From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: David Woodhouse <dwmw2@infradead.org>
Cc: dhowells@redhat.com, rusty@rustcorp.com.au, mmarek@suse.cz,
mjg59@srcf.ucam.org, keyrings@linux-nfs.org,
dmitry.kasatkin@gmail.com, mcgrof@suse.com,
linux-kernel@vger.kernel.org, seth.forshee@canonical.com,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH 10/8] modsign: Allow password to be specified for signing key
Date: Tue, 19 May 2015 14:39:09 -0400 [thread overview]
Message-ID: <1432060749.4510.155.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <1432046758.3277.36.camel@infradead.org>
On Tue, 2015-05-19 at 15:45 +0100, David Woodhouse wrote:
> We don't want this in the Kconfig since it might then get exposed in
> /proc/config.gz. So make it a parameter to Kbuild instead. This also
> means we don't have to jump through hoops to strip quotes from it, as
> we would if it was a config option.
Definitely better. (FYI, Dmitry's modsig patches from 2012 used the
keyring for safely storing a password. )
Mimi
> Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
> ---
> Documentation/kbuild/kbuild.txt | 5 +++++
> Documentation/module-signing.txt | 3 +++
> scripts/sign-file.c | 27 ++++++++++++++++++++++++++-
> 3 files changed, 34 insertions(+), 1 deletion(-)
>
> diff --git a/Documentation/kbuild/kbuild.txt b/Documentation/kbuild/kbuild.txt
> index 6466704..0ff6a46 100644
> --- a/Documentation/kbuild/kbuild.txt
> +++ b/Documentation/kbuild/kbuild.txt
> @@ -174,6 +174,11 @@ The output directory is often set using "O=..." on the commandline.
>
> The value can be overridden in which case the default value is ignored.
>
> +KBUILD_SIGN_PIN
> +--------------------------------------------------
> +This variable allows a passphrase or PIN to be passed to the sign-file
> +utility when signing kernel modules, if the private key requires such.
> +
> KBUILD_MODPOST_WARN
> --------------------------------------------------
> KBUILD_MODPOST_WARN can be set to avoid errors in case of undefined
> diff --git a/Documentation/module-signing.txt b/Documentation/module-signing.txt
> index c72702e..faaa6ea 100644
> --- a/Documentation/module-signing.txt
> +++ b/Documentation/module-signing.txt
> @@ -194,6 +194,9 @@ The hash algorithm used does not have to match the one configured, but if it
> doesn't, you should make sure that hash algorithm is either built into the
> kernel or can be loaded without requiring itself.
>
> +If the private key requires a passphrase or PIN, it can be provided in the
> +$KBUILD_SIGN_PIN environment variable.
> +
>
> ============================
> SIGNED MODULES AND STRIPPING
> diff --git a/scripts/sign-file.c b/scripts/sign-file.c
> index 39aaabe..720b9bc 100755
> --- a/scripts/sign-file.c
> +++ b/scripts/sign-file.c
> @@ -80,6 +80,27 @@ static void drain_openssl_errors(void)
> } \
> } while(0)
>
> +static const char *key_pass;
> +
> +static int pem_pw_cb(char *buf, int len, int w, void *v)
> +{
> + int pwlen;
> +
> + if (!key_pass)
> + return -1;
> +
> + pwlen = strlen(key_pass);
> + if (pwlen >= len)
> + return -1;
> +
> + strcpy(buf, key_pass);
> +
> + /* If it's wrong, don't keep trying it. */
> + key_pass = NULL;
> +
> + return pwlen;
> +}
> +
> int main(int argc, char **argv)
> {
> struct module_signature sig_info = { .id_type = PKEY_ID_PKCS7 };
> @@ -96,9 +117,12 @@ int main(int argc, char **argv)
> BIO *b, *bd = NULL, *bm;
> int opt, n;
>
> + OpenSSL_add_all_algorithms();
> ERR_load_crypto_strings();
> ERR_clear_error();
>
> + key_pass = getenv("KBUILD_SIGN_PIN");
> +
> do {
> opt = getopt(argc, argv, "dp");
> switch (opt) {
> @@ -132,7 +156,8 @@ int main(int argc, char **argv)
> */
> b = BIO_new_file(private_key_name, "rb");
> ERR(!b, "%s", private_key_name);
> - private_key = PEM_read_bio_PrivateKey(b, NULL, NULL, NULL);
> + private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb, NULL);
> + ERR(!private_key, "%s", private_key_name);
> BIO_free(b);
>
> b = BIO_new_file(x509_name, "rb");
> --
> 2.4.0
>
>
next prev parent reply other threads:[~2015-05-19 18:40 UTC|newest]
Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-15 12:35 [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4] David Howells
2015-05-15 12:35 ` [PATCH 1/8] X.509: Extract both parts of the AuthorityKeyIdentifier " David Howells
2015-05-15 12:35 ` [PATCH 2/8] X.509: Support X.509 lookup by Issuer+Serial form " David Howells
2015-05-15 12:35 ` [PATCH 3/8] PKCS#7: Allow detached data to be supplied for signature checking purposes " David Howells
2015-05-15 12:35 ` [PATCH 4/8] MODSIGN: Provide a utility to append a PKCS#7 signature to a module " David Howells
2015-05-20 0:50 ` Andy Lutomirski
2015-05-20 13:14 ` David Howells
2015-05-20 16:00 ` Andy Lutomirski
2015-05-15 12:36 ` [PATCH 5/8] MODSIGN: Use PKCS#7 messages as module signatures " David Howells
2015-05-15 12:36 ` [PATCH 6/8] sign-file: Add option to only create signature file " David Howells
2015-05-15 12:36 ` [PATCH 7/8] system_keyring.c doesn't need to #include module-internal.h " David Howells
2015-05-15 12:36 ` [PATCH 8/8] MODSIGN: Extract the blob PKCS#7 signature verifier from module signing " David Howells
2015-05-15 13:46 ` [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures " David Woodhouse
2015-05-15 16:52 ` [PATCH 1/4] modsign: Abort modules_install when signing fails David Woodhouse
2015-05-19 1:29 ` Mimi Zohar
2015-05-19 6:40 ` Woodhouse, David
2015-05-19 11:45 ` Mimi Zohar
2015-05-19 12:57 ` Woodhouse, David
2015-05-19 13:54 ` Mimi Zohar
2015-05-15 16:53 ` [PATCH 2/4] modsign: Allow external signing key to be specified David Woodhouse
2015-05-15 16:53 ` [PATCH 3/4] modsign: Allow password to be specified for signing key David Woodhouse
2015-05-19 1:37 ` Mimi Zohar
2015-05-15 16:54 ` [PATCH 4/4] modsign: Allow signing key to be PKCS#11 David Woodhouse
2015-05-15 19:07 ` sign-file and detached PKCS#7 firmware signatures David Howells
2015-05-18 23:13 ` Luis R. Rodriguez
2015-05-19 9:25 ` David Howells
2015-05-19 16:19 ` Luis R. Rodriguez
2015-05-19 16:48 ` David Howells
2015-05-19 18:21 ` Luis R. Rodriguez
2015-05-19 18:35 ` Luis R. Rodriguez
2015-05-19 18:47 ` David Howells
2015-05-19 20:12 ` Luis R. Rodriguez
2015-05-19 20:29 ` David Howells
2015-05-15 22:51 ` [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4] Rusty Russell
2015-05-18 12:43 ` [PATCH 4/4] modsign: Allow signing key to be PKCS#11 David Howells
2015-05-19 14:45 ` [PATCH 9/8] modsign: Abort modules_install when signing fails David Woodhouse
2015-05-19 14:45 ` [PATCH 10/8] modsign: Allow password to be specified for signing key David Woodhouse
2015-05-19 15:50 ` Petko Manolov
2015-05-19 16:15 ` David Woodhouse
2015-05-19 16:34 ` Petko Manolov
2015-05-19 18:39 ` Mimi Zohar [this message]
2015-05-19 18:48 ` David Howells
2015-05-19 19:14 ` Mimi Zohar
2015-05-19 20:04 ` David Woodhouse
2015-05-19 14:46 ` [PATCH 11/8] modsign: Allow signing key to be PKCS#11 David Woodhouse
2015-05-19 14:46 ` [PATCH 12/8] modsign: Allow external signing key to be specified David Woodhouse
2015-05-19 14:47 ` [PATCH 13/8] modsign: Extract signing cert from CONFIG_MODULE_SIG_KEY if needed David Woodhouse
2015-05-19 15:36 ` [PATCH 10/8] modsign: Allow password to be specified for signing key David Howells
2015-05-20 0:36 ` [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4] Andy Lutomirski
2015-05-20 13:36 ` David Howells
2015-05-20 15:56 ` Andy Lutomirski
2015-05-20 16:21 ` Petko Manolov
2015-05-20 16:41 ` Andy Lutomirski
2015-05-20 16:55 ` Petko Manolov
2015-05-21 21:38 ` Luis R. Rodriguez
2015-05-21 21:44 ` Andy Lutomirski
2015-05-21 21:59 ` Luis R. Rodriguez
2015-05-21 22:06 ` Andy Lutomirski
2015-05-21 22:16 ` Luis R. Rodriguez
2015-05-21 22:24 ` Andy Lutomirski
2015-05-21 22:31 ` Luis R. Rodriguez
2015-05-21 22:47 ` Andy Lutomirski
2015-05-21 23:01 ` Luis R. Rodriguez
2015-05-21 23:09 ` Andy Lutomirski
2015-05-22 7:56 ` David Howells
2015-05-22 12:42 ` Mimi Zohar
2015-05-22 7:49 ` David Howells
2015-05-22 7:48 ` David Howells
2015-05-22 12:28 ` Mimi Zohar
2015-05-24 10:52 ` Petko Manolov
2015-05-21 13:59 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1432060749.4510.155.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=dwmw2@infradead.org \
--cc=keyrings@linux-nfs.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mcgrof@suse.com \
--cc=mjg59@srcf.ucam.org \
--cc=mmarek@suse.cz \
--cc=rusty@rustcorp.com.au \
--cc=seth.forshee@canonical.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).