19 6:40 ` Woodhouse, David
2015-05-19 11:45 ` Mimi Zohar
2015-05-19 12:57 ` Woodhouse, David
2015-05-19 13:54 ` Mimi Zohar
2015-05-15 16:53 ` David Woodhouse [this message]
2015-05-15 16:53 ` [PATCH 3/4] modsign: Allow password to be specified for signing key David Woodhouse
2015-05-19 1:37 ` Mimi Zohar
2015-05-15 16:54 ` [PATCH 4/4] modsign: Allow signing key to be PKCS#11 David Woodhouse
2015-05-15 19:07 ` sign-file and detached PKCS#7 firmware signatures David Howells
2015-05-18 23:13 ` Luis R. Rodriguez
2015-05-19 9:25 ` David Howells
2015-05-19 16:19 ` Luis R. Rodriguez
2015-05-19 16:48 ` David Howells
2015-05-19 18:21 ` Luis R. Rodriguez
2015-05-19 18:35 ` Luis R. Rodriguez
2015-05-19 18:47 ` David Howells
2015-05-19 20:12 ` Luis R. Rodriguez
2015-05-19 20:29 ` David Howells
2015-05-15 22:51 ` [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4] Rusty Russell
2015-05-18 12:43 ` [PATCH 4/4] modsign: Allow signing key to be PKCS#11 David Howells
2015-05-19 14:45 ` [PATCH 9/8] modsign: Abort modules_install when signing fails David Woodhouse
2015-05-19 14:45 ` [PATCH 10/8] modsign: Allow password to be specified for signing key David Woodhouse
2015-05-19 15:50 ` Petko Manolov
2015-05-19 16:15 ` David Woodhouse
2015-05-19 16:34 ` Petko Manolov
2015-05-19 18:39 ` Mimi Zohar
2015-05-19 18:48 ` David Howells
2015-05-19 19:14 ` Mimi Zohar
2015-05-19 20:04 ` David Woodhouse
2015-05-19 14:46 ` [PATCH 11/8] modsign: Allow signing key to be PKCS#11 David Woodhouse
2015-05-19 14:46 ` [PATCH 12/8] modsign: Allow external signing key to be specified David Woodhouse
2015-05-19 14:47 ` [PATCH 13/8] modsign: Extract signing cert from CONFIG_MODULE_SIG_KEY if needed David Woodhouse
2015-05-19 15:36 ` [PATCH 10/8] modsign: Allow password to be specified for signing key David Howells
2015-05-20 0:36 ` [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4] Andy Lutomirski
2015-05-20 13:36 ` David Howells
2015-05-20 15:56 ` Andy Lutomirski
2015-05-20 16:21 ` Petko Manolov
2015-05-20 16:41 ` Andy Lutomirski
2015-05-20 16:55 ` Petko Manolov
2015-05-21 21:38 ` Luis R. Rodriguez
2015-05-21 21:44 ` Andy Lutomirski
2015-05-21 21:59 ` Luis R. Rodriguez
2015-05-21 22:06 ` Andy Lutomirski
2015-05-21 22:16 ` Luis R. Rodriguez
2015-05-21 22:24 ` Andy Lutomirski
2015-05-21 22:31 ` Luis R. Rodriguez
2015-05-21 22:47 ` Andy Lutomirski
2015-05-21 23:01 ` Luis R. Rodriguez
2015-05-21 23:09 ` Andy Lutomirski
2015-05-22 7:56 ` David Howells
2015-05-22 12:42 ` Mimi Zohar
2015-05-22 7:49 ` David Howells
2015-05-22 7:48 ` David Howells
2015-05-22 12:28 ` Mimi Zohar
2015-05-24 10:52 ` Petko Manolov
2015-05-21 13:59 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1431708804.4727.10.camel@infradead.org \
--to=david.woodhouse@intel.com \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=keyrings@linux-nfs.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mcgrof@suse.com \
--cc=mjg59@srcf.ucam.org \
--cc=mmarek@suse.cz \
--cc=rusty@rustcorp.com.au \
--cc=seth.forshee@canonical.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).