From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S934700AbbEOMgI (ORCPT <rfc822;w@1wt.eu>);
	Fri, 15 May 2015 08:36:08 -0400
Received: from mx1.redhat.com ([209.132.183.28]:32891 "EHLO mx1.redhat.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S934673AbbEOMgC (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Fri, 15 May 2015 08:36:02 -0400
Subject: [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4]
From: David Howells <dhowells@redhat.com>
To: rusty@rustcorp.com.au
Cc: mmarek@suse.cz, mjg59@srcf.ucam.org, keyrings@linux-nfs.org,
        dmitry.kasatkin@gmail.com, mcgrof@suse.com,
        linux-kernel@vger.kernel.org, dhowells@redhat.com,
        seth.forshee@canonical.com, linux-security-module@vger.kernel.org,
        dwmw2@infradead.org
Date: Fri, 15 May 2015 13:35:13 +0100
Message-ID: <20150515123513.16723.96340.stgit@warthog.procyon.org.uk>
User-Agent: StGit/0.17.1-dirty
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org


Hi Rusty,

Here's a set of patches that does the following:

 (1) Extracts both parts of an X.509 AuthorityKeyIdentifier (AKID) extension.
     We already extract the bit that can match the subjectKeyIdentifier (SKID)
     of the parent X.509 cert, but we currently ignore the bits that can match
     the issuer and serialNumber.

     Looks up an X.509 cert by issuer and serialNumber if those are provided in
     the AKID.  If the keyIdentifier is also provided, checks that the
     subjectKeyIdentifier of the cert found matches that also.

     If no issuer and serialNumber are provided in the AKID, looks up an X.509
     cert by SKID using the AKID keyIdentifier.

     This allows module signing to be done with certificates that don't have an
     SKID by which they can be looked up.

 (2) Makes use of the PKCS#7 facility to provide module signatures.

     sign-file is replaced with a program that generates a PKCS#7 message that
     has no X.509 certs embedded and that has detached data (the module
     content) and adds it onto the message with magic string and descriptor.

 (3) The PKCS#7 message (and matching X.509 cert) supply all the information
     that is needed to select the X.509 cert to be used to verify the signature
     by standard means (including selection of digest algorithm and public key
     algorithm).  No kernel-specific magic values are required.

 (4) Makes it possible to get sign-file to just write out a file containing the
     PKCS#7 signature blob.  This can be used for debugging and potentially for
     firmware signing.

 (5) Extract the function that does PKCS#7 signature verification on a blob
     from the module signing code and put it somewhere more general so that
     other things, such as firmware signing, can make use of it without
     depending on module config options.

Note that the revised sign-file program no longer supports the "-s <signature>"
option as I'm not sure what the best way to deal with this is.  Do we generate
a PKCS#7 cert from the signature given, or do we get given a PKCS#7 cert?  I
lean towards the latter.  Note that David Woodhouse is looking at making
sign-file work with PKCS#11, so bringing back -s might not be necessary.

They can be found here also:

	http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=modsign-pkcs7

and are tagged with:

	modsign-pkcs7-20150515

Should these go via the security tree or your tree?

David
---
David Howells (7):
      X.509: Extract both parts of the AuthorityKeyIdentifier
      X.509: Support X.509 lookup by Issuer+Serial form AuthorityKeyIdentifier
      PKCS#7: Allow detached data to be supplied for signature checking purposes
      MODSIGN: Provide a utility to append a PKCS#7 signature to a module
      MODSIGN: Use PKCS#7 messages as module signatures
      system_keyring.c doesn't need to #include module-internal.h
      MODSIGN: Extract the blob PKCS#7 signature verifier from module signing

Luis R. Rodriguez (1):
      sign-file: Add option to only create signature file


 Makefile                                  |    2 
 crypto/asymmetric_keys/Makefile           |    8 -
 crypto/asymmetric_keys/pkcs7_trust.c      |   10 -
 crypto/asymmetric_keys/pkcs7_verify.c     |   80 ++++--
 crypto/asymmetric_keys/x509_akid.asn1     |   35 ++
 crypto/asymmetric_keys/x509_cert_parser.c |  142 ++++++----
 crypto/asymmetric_keys/x509_parser.h      |    5 
 crypto/asymmetric_keys/x509_public_key.c  |   86 ++++--
 include/crypto/pkcs7.h                    |    3 
 include/crypto/public_key.h               |    4 
 include/keys/system_keyring.h             |    5 
 init/Kconfig                              |   28 +-
 kernel/module_signing.c                   |  212 +--------------
 kernel/system_keyring.c                   |   51 +++-
 scripts/Makefile                          |    2 
 scripts/sign-file                         |  421 -----------------------------
 scripts/sign-file.c                       |  212 +++++++++++++++
 17 files changed, 578 insertions(+), 728 deletions(-)
 create mode 100644 crypto/asymmetric_keys/x509_akid.asn1
 delete mode 100755 scripts/sign-file
 create mode 100755 scripts/sign-file.c