linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: David Howells <dhowells@redhat.com>
To: mcgrof@suse.com
Cc: dhowells@redhat.com, rusty@rustcorp.com.au, mmarek@suse.cz,
	mjg59@srcf.ucam.org, keyrings@linux-nfs.org,
	dmitry.kasatkin@gmail.com, linux-kernel@vger.kernel.org,
	seth.forshee@canonical.com,
	linux-security-module@vger.kernel.org, dwmw2@infradead.org
Subject: sign-file and detached PKCS#7 firmware signatures
Date: Fri, 15 May 2015 20:07:55 +0100	[thread overview]
Message-ID: <21177.1431716875@warthog.procyon.org.uk> (raw)
In-Reply-To: <20150515123610.16723.61913.stgit@warthog.procyon.org.uk>

Hi Luis,

As David Woodhouse pointed out to me, you don't need sign-file if you're just
going to create a detached PKCS#7 message as your signature.  You can just use
"openssl smime" directly.

The reason that sign-file is needed for module signing is that the signature
is added to the module with a little bit of metadata to indicate its presence
- but if you're having detached signatures, that isn't relevant.

You can do this with two steps:

 (1) Require that an X.509 certificate is made available to the kernel to
     provide the public key.  One way to do this is to convert it to DER form
     and place it in the source directory as <name>.x509 when you build the
     kernel.

 (2) Document that to produce a signature for a firmware blob, you just run
     the following command:

		openssl smime -sign \
		 -in $FIRMWARE_BLOB_NAME \
		 -outform DER \
		 -inkey $PRIVATE_KEY_FILE_IN_PEM_FORM \
		 -signer $X509_CERT_FILE_IN_PEM_FORM \
		 -nocerts \
		 -md $DIGEST_ALGORITHM \
		 >$PKCS7_MESSAGE_FILE_IN_DER_FORM

     Note that if you have crypto hardware available that openssl can use, you
     can do that in this command.


To summarise, what you have to present to the kernel is the following:

 (A) A DER-encoded X.509 certificate containing the public key.

 (B) A DER-encoded PKCS#7 message containing the signatures.

 (C) A binary blob that is the detached data for the PKCS#7 message.

David

  parent reply	other threads:[~2015-05-15 19:08 UTC|newest]

Thread overview: 71+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-05-15 12:35 [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4] David Howells
2015-05-15 12:35 ` [PATCH 1/8] X.509: Extract both parts of the AuthorityKeyIdentifier " David Howells
2015-05-15 12:35 ` [PATCH 2/8] X.509: Support X.509 lookup by Issuer+Serial form " David Howells
2015-05-15 12:35 ` [PATCH 3/8] PKCS#7: Allow detached data to be supplied for signature checking purposes " David Howells
2015-05-15 12:35 ` [PATCH 4/8] MODSIGN: Provide a utility to append a PKCS#7 signature to a module " David Howells
2015-05-20  0:50   ` Andy Lutomirski
2015-05-20 13:14   ` David Howells
2015-05-20 16:00     ` Andy Lutomirski
2015-05-15 12:36 ` [PATCH 5/8] MODSIGN: Use PKCS#7 messages as module signatures " David Howells
2015-05-15 12:36 ` [PATCH 6/8] sign-file: Add option to only create signature file " David Howells
2015-05-15 12:36 ` [PATCH 7/8] system_keyring.c doesn't need to #include module-internal.h " David Howells
2015-05-15 12:36 ` [PATCH 8/8] MODSIGN: Extract the blob PKCS#7 signature verifier from module signing " David Howells
2015-05-15 13:46 ` [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures " David Woodhouse
2015-05-15 16:52 ` [PATCH 1/4] modsign: Abort modules_install when signing fails David Woodhouse
2015-05-19  1:29   ` Mimi Zohar
2015-05-19  6:40     ` Woodhouse, David
2015-05-19 11:45       ` Mimi Zohar
2015-05-19 12:57         ` Woodhouse, David
2015-05-19 13:54           ` Mimi Zohar
2015-05-15 16:53 ` [PATCH 2/4] modsign: Allow external signing key to be specified David Woodhouse
2015-05-15 16:53 ` [PATCH 3/4] modsign: Allow password to be specified for signing key David Woodhouse
2015-05-19  1:37   ` Mimi Zohar
2015-05-15 16:54 ` [PATCH 4/4] modsign: Allow signing key to be PKCS#11 David Woodhouse
2015-05-15 19:07 ` David Howells [this message]
2015-05-18 23:13   ` sign-file and detached PKCS#7 firmware signatures Luis R. Rodriguez
2015-05-19  9:25   ` David Howells
2015-05-19 16:19     ` Luis R. Rodriguez
2015-05-19 16:48     ` David Howells
2015-05-19 18:21       ` Luis R. Rodriguez
2015-05-19 18:35       ` Luis R. Rodriguez
2015-05-19 18:47       ` David Howells
2015-05-19 20:12         ` Luis R. Rodriguez
2015-05-19 20:29         ` David Howells
2015-05-15 22:51 ` [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4] Rusty Russell
2015-05-18 12:43 ` [PATCH 4/4] modsign: Allow signing key to be PKCS#11 David Howells
2015-05-19 14:45 ` [PATCH 9/8] modsign: Abort modules_install when signing fails David Woodhouse
2015-05-19 14:45 ` [PATCH 10/8] modsign: Allow password to be specified for signing key David Woodhouse
2015-05-19 15:50   ` Petko Manolov
2015-05-19 16:15     ` David Woodhouse
2015-05-19 16:34       ` Petko Manolov
2015-05-19 18:39   ` Mimi Zohar
2015-05-19 18:48   ` David Howells
2015-05-19 19:14     ` Mimi Zohar
2015-05-19 20:04       ` David Woodhouse
2015-05-19 14:46 ` [PATCH 11/8] modsign: Allow signing key to be PKCS#11 David Woodhouse
2015-05-19 14:46 ` [PATCH 12/8] modsign: Allow external signing key to be specified David Woodhouse
2015-05-19 14:47 ` [PATCH 13/8] modsign: Extract signing cert from CONFIG_MODULE_SIG_KEY if needed David Woodhouse
2015-05-19 15:36 ` [PATCH 10/8] modsign: Allow password to be specified for signing key David Howells
2015-05-20  0:36 ` [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4] Andy Lutomirski
2015-05-20 13:36 ` David Howells
2015-05-20 15:56   ` Andy Lutomirski
2015-05-20 16:21     ` Petko Manolov
2015-05-20 16:41       ` Andy Lutomirski
2015-05-20 16:55         ` Petko Manolov
2015-05-21 21:38       ` Luis R. Rodriguez
2015-05-21 21:44         ` Andy Lutomirski
2015-05-21 21:59           ` Luis R. Rodriguez
2015-05-21 22:06             ` Andy Lutomirski
2015-05-21 22:16               ` Luis R. Rodriguez
2015-05-21 22:24                 ` Andy Lutomirski
2015-05-21 22:31                   ` Luis R. Rodriguez
2015-05-21 22:47                     ` Andy Lutomirski
2015-05-21 23:01                       ` Luis R. Rodriguez
2015-05-21 23:09                         ` Andy Lutomirski
2015-05-22  7:56                         ` David Howells
2015-05-22 12:42                           ` Mimi Zohar
2015-05-22  7:49         ` David Howells
2015-05-22  7:48       ` David Howells
2015-05-22 12:28         ` Mimi Zohar
2015-05-24 10:52           ` Petko Manolov
2015-05-21 13:59   ` David Howells

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=21177.1431716875@warthog.procyon.org.uk \
    --to=dhowells@redhat.com \
    --cc=dmitry.kasatkin@gmail.com \
    --cc=dwmw2@infradead.org \
    --cc=keyrings@linux-nfs.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mcgrof@suse.com \
    --cc=mjg59@srcf.ucam.org \
    --cc=mmarek@suse.cz \
    --cc=rusty@rustcorp.com.au \
    --cc=seth.forshee@canonical.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).