From: David Howells <dhowells@redhat.com>
To: Andy Lutomirski <luto@kernel.org>
Cc: dhowells@redhat.com, rusty@rustcorp.com.au, mmarek@suse.cz,
mjg59@srcf.ucam.org, keyrings@linux-nfs.org,
dmitry.kasatkin@gmail.com, mcgrof@suse.com,
linux-kernel@vger.kernel.org, seth.forshee@canonical.com,
linux-security-module@vger.kernel.org, dwmw2@infradead.org
Subject: Re: [PATCH 4/8] MODSIGN: Provide a utility to append a PKCS#7 signature to a module [ver #4]
Date: Wed, 20 May 2015 14:14:31 +0100 [thread overview]
Message-ID: <31479.1432127671@warthog.procyon.org.uk> (raw)
In-Reply-To: <555BDA4B.6020207@kernel.org>
Andy Lutomirski <luto@kernel.org> wrote:
> > enum pkey_id_type {
> > PKEY_ID_PGP, /* OpenPGP generated key ID */
> > PKEY_ID_X509, /* X.509 arbitrary subjectKeyIdentifier */
> > + PKEY_ID_PKCS7, /* Signature in PKCS#7 message */
> > PKEY_ID_TYPE__LAST
> > };
> >
>
> I don't understand these comments. "OpenPGP generated key ID" refers to the
> name of a key. "X.509 arbitrary subjectKeyIdentifier" also refers to a name
> of a key.
OpenPGP was how we did things originally. We then switched to X.509 because
we had to take account of UEFI. These values are implicit parts of the kernel
ABI.
> "Signature in PKCS#7 message" refers to a signature style. This seems
> inconsistent.
Not precisely. The format of the descriptor is immutable given the particular
magic number. You set the ID type to that and all the other fields bar one to
zero and you put the signature and all the metadata in the PKCS#7 blob which
you place directly prior to the descriptor (the length of the blob is the one
thing you do need to specify). Effectively, it's an override.
> Also, I think we're really going to want signatures that specify their
> purpose, e.g. "module named xyz" or "firmware file named abc" or "kexec
> image". Let's get this right the first time rather than needing yet another
> type in the very near future.
If this is so, then this _must_ also apply to your hash list idea.
> Finally, why are we using PKCS#7 for this? Can't everything except kexec
> images use raw signatures in some trivial non-ASN.1-ified format? A raw
> signature can reference a UEFI-sourced key just fine.
We have PKCS#7 already in the kernel. It's a standard. We can add attributes
of our own devising to extend it if necessary (say your typing idea referenced
above).
> It could be as simple as:
>
> 4 bytes of signature type
> (length of pubkey identifier, pubkey identifier)
> 4 bytes of purpose
> (length of purpose-specific data, purpose-specific data)
Let's not create yet another unextendable non-standard standard.
David
next prev parent reply other threads:[~2015-05-20 13:14 UTC|newest]
Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-15 12:35 [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4] David Howells
2015-05-15 12:35 ` [PATCH 1/8] X.509: Extract both parts of the AuthorityKeyIdentifier " David Howells
2015-05-15 12:35 ` [PATCH 2/8] X.509: Support X.509 lookup by Issuer+Serial form " David Howells
2015-05-15 12:35 ` [PATCH 3/8] PKCS#7: Allow detached data to be supplied for signature checking purposes " David Howells
2015-05-15 12:35 ` [PATCH 4/8] MODSIGN: Provide a utility to append a PKCS#7 signature to a module " David Howells
2015-05-20 0:50 ` Andy Lutomirski
2015-05-20 13:14 ` David Howells [this message]
2015-05-20 16:00 ` Andy Lutomirski
2015-05-15 12:36 ` [PATCH 5/8] MODSIGN: Use PKCS#7 messages as module signatures " David Howells
2015-05-15 12:36 ` [PATCH 6/8] sign-file: Add option to only create signature file " David Howells
2015-05-15 12:36 ` [PATCH 7/8] system_keyring.c doesn't need to #include module-internal.h " David Howells
2015-05-15 12:36 ` [PATCH 8/8] MODSIGN: Extract the blob PKCS#7 signature verifier from module signing " David Howells
2015-05-15 13:46 ` [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures " David Woodhouse
2015-05-15 16:52 ` [PATCH 1/4] modsign: Abort modules_install when signing fails David Woodhouse
2015-05-19 1:29 ` Mimi Zohar
2015-05-19 6:40 ` Woodhouse, David
2015-05-19 11:45 ` Mimi Zohar
2015-05-19 12:57 ` Woodhouse, David
2015-05-19 13:54 ` Mimi Zohar
2015-05-15 16:53 ` [PATCH 2/4] modsign: Allow external signing key to be specified David Woodhouse
2015-05-15 16:53 ` [PATCH 3/4] modsign: Allow password to be specified for signing key David Woodhouse
2015-05-19 1:37 ` Mimi Zohar
2015-05-15 16:54 ` [PATCH 4/4] modsign: Allow signing key to be PKCS#11 David Woodhouse
2015-05-15 19:07 ` sign-file and detached PKCS#7 firmware signatures David Howells
2015-05-18 23:13 ` Luis R. Rodriguez
2015-05-19 9:25 ` David Howells
2015-05-19 16:19 ` Luis R. Rodriguez
2015-05-19 16:48 ` David Howells
2015-05-19 18:21 ` Luis R. Rodriguez
2015-05-19 18:35 ` Luis R. Rodriguez
2015-05-19 18:47 ` David Howells
2015-05-19 20:12 ` Luis R. Rodriguez
2015-05-19 20:29 ` David Howells
2015-05-15 22:51 ` [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4] Rusty Russell
2015-05-18 12:43 ` [PATCH 4/4] modsign: Allow signing key to be PKCS#11 David Howells
2015-05-19 14:45 ` [PATCH 9/8] modsign: Abort modules_install when signing fails David Woodhouse
2015-05-19 14:45 ` [PATCH 10/8] modsign: Allow password to be specified for signing key David Woodhouse
2015-05-19 15:50 ` Petko Manolov
2015-05-19 16:15 ` David Woodhouse
2015-05-19 16:34 ` Petko Manolov
2015-05-19 18:39 ` Mimi Zohar
2015-05-19 18:48 ` David Howells
2015-05-19 19:14 ` Mimi Zohar
2015-05-19 20:04 ` David Woodhouse
2015-05-19 14:46 ` [PATCH 11/8] modsign: Allow signing key to be PKCS#11 David Woodhouse
2015-05-19 14:46 ` [PATCH 12/8] modsign: Allow external signing key to be specified David Woodhouse
2015-05-19 14:47 ` [PATCH 13/8] modsign: Extract signing cert from CONFIG_MODULE_SIG_KEY if needed David Woodhouse
2015-05-19 15:36 ` [PATCH 10/8] modsign: Allow password to be specified for signing key David Howells
2015-05-20 0:36 ` [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4] Andy Lutomirski
2015-05-20 13:36 ` David Howells
2015-05-20 15:56 ` Andy Lutomirski
2015-05-20 16:21 ` Petko Manolov
2015-05-20 16:41 ` Andy Lutomirski
2015-05-20 16:55 ` Petko Manolov
2015-05-21 21:38 ` Luis R. Rodriguez
2015-05-21 21:44 ` Andy Lutomirski
2015-05-21 21:59 ` Luis R. Rodriguez
2015-05-21 22:06 ` Andy Lutomirski
2015-05-21 22:16 ` Luis R. Rodriguez
2015-05-21 22:24 ` Andy Lutomirski
2015-05-21 22:31 ` Luis R. Rodriguez
2015-05-21 22:47 ` Andy Lutomirski
2015-05-21 23:01 ` Luis R. Rodriguez
2015-05-21 23:09 ` Andy Lutomirski
2015-05-22 7:56 ` David Howells
2015-05-22 12:42 ` Mimi Zohar
2015-05-22 7:49 ` David Howells
2015-05-22 7:48 ` David Howells
2015-05-22 12:28 ` Mimi Zohar
2015-05-24 10:52 ` Petko Manolov
2015-05-21 13:59 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=31479.1432127671@warthog.procyon.org.uk \
--to=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=dwmw2@infradead.org \
--cc=keyrings@linux-nfs.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mcgrof@suse.com \
--cc=mjg59@srcf.ucam.org \
--cc=mmarek@suse.cz \
--cc=rusty@rustcorp.com.au \
--cc=seth.forshee@canonical.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).