* [PATCH 1/3] X.509: Fix certificate gathering again [not found] <18832.1432044859.1@warthog.procyon.org.uk> @ 2015-05-20 1:08 ` Michal Marek 2015-05-20 1:08 ` [PATCH 2/3] MODSIGN: Use filechk to generate .x509.list Michal Marek 2015-05-20 1:08 ` [PATCH 3/3] MODSIGN: Split user-supplied and autogenerated signing key Michal Marek 2015-05-26 16:15 ` [PATCH 1/3] X.509: Fix certificate gathering again David Howells 1 sibling, 2 replies; 10+ messages in thread From: Michal Marek @ 2015-05-20 1:08 UTC (permalink / raw) To: dhowells Cc: torvalds, aricart, linux-kernel, sedat.dilek, keyrings, rusty, linux-security-module, james.l.morris, dwmw2 Commit d7ec435f (X.509: Fix certificate gathering) fixed the issue of changing .x509.list, but in the CONFIG_MODULE_SIG=y case, it assumed that $(objtree) was an absolute path. Commit 7e1c0477 (kbuild: Use relative path for $(objtree)) broke this assumption and we get uncecessary rebuilds again, due to ./signing_key.x509 changing to signing_key.x509. Instead of prepending the absolute path and stripping it again, just check if $(srctree) and $(objtree) are different directories and add $(srctree)/*.x509 only in such case. However, such fix causes a different issue, namely that a potential $(srctree)/signing_key.x509 appears before the to-be-generated signing_key.x509 in the sorted list, and make remembers this file for the purpose of VPATH search. It worked previously, because ./signing_key.x509 sorts before any absolute path. Solve this by sorting the $(objtree) and $(srctree) files separately, to ensure that signing_key.x509 appears before anything from $(srctree). Signed-off-by: Michal Marek <mmarek@suse.cz> --- kernel/Makefile | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/kernel/Makefile b/kernel/Makefile index 60c302c..dc78819 100644 --- a/kernel/Makefile +++ b/kernel/Makefile @@ -119,17 +119,18 @@ $(obj)/config_data.h: $(obj)/config_data.gz FORCE # boot. # # We look in the source root and the build root for all files whose name ends -# in ".x509". Unfortunately, this will generate duplicate filenames, so we -# have make canonicalise the pathnames and then sort them to discard the -# duplicates. +# in ".x509". We put the $(objtree) certificates before those from $(srctree), +# so that a potential signing_key.x509 file from $(srctree) does not take +# precedence. # ############################################################################### ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y) -X509_CERTIFICATES-y := $(wildcard *.x509) $(wildcard $(srctree)/*.x509) -X509_CERTIFICATES-$(CONFIG_MODULE_SIG) += $(objtree)/signing_key.x509 -X509_CERTIFICATES-raw := $(sort $(foreach CERT,$(X509_CERTIFICATES-y), \ - $(or $(realpath $(CERT)),$(CERT)))) -X509_CERTIFICATES := $(subst $(realpath $(objtree))/,,$(X509_CERTIFICATES-raw)) +X509_CERTIFICATES-y := $(wildcard *.x509) +X509_CERTIFICATES-$(CONFIG_MODULE_SIG) += signing_key.x509 +X509_CERTIFICATES := $(sort $(X509_CERTIFICATES-y)) +ifneq ($(objtree),$(srctree)) +X509_CERTIFICATES += $(sort $(wildcard $(srctree)/*.x509)) +endif ifeq ($(X509_CERTIFICATES),) $(warning *** No X.509 certificates found ***) -- 2.1.4 ^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH 2/3] MODSIGN: Use filechk to generate .x509.list 2015-05-20 1:08 ` [PATCH 1/3] X.509: Fix certificate gathering again Michal Marek @ 2015-05-20 1:08 ` Michal Marek 2015-05-20 1:08 ` [PATCH 3/3] MODSIGN: Split user-supplied and autogenerated signing key Michal Marek 1 sibling, 0 replies; 10+ messages in thread From: Michal Marek @ 2015-05-20 1:08 UTC (permalink / raw) To: dhowells Cc: torvalds, aricart, linux-kernel, sedat.dilek, keyrings, rusty, linux-security-module, james.l.morris, dwmw2 From: Linus Torvalds <torvalds@linux-foundation.org> Use the filechk Kbuild function instead of manually comparing the content of the generated file. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> --- kernel/Makefile | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/kernel/Makefile b/kernel/Makefile index dc78819..3177160 100644 --- a/kernel/Makefile +++ b/kernel/Makefile @@ -136,13 +136,6 @@ ifeq ($(X509_CERTIFICATES),) $(warning *** No X.509 certificates found ***) endif -ifneq ($(wildcard $(obj)/.x509.list),) -ifneq ($(shell cat $(obj)/.x509.list),$(X509_CERTIFICATES)) -$(info X.509 certificate list changed) -$(shell rm $(obj)/.x509.list) -endif -endif - kernel/system_certificates.o: $(obj)/x509_certificate_list quiet_cmd_x509certs = CERTS $@ @@ -152,9 +145,12 @@ targets += $(obj)/x509_certificate_list $(obj)/x509_certificate_list: $(X509_CERTIFICATES) $(obj)/.x509.list $(call if_changed,x509certs) +define filechk_x509_list + echo $(X509_CERTIFICATES) +endef targets += $(obj)/.x509.list -$(obj)/.x509.list: - @echo $(X509_CERTIFICATES) >$@ +$(obj)/.x509.list: Makefile FORCE + $(call filechk,x509_list) endif clean-files := x509_certificate_list .x509.list -- 2.1.4 ^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH 3/3] MODSIGN: Split user-supplied and autogenerated signing key 2015-05-20 1:08 ` [PATCH 1/3] X.509: Fix certificate gathering again Michal Marek 2015-05-20 1:08 ` [PATCH 2/3] MODSIGN: Use filechk to generate .x509.list Michal Marek @ 2015-05-20 1:08 ` Michal Marek 1 sibling, 0 replies; 10+ messages in thread From: Michal Marek @ 2015-05-20 1:08 UTC (permalink / raw) To: dhowells Cc: torvalds, aricart, linux-kernel, sedat.dilek, keyrings, rusty, linux-security-module, james.l.morris, dwmw2 Allow the users to place signing_key.{x509,priv} and x509.genkey in the source tree. If any of these files is missing, generate the file in the build tree with an .auto suffix. This avoids problems with overwriting user-supplied files. Signed-off-by: Michal Marek <mmarek@suse.cz> --- .gitignore | 2 ++ Documentation/module-signing.txt | 10 ++++++--- Makefile | 5 +++-- kernel/Makefile | 46 ++++++++++++++++++++-------------------- 4 files changed, 35 insertions(+), 28 deletions(-) diff --git a/.gitignore b/.gitignore index 4ad4a98..92b9bc8 100644 --- a/.gitignore +++ b/.gitignore @@ -100,6 +100,8 @@ extra_certificates signing_key.priv signing_key.x509 x509.genkey +signing_key.*.auto +x509.genkey.auto # Kconfig presets all.config diff --git a/Documentation/module-signing.txt b/Documentation/module-signing.txt index c72702e..74121fb 100644 --- a/Documentation/module-signing.txt +++ b/Documentation/module-signing.txt @@ -100,18 +100,22 @@ it can be deleted or stored securely. The public key gets built into the kernel so that it can be used to check the signatures as the modules are loaded. -Under normal conditions, the kernel build will automatically generate a new -keypair using openssl if one does not exist in the files: +The kernel expects the keypair to be stored in the files: signing_key.priv signing_key.x509 +If the keypair is not supplied, the kernel will generate it as: + + signing_key.priv.auto + signing_key.x509.auto + during the building of vmlinux (the public part of the key needs to be built into vmlinux) using parameters in the: x509.genkey -file (which is also generated if it does not already exist). +file (which, if not supplied, is also generated as x509.genkey.auto). It is strongly recommended that you provide your own x509.genkey file. diff --git a/Makefile b/Makefile index 2da553f..f46e76a 100644 --- a/Makefile +++ b/Makefile @@ -872,8 +872,8 @@ INITRD_COMPRESS-$(CONFIG_RD_LZ4) := lz4 # export INITRD_COMPRESS := $(INITRD_COMPRESS-y) ifdef CONFIG_MODULE_SIG_ALL -MODSECKEY = ./signing_key.priv -MODPUBKEY = ./signing_key.x509 +MODSECKEY = $(firstword $(wildcard $(srctree)/signing_key.priv) ./signing_key.priv.auto) +MODPUBKEY = $(firstword $(wildcard $(srctree)/signing_key.x509) ./signing_key.x509.auto) export MODPUBKEY mod_sign_cmd = perl $(srctree)/scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(MODSECKEY) $(MODPUBKEY) else @@ -1176,6 +1176,7 @@ MRPROPER_DIRS += include/config usr/include include/generated \ MRPROPER_FILES += .config .config.old .version .old_version \ Module.symvers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS \ signing_key.priv signing_key.x509 x509.genkey \ + signing_key.*.auto x509.genkey.auto \ extra_certificates signing_key.x509.keyid \ signing_key.x509.signer vmlinux-gdb.py diff --git a/kernel/Makefile b/kernel/Makefile index 3177160..58e6ca7 100644 --- a/kernel/Makefile +++ b/kernel/Makefile @@ -126,7 +126,7 @@ $(obj)/config_data.h: $(obj)/config_data.gz FORCE ############################################################################### ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y) X509_CERTIFICATES-y := $(wildcard *.x509) -X509_CERTIFICATES-$(CONFIG_MODULE_SIG) += signing_key.x509 +X509_CERTIFICATES-$(CONFIG_MODULE_SIG) += $(if $(wildcard $(srctree)/signing_key.x509),,signing_key.x509.auto) X509_CERTIFICATES := $(sort $(X509_CERTIFICATES-y)) ifneq ($(objtree),$(srctree)) X509_CERTIFICATES += $(sort $(wildcard $(srctree)/*.x509)) @@ -167,7 +167,7 @@ ifndef CONFIG_MODULE_SIG_HASH $(error Could not determine digest type to use from kernel config) endif -signing_key.priv signing_key.x509: x509.genkey +signing_key.priv.auto signing_key.x509.auto: $(firstword $(wildcard $(srctree)/x509.genkey) x509.genkey.auto) @echo "###" @echo "### Now generating an X.509 key pair to be used for signing modules." @echo "###" @@ -177,30 +177,30 @@ signing_key.priv signing_key.x509: x509.genkey @echo "### number generator if one is available." @echo "###" openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \ - -batch -x509 -config x509.genkey \ - -outform DER -out signing_key.x509 \ - -keyout signing_key.priv 2>&1 + -batch -x509 -config $< \ + -outform DER -out signing_key.x509.auto \ + -keyout signing_key.priv.auto 2>&1 @echo "###" @echo "### Key pair generated." @echo "###" -x509.genkey: +x509.genkey.auto: @echo Generating X.509 key generation config - @echo >x509.genkey "[ req ]" - @echo >>x509.genkey "default_bits = 4096" - @echo >>x509.genkey "distinguished_name = req_distinguished_name" - @echo >>x509.genkey "prompt = no" - @echo >>x509.genkey "string_mask = utf8only" - @echo >>x509.genkey "x509_extensions = myexts" - @echo >>x509.genkey - @echo >>x509.genkey "[ req_distinguished_name ]" - @echo >>x509.genkey "#O = Unspecified company" - @echo >>x509.genkey "CN = Build time autogenerated kernel key" - @echo >>x509.genkey "#emailAddress = unspecified.user@unspecified.company" - @echo >>x509.genkey - @echo >>x509.genkey "[ myexts ]" - @echo >>x509.genkey "basicConstraints=critical,CA:FALSE" - @echo >>x509.genkey "keyUsage=digitalSignature" - @echo >>x509.genkey "subjectKeyIdentifier=hash" - @echo >>x509.genkey "authorityKeyIdentifier=keyid" + @echo >$@ "[ req ]" + @echo >>$@ "default_bits = 4096" + @echo >>$@ "distinguished_name = req_distinguished_name" + @echo >>$@ "prompt = no" + @echo >>$@ "string_mask = utf8only" + @echo >>$@ "x509_extensions = myexts" + @echo >>$@ + @echo >>$@ "[ req_distinguished_name ]" + @echo >>$@ "#O = Unspecified company" + @echo >>$@ "CN = Build time autogenerated kernel key" + @echo >>$@ "#emailAddress = unspecified.user@unspecified.company" + @echo >>$@ + @echo >>$@ "[ myexts ]" + @echo >>$@ "basicConstraints=critical,CA:FALSE" + @echo >>$@ "keyUsage=digitalSignature" + @echo >>$@ "subjectKeyIdentifier=hash" + @echo >>$@ "authorityKeyIdentifier=keyid" endif -- 2.1.4 ^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH 1/3] X.509: Fix certificate gathering again [not found] <18832.1432044859.1@warthog.procyon.org.uk> 2015-05-20 1:08 ` [PATCH 1/3] X.509: Fix certificate gathering again Michal Marek @ 2015-05-26 16:15 ` David Howells 2015-05-26 19:49 ` Petko Manolov ` (2 more replies) 1 sibling, 3 replies; 10+ messages in thread From: David Howells @ 2015-05-26 16:15 UTC (permalink / raw) To: Michal Marek Cc: dhowells, torvalds, aricart, linux-kernel, sedat.dilek, keyrings, rusty, linux-security-module, james.l.morris, dwmw2 Hi Michal, Could you have a look at the patch at the end of my branch: http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=modsign-pkcs7 It changes things from picking up arbitrary *.x509 files dropped in the kernel source and/or build directory to taking a single named PEM file with all the additional certs as a string config option. The PEM file can contain multiple certs simply cat'd together. If you're okay with that, it obsoletes these patches of yours. I've attached it here for convenience also. David --- commit 9c71c950793b1b8c23c6d945b31f6545f82adced Author: David Woodhouse <David.Woodhouse@intel.com> Date: Thu May 21 12:23:55 2015 +0100 modsign: Add explicit CONFIG_SYSTEM_TRUSTED_KEYS option Let the user explicitly provide a file containing trusted keys, instead of just automatically finding files matching *.x509 in the build tree and trusting whatever we find. This really ought to be an *explicit* configuration, and the build rules for dealing with the files were fairly painful too. Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Signed-off-by: David Howells <dhowells@redhat.com> diff --git a/Documentation/module-signing.txt b/Documentation/module-signing.txt index 5d5e4e32dc26..4e62bc29666e 100644 --- a/Documentation/module-signing.txt +++ b/Documentation/module-signing.txt @@ -88,6 +88,7 @@ This has a number of options available: than being a module) so that modules signed with that algorithm can have their signatures checked without causing a dependency loop. + (4) "File name or PKCS#11 URI of module signing key" (CONFIG_MODULE_SIG_KEY) Setting this option to something other than its default of @@ -104,6 +105,13 @@ This has a number of options available: means of the KBUILD_SIGN_PIN variable. + (5) "Additional X.509 keys for default system keyring" (CONFIG_SYSTEM_TRUSTED_KEYS) + + This option can be set to the filename of a PEM-encoded file containing + additional certificates which will be included in the system keyring by + default. + + ======================= GENERATING SIGNING KEYS ======================= @@ -171,10 +179,9 @@ in a keyring called ".system_keyring" that can be seen by: 302d2d52 I------ 1 perm 1f010000 0 0 asymmetri Fedora kernel signing key: d69a84e6bce3d216b979e9505b3e3ef9a7118079: X509.RSA a7118079 [] ... -Beyond the public key generated specifically for module signing, any file -placed in the kernel source root directory or the kernel build root directory -whose name is suffixed with ".x509" will be assumed to be an X.509 public key -and will be added to the keyring. +Beyond the public key generated specifically for module signing, additional +trusted certificates can be provided in a PEM-encoded file referenced by the +CONFIG_SYSTEM_TRUSTED_KEYS configuration option. Further, the architecture code may take public keys from a hardware store and add those in also (e.g. from the UEFI key database). diff --git a/init/Kconfig b/init/Kconfig index a52935338419..b46c19525074 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -1758,6 +1758,19 @@ config SYSTEM_TRUSTED_KEYRING Keys in this keyring are used by module signature checking. +config SYSTEM_TRUSTED_KEYS + string "Additional X.509 keys for default system keyring" + depends on SYSTEM_TRUSTED_KEYRING + help + If set, this option should be the filename of a PEM-formatted file + containing trusted X.509 certificates to be included in the default + system keyring. Any certificate used for module signing is implicitly + also trusted. + + NOTE: If you previously provided keys for the system keyring in the + form of DER-encoded *.x509 files in the top-level build directory, + those are no longer used. You will need to set this option instead. + config SYSTEM_DATA_VERIFICATION def_bool n select SYSTEM_TRUSTED_KEYRING diff --git a/kernel/Makefile b/kernel/Makefile index 541e1e89e90c..2d03e870ba8d 100644 --- a/kernel/Makefile +++ b/kernel/Makefile @@ -114,46 +114,75 @@ $(obj)/config_data.h: $(obj)/config_data.gz FORCE ############################################################################### # -# Roll all the X.509 certificates that we can find together and pull them into -# the kernel so that they get loaded into the system trusted keyring during -# boot. +# When a Kconfig string contains a filename, it is suitable for +# passing to shell commands. It is surrounded by double-quotes, and +# any double-quotes or backslashes within it are escaped by +# backslashes. # -# We look in the source root and the build root for all files whose name ends -# in ".x509". Unfortunately, this will generate duplicate filenames, so we -# have make canonicalise the pathnames and then sort them to discard the -# duplicates. +# This is no use for dependencies or $(wildcard). We need to strip the +# surrounding quotes and the escaping from quotes and backslashes, and +# we *do* need to escape any spaces in the string. So, for example: +# +# Usage: $(eval $(call config_filename,FOO)) +# +# Defines FOO_FILENAME based on the contents of the CONFIG_FOO option, +# transformed as described above to be suitable for use within the +# makefile. +# +# Also, if the filename is a relative filename and exists in the source +# tree but not the build tree, define FOO_SRCPREFIX as $(srctree)/ to +# be prefixed to *both* command invocation and dependencies. +# +# Note: We also print the filenames in the quiet_cmd_foo text, and +# perhaps ought to have a version specially escaped for that purpose. +# But it's only cosmetic, and $(patsubst "%",%,$(CONFIG_FOO)) is good +# enough. It'll strip the quotes in the common case where there's no +# space and it's a simple filename, and it'll retain the quotes when +# there's a space. There are some esoteric cases in which it'll print +# the wrong thing, but we don't really care. The actual dependencies +# and commands *do* get it right, with various combinations of single +# and double quotes, backslashes and spaces in the filenames. # ############################################################################### -ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y) -X509_CERTIFICATES-y := $(wildcard *.x509) $(wildcard $(srctree)/*.x509) -X509_CERTIFICATES-$(CONFIG_MODULE_SIG) += $(objtree)/signing_key.x509 -X509_CERTIFICATES-raw := $(sort $(foreach CERT,$(X509_CERTIFICATES-y), \ - $(or $(realpath $(CERT)),$(CERT)))) -X509_CERTIFICATES := $(subst $(realpath $(objtree))/,,$(X509_CERTIFICATES-raw)) - -ifeq ($(X509_CERTIFICATES),) -$(warning *** No X.509 certificates found ***) +# +quote := $(firstword " ") +space := +space += +space_escape := %%%SPACE%%% +# +define config_filename = +ifneq ($$(CONFIG_$(1)),"") +$(1)_FILENAME := $$(subst \\,\,$$(subst \$$(quote),$$(quote),$$(subst $$(space_escape),\$$(space),$$(patsubst "%",%,$$(subst $$(space),$$(space_escape),$$(CONFIG_$(1))))))) +ifneq ($$(patsubst /%,%,$$(firstword $$($(1)_FILENAME))),$$(firstword $$($(1)_FILENAME))) +else +ifeq ($$(wildcard $$($(1)_FILENAME)),) +ifneq ($$(wildcard $$(srctree)/$$($(1)_FILENAME)),) +$(1)_SRCPREFIX := $(srctree)/ +endif endif - -ifneq ($(wildcard $(obj)/.x509.list),) -ifneq ($(shell cat $(obj)/.x509.list),$(X509_CERTIFICATES)) -$(info X.509 certificate list changed) -$(shell rm $(obj)/.x509.list) endif endif +endef +# +############################################################################### + + +ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y) + +$(eval $(call config_filename,SYSTEM_TRUSTED_KEYS)) + +SIGNING_X509-$(CONFIG_MODULE_SIG) += signing_key.x509 kernel/system_certificates.o: $(obj)/x509_certificate_list -quiet_cmd_x509certs = CERTS $@ - cmd_x509certs = cat $(X509_CERTIFICATES) /dev/null >$@ $(foreach X509,$(X509_CERTIFICATES),; $(kecho) " - Including cert $(X509)") +quiet_cmd_x509certs = CERTS $(SIGNING_X509-y) $(patsubst "%",%,$(2)) + cmd_x509certs = ( cat $(SIGNING_X509-y) /dev/null; \ + awk '/-----BEGIN CERTIFICATE-----/{flag=1;next}/-----END CERTIFICATE-----/{flag=0}flag' $(2) /dev/null | base64 -d ) > $@ || ( rm $@; exit 1) targets += $(obj)/x509_certificate_list -$(obj)/x509_certificate_list: $(X509_CERTIFICATES) $(obj)/.x509.list - $(call if_changed,x509certs) +$(obj)/x509_certificate_list: $(SIGNING_X509-y) include/config/system/trusted/keys.h include/config/module/sig.h $(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(SYSTEM_TRUSTED_KEYS_FILENAME) + $(call if_changed,x509certs,$(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_TRUSTED_KEYS)) -targets += $(obj)/.x509.list -$(obj)/.x509.list: - @echo $(X509_CERTIFICATES) >$@ endif clean-files := x509_certificate_list .x509.list @@ -212,40 +241,16 @@ x509.genkey: @echo >>x509.genkey "authorityKeyIdentifier=keyid" endif -# We need to obtain the certificate from CONFIG_MODULE_SIG_KEY. -quiet_cmd_extract_der = CERT_DER $(2) - cmd_extract_der = scripts/extract-cert "$(2)" signing_key.x509 +$(eval $(call config_filename,MODULE_SIG_KEY)) -# CONFIG_MODULE_SIG_KEY is either a PKCS#11 URI or a filename. It is -# surrounded by quotes, and may contain spaces. To strip the quotes -# with $(patsubst) we need to turn the spaces into something else. -# And if it's a filename, those spaces need to be escaped as '\ ' in -# order to use it in dependencies or $(wildcard). -space := -space += -space_escape := %%%SPACE%%% -X509_SOURCE_temp := $(subst $(space),$(space_escape),$(CONFIG_MODULE_SIG_KEY)) -# We need this to check for absolute paths or PKCS#11 URIs. -X509_SOURCE_ONEWORD := $(patsubst "%",%,$(X509_SOURCE_temp)) -# This is the actual source filename/URI without the quotes -X509_SOURCE := $(subst $(space_escape),$(space),$(X509_SOURCE_ONEWORD)) -# This\ version\ with\ spaces\ escaped\ for\ $(wildcard)\ and\ dependencies -X509_SOURCE_ESCAPED := $(subst $(space_escape),\$(space),$(X509_SOURCE_ONEWORD)) - -ifeq ($(patsubst pkcs11:%,%,$(X509_SOURCE_ONEWORD)),$(X509_SOURCE_ONEWORD)) -# If it's a filename, depend on it. -X509_DEP := $(X509_SOURCE_ESCAPED) -ifeq ($(patsubst /%,%,$(X509_SOURCE_ONEWORD)),$(X509_SOURCE_ONEWORD)) -ifeq ($(wildcard $(X509_SOURCE_ESCAPED)),) -ifneq ($(wildcard $(srctree)/$(X509_SOURCE_ESCAPED)),) -# Non-absolute filename, found in source tree and not build tree -X509_SOURCE := $(srctree)/$(X509_SOURCE) -X509_DEP := $(srctree)/$(X509_SOURCE_ESCAPED) -endif -endif -endif +# If CONFIG_MODULE_SIG_KEY isn't a PKCS#11 URI, depend on it +ifeq ($(patsubst pkcs11:%,%,$(firstword $(MODULE_SIG_KEY_FILENAME))),$(firstword $(MODULE_SIG_KEY_FILENAME))) +X509_DEP := $(MODULE_SIG_KEY_SRCPREFIX)$(MODULE_SIG_KEY_FILENAME) endif +quiet_cmd_extract_der = SIGNING_CERT $(patsubst "%",%,$(2)) + cmd_extract_der = scripts/extract-cert $(2) signing_key.x509 + signing_key.x509: scripts/extract-cert include/config/module/sig/key.h $(X509_DEP) - $(call cmd,extract_der,$(X509_SOURCE)) + $(call cmd,extract_der,$(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY)) endif ^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH 1/3] X.509: Fix certificate gathering again 2015-05-26 16:15 ` [PATCH 1/3] X.509: Fix certificate gathering again David Howells @ 2015-05-26 19:49 ` Petko Manolov 2015-05-26 21:56 ` David Howells 2015-05-28 5:18 ` Michal Marek 2 siblings, 0 replies; 10+ messages in thread From: Petko Manolov @ 2015-05-26 19:49 UTC (permalink / raw) To: David Howells, Michal Marek Cc: torvalds, aricart, linux-kernel, sedat.dilek, keyrings, rusty, linux-security-module, james.l.morris, dwmw2 On May 26, 2015 7:15:38 PM GMT+03:00, David Howells <dhowells@redhat.com> wrote: >Hi Michal, > >Could you have a look at the patch at the end of my branch: > > http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=modsign-pkcs7 > >It changes things from picking up arbitrary *.x509 files dropped in the >kernel >source and/or build directory to taking a single named PEM file with >all the >additional certs as a string config option. The PEM file can contain >multiple >certs simply cat'd together. > >If you're okay with that, it obsoletes these patches of yours. > >I've attached it here for convenience also. > >David >--- >commit 9c71c950793b1b8c23c6d945b31f6545f82adced >Author: David Woodhouse <David.Woodhouse@intel.com> >Date: Thu May 21 12:23:55 2015 +0100 > > modsign: Add explicit CONFIG_SYSTEM_TRUSTED_KEYS option > >Let the user explicitly provide a file containing trusted keys, instead >of > just automatically finding files matching *.x509 in the build tree and > trusting whatever we find. This really ought to be an *explicit* > configuration, and the build rules for dealing with the files were > fairly painful too. > > Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> > Signed-off-by: David Howells <dhowells@redhat.com> > >diff --git a/Documentation/module-signing.txt >b/Documentation/module-signing.txt >index 5d5e4e32dc26..4e62bc29666e 100644 >--- a/Documentation/module-signing.txt >+++ b/Documentation/module-signing.txt >@@ -88,6 +88,7 @@ This has a number of options available: >than being a module) so that modules signed with that algorithm can >have > their signatures checked without causing a dependency loop. > >+ >(4) "File name or PKCS#11 URI of module signing key" >(CONFIG_MODULE_SIG_KEY) > > Setting this option to something other than its default of >@@ -104,6 +105,13 @@ This has a number of options available: > means of the KBUILD_SIGN_PIN variable. > > >+ (5) "Additional X.509 keys for default system keyring" >(CONFIG_SYSTEM_TRUSTED_KEYS) >+ >+ This option can be set to the filename of a PEM-encoded file >containing >+ additional certificates which will be included in the system >keyring by >+ default. >+ >+ > ======================= > GENERATING SIGNING KEYS > ======================= >@@ -171,10 +179,9 @@ in a keyring called ".system_keyring" that can be >seen by: > 302d2d52 I------ 1 perm 1f010000 0 0 asymmetri Fedora >kernel signing key: d69a84e6bce3d216b979e9505b3e3ef9a7118079: X509.RSA >a7118079 [] > ... > >-Beyond the public key generated specifically for module signing, any >file >-placed in the kernel source root directory or the kernel build root >directory >-whose name is suffixed with ".x509" will be assumed to be an X.509 >public key >-and will be added to the keyring. >+Beyond the public key generated specifically for module signing, I think this should be "private", not "public" key. The modules are signed with the private key... Petko ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 1/3] X.509: Fix certificate gathering again 2015-05-26 16:15 ` [PATCH 1/3] X.509: Fix certificate gathering again David Howells 2015-05-26 19:49 ` Petko Manolov @ 2015-05-26 21:56 ` David Howells 2015-05-28 5:18 ` Michal Marek 2 siblings, 0 replies; 10+ messages in thread From: David Howells @ 2015-05-26 21:56 UTC (permalink / raw) To: Petko Manolov Cc: dhowells, Michal Marek, torvalds, aricart, linux-kernel, sedat.dilek, keyrings, rusty, linux-security-module, james.l.morris, dwmw2 Petko Manolov <petkan@mip-labs.com> wrote: > >+Beyond the public key generated specifically for module signing, > > I think this should be "private", not "public" key. The modules are signed > with the private key... No. Private keys aren't added to the keyring. The title of the section is "Public keys in the kernel". David ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 1/3] X.509: Fix certificate gathering again 2015-05-26 16:15 ` [PATCH 1/3] X.509: Fix certificate gathering again David Howells 2015-05-26 19:49 ` Petko Manolov 2015-05-26 21:56 ` David Howells @ 2015-05-28 5:18 ` Michal Marek 2015-05-28 8:33 ` David Woodhouse 2015-05-28 9:58 ` David Howells 2 siblings, 2 replies; 10+ messages in thread From: Michal Marek @ 2015-05-28 5:18 UTC (permalink / raw) To: David Howells Cc: torvalds, aricart, linux-kernel, sedat.dilek, keyrings, rusty, linux-security-module, james.l.morris, dwmw2 Dne 27.5.2015 v 00:15 David Howells napsal(a): > Hi Michal, > > Could you have a look at the patch at the end of my branch: > > http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=modsign-pkcs7 > > It changes things from picking up arbitrary *.x509 files dropped in the kernel > source and/or build directory to taking a single named PEM file with all the > additional certs as a string config option. The PEM file can contain multiple > certs simply cat'd together. > > If you're okay with that, it obsoletes these patches of yours. I'm fine with the concept as it indeed solves the problem with the wildcard matching for good. So please drop the patches that I posted. The only issue is that the makefile expressions are a bit hairy. For starters, we already have definitions for $(quote) and $(space) in kbuild. I'll have a closer look at the config_filename macro and try to simplify it somehow. But it's just cosmetics, the patch can be merged as is for now. Michal ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 1/3] X.509: Fix certificate gathering again 2015-05-28 5:18 ` Michal Marek @ 2015-05-28 8:33 ` David Woodhouse 2015-05-28 9:58 ` David Howells 1 sibling, 0 replies; 10+ messages in thread From: David Woodhouse @ 2015-05-28 8:33 UTC (permalink / raw) To: Michal Marek Cc: David Howells, torvalds, aricart, linux-kernel, sedat.dilek, keyrings, rusty, linux-security-module, james.l.morris On Thu, 2015-05-28 at 13:18 +0800, Michal Marek wrote: > > The only issue is that the makefile expressions are a bit hairy. For > starters, we already have definitions for $(quote) and $(space) in > kbuild. I'll have a closer look at the config_filename macro and try to > simplify it somehow. But it's just cosmetics, the patch can be merged as > is for now. I've actually changed my mind about the 'awk | base64 -d' bit. The error handling is too poor. I'd like to do that in C with a variant of the existing extract_cert tool, and make sure we have proper X.509 certificates and error handling/reporting. I'll fix that, but probably not this week while I'm ostensibly on honeymoon and not answering emails like this one... (If anyone else wants to beat me to it, you probably just need to make extract_cert.c loop on extracting the certs from the file/BIO, but do make sure it tolerates only *one* in the existing 'find signer cert' mode.) -- David Woodhouse Open Source Technology Centre David.Woodhouse@intel.com Intel Corporation ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 1/3] X.509: Fix certificate gathering again 2015-05-28 5:18 ` Michal Marek 2015-05-28 8:33 ` David Woodhouse @ 2015-05-28 9:58 ` David Howells 2015-05-28 10:05 ` David Woodhouse 1 sibling, 1 reply; 10+ messages in thread From: David Howells @ 2015-05-28 9:58 UTC (permalink / raw) To: David Woodhouse Cc: dhowells, Michal Marek, torvalds, aricart, linux-kernel, sedat.dilek, keyrings, rusty, linux-security-module, james.l.morris David Woodhouse <dwmw2@infradead.org> wrote: > > The only issue is that the makefile expressions are a bit hairy. For > > starters, we already have definitions for $(quote) and $(space) in > > kbuild. I'll have a closer look at the config_filename macro and try to > > simplify it somehow. But it's just cosmetics, the patch can be merged as > > is for now. > > I've actually changed my mind about the 'awk | base64 -d' bit. The error > handling is too poor. I'd like to do that in C with a variant of the > existing extract_cert tool, and make sure we have proper X.509 > certificates and error handling/reporting. You could also do it in perl pretty easily. David ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 1/3] X.509: Fix certificate gathering again 2015-05-28 9:58 ` David Howells @ 2015-05-28 10:05 ` David Woodhouse 0 siblings, 0 replies; 10+ messages in thread From: David Woodhouse @ 2015-05-28 10:05 UTC (permalink / raw) To: David Howells Cc: Michal Marek, torvalds, aricart, linux-kernel, sedat.dilek, keyrings, rusty, linux-security-module, james.l.morris On Thu, 2015-05-28 at 10:58 +0100, David Howells wrote: > David Woodhouse <dwmw2@infradead.org> wrote: > > > > The only issue is that the makefile expressions are a bit hairy. For > > > starters, we already have definitions for $(quote) and $(space) in > > > kbuild. I'll have a closer look at the config_filename macro and try to > > > simplify it somehow. But it's just cosmetics, the patch can be merged as > > > is for now. > > > > I've actually changed my mind about the 'awk | base64 -d' bit. The error > > handling is too poor. I'd like to do that in C with a variant of the > > existing extract_cert tool, and make sure we have proper X.509 > > certificates and error handling/reporting. > > You could also do it in perl pretty easily. It's a fairly trivial change to scripts/extract-cert.c though, which gives you validation of the cert ASN.1 instead of just base64-decoding and importing arbitrary crap as long as it's found between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- Yeah, we could do the X.509 parsing/validation in perl too. But let's not. -- David Woodhouse Open Source Technology Centre David.Woodhouse@intel.com Intel Corporation ^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2015-05-28 10:05 UTC | newest] Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- [not found] <18832.1432044859.1@warthog.procyon.org.uk> 2015-05-20 1:08 ` [PATCH 1/3] X.509: Fix certificate gathering again Michal Marek 2015-05-20 1:08 ` [PATCH 2/3] MODSIGN: Use filechk to generate .x509.list Michal Marek 2015-05-20 1:08 ` [PATCH 3/3] MODSIGN: Split user-supplied and autogenerated signing key Michal Marek 2015-05-26 16:15 ` [PATCH 1/3] X.509: Fix certificate gathering again David Howells 2015-05-26 19:49 ` Petko Manolov 2015-05-26 21:56 ` David Howells 2015-05-28 5:18 ` Michal Marek 2015-05-28 8:33 ` David Woodhouse 2015-05-28 9:58 ` David Howells 2015-05-28 10:05 ` David Woodhouse
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).