From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752467AbbESBi7 (ORCPT ); Mon, 18 May 2015 21:38:59 -0400 Received: from e23smtp01.au.ibm.com ([202.81.31.143]:48100 "EHLO e23smtp01.au.ibm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751076AbbESBiy (ORCPT ); Mon, 18 May 2015 21:38:54 -0400 Message-ID: <1431999474.4510.17.camel@linux.vnet.ibm.com> Subject: Re: [PATCH 3/4] modsign: Allow password to be specified for signing key From: Mimi Zohar To: David Woodhouse Cc: dhowells@redhat.com, rusty@rustcorp.com.au, mmarek@suse.cz, mjg59@srcf.ucam.org, keyrings@linux-nfs.org, dmitry.kasatkin@gmail.com, mcgrof@suse.com, linux-kernel@vger.kernel.org, seth.forshee@canonical.com, linux-security-module@vger.kernel.org Date: Mon, 18 May 2015 21:37:54 -0400 In-Reply-To: <1431708823.4727.11.camel@infradead.org> References: <20150515123513.16723.96340.stgit@warthog.procyon.org.uk> <1431708823.4727.11.camel@infradead.org> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.12.10 (3.12.10-1.fc21) Mime-Version: 1.0 Content-Transfer-Encoding: 7bit X-TM-AS-MML: disable X-Content-Scanned: Fidelis XPS MAILER x-cbid: 15051901-1618-0000-0000-0000021C67D4 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, 2015-05-15 at 17:53 +0100, David Woodhouse wrote: > Signed-off-by: David Woodhouse > --- > Documentation/module-signing.txt | 2 ++ > Makefile | 1 + > init/Kconfig | 6 ++++++ > scripts/sign-file.c | 39 ++++++++++++++++++++++++++++++++++++++- > 4 files changed, 47 insertions(+), 1 deletion(-) > > diff --git a/Documentation/module-signing.txt b/Documentation/module-signing.txt > index c72702e..b0ed080 100644 > --- a/Documentation/module-signing.txt > +++ b/Documentation/module-signing.txt 
> @@ -194,6 +194,8 @@ The hash algorithm used does not have to match the one configured, but if it > doesn't, you should make sure that hash algorithm is either built into the > kernel or can be loaded without requiring itself. > > +If the private key requires a passphrase or PIN, it can be provided in the > +$CONFIG_MODULE_SIG_KEY_PASSWORD environment variable. This works, but probably is not a good idea. For one, if IKCONFIG is enabled, the pin is readily visible via /proc/config.gz. Mimi > ============================ > SIGNED MODULES AND STRIPPING > diff --git a/Makefile b/Makefile > index 9590e67..70c066c 100644 > --- a/Makefile > +++ b/Makefile > @@ -875,6 +875,7 @@ ifdef CONFIG_MODULE_SIG_ALL > MODSECKEY = $(CONFIG_MODULE_SIG_KEY) > MODPUBKEY = ./signing_key.x509 > export MODPUBKEY > +export CONFIG_MODULE_SIG_KEY_PASSWORD > mod_sign_cmd = scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(MODSECKEY) $(MODPUBKEY) > else > mod_sign_cmd = true > diff --git a/init/Kconfig b/init/Kconfig > index 1ca075a..7bbc857 100644 > --- a/init/Kconfig > +++ b/init/Kconfig > @@ -1967,6 +1967,12 @@ config MODULE_SIG_KEY > Provide the file name of a private key in PEM format, or a PKCS#11 > URI according to RFC7512 to specify the key. > > +config MODULE_SIG_KEY_PASSWORD > + string "Passphrase or PIN for module signing key if needed" if MODULE_SIG_EXTERNAL_KEY > + help > + If a passphrase or PIN is required for the private key, provide > + it here. > + > config MODULE_COMPRESS > bool "Compress modules on installation" > depends on MODULES > diff --git a/scripts/sign-file.c b/scripts/sign-file.c > index 39aaabe..9a54acc 100755 > --- a/scripts/sign-file.c > +++ b/scripts/sign-file.c 
> @@ -80,9 +80,32 @@ static void drain_openssl_errors(void) > } \ > } while(0) > > +static char *key_pass; > + > +static int pem_pw_cb(char *buf, int len, int w, void *v) > +{ > + int pwlen; > + > + if (!key_pass) > + return -1; > + > + pwlen = strlen(key_pass); > + if (pwlen >= len) > + return -1; > + > + strcpy(buf, key_pass); > + > + /* If it's wrong, don't keep trying it. */ > + free(key_pass); > + key_pass = NULL; > + > + return pwlen; > +} > + > int main(int argc, char **argv) > { > struct module_signature sig_info = { .id_type = PKEY_ID_PKCS7 }; > + const char *pass_env; > char *hash_algo = NULL; > char *private_key_name, *x509_name, *module_name, *dest_name; > bool save_pkcs7 = false, replace_orig; > @@ -96,6 +119,7 @@ int main(int argc, char **argv) > BIO *b, *bd = NULL, *bm; > int opt, n; > > + OpenSSL_add_all_algorithms(); > ERR_load_crypto_strings(); > ERR_clear_error(); > > @@ -127,12 +151,25 @@ int main(int argc, char **argv) > replace_orig = true; > } > > + pass_env = getenv("CONFIG_MODULE_SIG_KEY_PASSWORD"); > + if (pass_env) { > + int pwlen = strlen(pass_env); > + > + if (pass_env[0] == '\"' && pass_env[pwlen - 1] == '\"') { > + pass_env++; > + pwlen -= 2; > + } > + if (pwlen) > + key_pass = strndup(pass_env, pwlen); > + } > + > /* Read the private key and the X.509 cert the PKCS#7 message > * will point to. > */ > b = BIO_new_file(private_key_name, "rb"); > ERR(!b, "%s", private_key_name); > - private_key = PEM_read_bio_PrivateKey(b, NULL, NULL, NULL); > + private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb, NULL); > + ERR(!private_key, "%s", private_key_name); > BIO_free(b); > > b = BIO_new_file(x509_name, "rb"); > -- > 2.4.0 >
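Review bot: the new paragraph in Documentation/module-signing.txt calls CONFIG_MODULE_SIG_KEY_PASSWORD an "environment variable", but the Kconfig hunk in the same patch makes it a config symbol, so the normal place it lands is .config in clear text; the text should say which of the two is meant and warn that a value saved in .config is readable from /proc/config.gz on any kernel built with CONFIG_IKCONFIG, as the reply above points out.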
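Review bot: `export CONFIG_MODULE_SIG_KEY_PASSWORD` in the Makefile hunk puts the secret into the environment of every recipe run under CONFIG_MODULE_SIG_ALL, not only of scripts/sign-file, so every compiler, host program and helper script spawned during the build inherits it and it is visible in /proc/<pid>/environ to any process running as the build user; consider scoping the export to the signing step rather than the whole build.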
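Review bot: the help text for MODULE_SIG_KEY_PASSWORD in init/Kconfig should state that the value is stored unencrypted in .config and exposed through /proc/config.gz when IKCONFIG is enabled, so that a user who types a PIN into menuconfig understands where it ends up; without that note the prompt reads as if the passphrase were handled like any other build option.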
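Review bot: in pem_pw_cb (first scripts/sign-file.c hunk) key_pass is free()d without being cleared, so the cleartext passphrase stays in released heap memory; an OPENSSL_cleanse(key_pass, pwlen) (or memset) before the free would close that. Minor style point: the unused parameters `w` and `v` are the rwflag and userdata arguments of the OpenSSL callback and could be named as such, and the userdata pointer would remove the need for a file-scope static.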
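Review bot: the added `OpenSSL_add_all_algorithms();` in the second scripts/sign-file.c hunk is unexplained, and the commit message is empty; a one-line comment that it registers the ciphers needed to decrypt an encrypted PEM key (the cipher named in the PEM DEK-Info header is looked up by name and is not found otherwise) would tell the next reader why the call belongs there.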
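Review bot: the quote-stripping check in the third scripts/sign-file.c hunk, `if (pass_env[0] == '\"' && pass_env[pwlen - 1] == '\"')`, tests the same byte twice when the value is the single character `"`; pwlen then becomes -1, `if (pwlen)` is true and strndup() is called with a length of (size_t)-1, giving an empty key_pass instead of none. Requiring `pwlen >= 2` before looking at the closing quote fixes that. Also, key_pass is only released inside pem_pw_cb, so for an unencrypted key the copy is never freed or cleansed; the added `ERR(!private_key, ...)` check is a welcome fix for the previously silent failure.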