From: David Howells
To: mcgrof@suse.com
Cc: dhowells@redhat.com, rusty@rustcorp.com.au, mmarek@suse.cz, mjg59@srcf.ucam.org, keyrings@linux-nfs.org, dmitry.kasatkin@gmail.com, linux-kernel@vger.kernel.org, seth.forshee@canonical.com, linux-security-module@vger.kernel.org, dwmw2@infradead.org
Subject: sign-file and detached PKCS#7 firmware signatures
Date: Fri, 15 May 2015 20:07:55 +0100
Message-ID: <21177.1431716875@warthog.procyon.org.uk>
In-Reply-To: <20150515123610.16723.61913.stgit@warthog.procyon.org.uk>
References: <20150515123610.16723.61913.stgit@warthog.procyon.org.uk> <20150515123513.16723.96340.stgit@warthog.procyon.org.uk>
List-ID: linux-kernel@vger.kernel.org

Hi Luis,

As David Woodhouse pointed out to me, you don't need sign-file if you're just
going to create a detached PKCS#7 message as your signature.  You can just use
"openssl smime" directly.  The reason that sign-file is needed for module
signing is that the signature is added to the module with a little bit of
metadata to indicate its presence - but if you're having detached signatures,
that isn't relevant.

You can do this with two steps:

 (1) Require that an X.509 certificate is made available to the kernel to
     provide the public key.  One way to do this is to convert it to DER form
     and place it in the source directory as .x509 when you build the kernel.

 (2) Document that to produce a signature for a firmware blob, you just run
     the following command:

	openssl smime -sign \
		-in $FIRMWARE_BLOB_NAME \
		-outform DER \
		-inkey $PRIVATE_KEY_FILE_IN_PEM_FORM \
		-signer $X509_CERT_FILE_IN_PEM_FORM \
		-nocerts \
		-md $DIGEST_ALGORITHM \
		>$PKCS7_MESSAGE_FILE_IN_DER_FORM

     Note that if you have crypto hardware available that openssl can use,
     you can do that in this command.

To summarise, what you have to present to the kernel is the following:

 (A) A DER-encoded X.509 certificate containing the public key.

 (B) A DER-encoded PKCS#7 message containing the signatures.

 (C) A binary blob that is the detached data for the PKCS#7 message.

David
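An added end-to-end example, not part of David's mail: a POSIX shell script that builds a throwaway signing certificate, produces the detached DER PKCS#7 signature with the openssl smime command from the mail, and verifies it against both the genuine blob and a corrupted copy. It assumes openssl(1) is on PATH; all file names and the sample blob are constructed for the demo, and -binary is added to the sign command, which the mail's version leaves out.

```shell
#!/bin/sh
# Added example (not from the mail): produce and check a detached PKCS#7
# firmware signature with the openssl smime flow described above.
# Assumes openssl(1) is on PATH; every file name here is constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway signing key plus self-signed certificate (PEM), and the DER form
# of the certificate that the kernel would be built with (item A).
make_signing_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo firmware signing" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
    openssl x509 -in "$WORK/cert.pem" -outform DER -out "$WORK/signing_key.x509"
}

# Detached, DER-encoded PKCS#7 with no embedded certificate (item B).
# -binary is added so a blob containing LF bytes is signed byte-for-byte
# instead of being canonicalised to CRLF first; without it the kernel-side
# check against the raw blob would fail.
sign_firmware() { # $1 = firmware blob, $2 = output PKCS#7 file
    openssl smime -sign -in "$1" -outform DER -inkey "$WORK/key.pem" \
        -signer "$WORK/cert.pem" -nocerts -md sha256 -binary >"$2"
}

# Check the signature over the detached content (item C), trusting only our
# certificate. Echoes "ok" or "bad" so callers can branch on the result.
verify_firmware() { # $1 = firmware blob, $2 = PKCS#7 file
    if openssl smime -verify -inform DER -in "$2" -content "$1" -binary \
            -CAfile "$WORK/cert.pem" -certfile "$WORK/cert.pem" \
            -out /dev/null 2>/dev/null; then
        echo ok
    else
        echo bad
    fi
}

# Constructed sample blob; the embedded LF bytes exercise the -binary point.
printf 'FW\n\001\002\003\nend\n' >"$WORK/firmware.bin"
# Same blob with one byte changed, standing in for a corrupted download.
printf 'FW\n\001\002\004\nend\n' >"$WORK/firmware-tampered.bin"

make_signing_cert
sign_firmware "$WORK/firmware.bin" "$WORK/firmware.bin.p7s"
verify_firmware "$WORK/firmware.bin" "$WORK/firmware.bin.p7s"          # ok
verify_firmware "$WORK/firmware-tampered.bin" "$WORK/firmware.bin.p7s" # bad
```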